cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


1288
Views
5
Helpful
10
Replies
Beginner

Unable to add another line to an existing NAT ACL

Hi guys,

As part of our PCI compliance, we were required to add a line to all of our ACLs in our ASA 5520 running version 8.2(3). Though there is an implicit deny all, we had to add a line to deny from any source to any destination.

We had no problems in adding the additional deny all statements except for our NAT access-list. This NAT access list is used for our internet connection.

Currently, the NAT ACL has 4 entries to permit from a specified source to destination any. This ACL is then called on our NAT statement.

nat (inside) 1 access-list NAT

Also, note that NAT control is in place and we also have NAT zero statements for our VPN connections.

So to fulfill our requirements, we just had to add another line to our ACL entries. But we encountered an issue with our NAT acl.

"access-list NAT line 100 extended deny ip any any"

After applying that statement above, our users can't access the internet anymore. Upon checking the running-config, the NAT statements were gone. My colleague tried adding the NAT statement, but it won't accept it. We had to revert it back for our users to gain access to the internet again.

So currently, all the deny all statemens for our ACLs are in place except the NAT acl. I wasn't there so I wasn't able to see the exact error messages.

Has anyone experienced this?

Everyone's tags (3)
3 ACCEPTED SOLUTIONS

Accepted Solutions
Mentor

Unable to add another line to an existing NAT ACL

Hi,

You cant use "deny" statements in Policy NAT configurations which you are using in your default PAT or NAT rule (cant see the "global" configuration line)

If you really want to control the source IP addresses that will be NATed/PATed then you can simply use multiple "nat" lines with the same ID number for the NAT configuration. This would let you control which source IP address fit the translation rule.

- Jouni

Mentor

Re: Unable to add another line to an existing NAT ACL

Hi,

I am still trying to find the Cisco document to give you the exact section where Cisco states that "deny" cant be used in Policy type NATs/PATs. It can be used in NAT0 configurations but NOT in Policy NAT/PAT configurations.

Basically this PAT configuration

global (outside) 1 1.1.1 netmask 255.255.255.255

global (backup-isp) 1 interface

nat (inside) 1 access-list NAT

access-list NAT extended permit ip 172.28.2.0 255.255.255.0 any

access-list NAT extended permit ip 192.168.145.0 255.255.255.0 any

access-list NAT extended permit ip 10.250.32.0 255.255.248.0 any

access-list NAT extended permit ip host 192.168.30.253 any

access-list NAT extended permit ip 172.28.4.0 255.255.255.0 any

Could be done like this also

global (outside) 1 1.1.1 netmask 255.255.255.255

global (backup-isp) 1 interface

nat (inside) 1 172.28.2.0 255.255.255.0

nat (inside) 1 192.168.145.0 255.255.255.0

nat (inside) 1 10.250.32.0 255.255.248.0

nat (inside) 1 192.168.30.253 255.255.255.255

nat (inside) 1 172.28.4.0 255.255.255.0

- Jouni

Mentor

Unable to add another line to an existing NAT ACL

Hi,

Its actually mentioned in some old Command References. Though while I checked the same command for other software versions it doesnt list the thing anymore even though I presume it applies still

Heres the section that mentions about the use of "deny" in NAT related ACLs. See the section mentioning the "access-list"

nat

Associate a network with a pool of global IP addresses.

[no] nat [(local_interface)] id local_ip [mask [dns] [outside |  [norandomseq] [max_conns [emb_limit]]]]

[no] nat [(local_interface)] id access-list acl_name [dns] [outside |  [norandomseq] [max_conns [emb_limit]]]

[no] nat [(local_interface)] 0 access-list acl_name [outside]

clear nat

show nat

Syntax Description


access-list

Lets you identify local traffic for network address translation (NAT) by  specifying the local and destination addresses (or ports). This feature  is known as policy NAT.

Note Use  NAT exemption (nat 0 access-list) with the ACL deny statement but not  with policy NAT. Use port selectors with policy NAT but not with NAT  Excemption.

You can only include permit statements in the access list.

Local traffic is matched to the first matching policy NAT statement. See the "Order of NAT Commands Used to Match Local Addresses" section for more information.

Source:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129

And its "he" not "she"

- Jouni

10 REPLIES 10
Mentor

Unable to add another line to an existing NAT ACL

Hi,

You cant use "deny" statements in Policy NAT configurations which you are using in your default PAT or NAT rule (cant see the "global" configuration line)

If you really want to control the source IP addresses that will be NATed/PATed then you can simply use multiple "nat" lines with the same ID number for the NAT configuration. This would let you control which source IP address fit the translation rule.

- Jouni

Highlighted
Beginner

Unable to add another line to an existing NAT ACL

thanks for the response. Here's the additional info:

nat (inside) 0 access-list NONAT

nat (inside) 1 access-list NAT

nat (inside) 2 10.105.11.200 255.255.255.255

global (outside) 1 1.1.1 netmask 255.255.255.255

global (backup-isp) 1 interface

global (backup-isp) 2 2.2.2 netmask 255.255.255.255

So we can't add the deny all on "NAT" acl right? currently, our NAT acl is these:

access-list NAT extended permit ip 172.28.2.0 255.255.255.0 any

access-list NAT extended permit ip 192.168.145.0 255.255.255.0 any

access-list NAT extended permit ip 10.250.32.0 255.255.248.0 any

access-list NAT extended permit ip host 192.168.30.253 any

access-list NAT extended permit ip 172.28.4.0 255.255.255.0 any

Mentor

Re: Unable to add another line to an existing NAT ACL

Hi,

I am still trying to find the Cisco document to give you the exact section where Cisco states that "deny" cant be used in Policy type NATs/PATs. It can be used in NAT0 configurations but NOT in Policy NAT/PAT configurations.

Basically this PAT configuration

global (outside) 1 1.1.1 netmask 255.255.255.255

global (backup-isp) 1 interface

nat (inside) 1 access-list NAT

access-list NAT extended permit ip 172.28.2.0 255.255.255.0 any

access-list NAT extended permit ip 192.168.145.0 255.255.255.0 any

access-list NAT extended permit ip 10.250.32.0 255.255.248.0 any

access-list NAT extended permit ip host 192.168.30.253 any

access-list NAT extended permit ip 172.28.4.0 255.255.255.0 any

Could be done like this also

global (outside) 1 1.1.1 netmask 255.255.255.255

global (backup-isp) 1 interface

nat (inside) 1 172.28.2.0 255.255.255.0

nat (inside) 1 192.168.145.0 255.255.255.0

nat (inside) 1 10.250.32.0 255.255.248.0

nat (inside) 1 192.168.30.253 255.255.255.255

nat (inside) 1 172.28.4.0 255.255.255.0

- Jouni

Beginner

Unable to add another line to an existing NAT ACL

thanks for this Jouni. I was able to read that document earlier when I was skimming through google search. I can't find it back though. Please share with me once you're able to locate it so I can share it with my colleagues. Thanks.

Participant

Unable to add another line to an existing NAT ACL

Hello,

The "implicit deny all" applies for ACL on the interface not in general. If you have an ACL matching source/destination IP against a NAT rule everything that is not included on the ACL will be dropped by the ASA on the NAT phase, if the deny statement was added at the end of the ACL's it shouldn’t affect your user since the permit rules are first.

We need to look at the NAT and ACL’s when the problem was happening otherwise it’s hard to give a full diagnostic or find out a root cause.

In other words, the deny ip any any rule if it is at the end it shouldn’t affect your network operation and internet access.

Regards,

Juan Lombana

Please rate helpful posts.

Beginner

Unable to add another line to an existing NAT ACL

perhaps the reason why the users were affected was that when my colleague checked the running config, after adding the deny statement on the NAT acl, the "nat (inside) 1 access-list NAT" was removed apparently. And when he tried adding that statement, the cli won't allow it. He had to remove the deny statement on the NAT acl before he can add the policy NAT entry.

I've read somewhere that we can't apply "deny" statements on a NAT acl. I'm trying to look again for it though.

Participant

Unable to add another line to an existing NAT ACL

You can apply "deny" ACL however it never takes effect, it doesn’t work on policy NAT, My point was that since it doesn’t take effect it shouldn’t affect your network operation then.

Regards,

Juan Lombana

Beginner

Unable to add another line to an existing NAT ACL

apparently, when we apply the deny statement on the NAT acl, the NAT policy is removed on the running config. When you add it to the running config, it doesn't add the command. We have to remove the deny statement on the NAT ACL before the ASA can accept the NAT policy configuration.

perhaps, Jouni might be right, though she's still looking for the document to supplement this.

Mentor

Unable to add another line to an existing NAT ACL

Hi,

Its actually mentioned in some old Command References. Though while I checked the same command for other software versions it doesnt list the thing anymore even though I presume it applies still

Heres the section that mentions about the use of "deny" in NAT related ACLs. See the section mentioning the "access-list"

nat

Associate a network with a pool of global IP addresses.

[no] nat [(local_interface)] id local_ip [mask [dns] [outside |  [norandomseq] [max_conns [emb_limit]]]]

[no] nat [(local_interface)] id access-list acl_name [dns] [outside |  [norandomseq] [max_conns [emb_limit]]]

[no] nat [(local_interface)] 0 access-list acl_name [outside]

clear nat

show nat

Syntax Description


access-list

Lets you identify local traffic for network address translation (NAT) by  specifying the local and destination addresses (or ports). This feature  is known as policy NAT.

Note Use  NAT exemption (nat 0 access-list) with the ACL deny statement but not  with policy NAT. Use port selectors with policy NAT but not with NAT  Excemption.

You can only include permit statements in the access list.

Local traffic is matched to the first matching policy NAT statement. See the "Order of NAT Commands Used to Match Local Addresses" section for more information.

Source:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129

And its "he" not "she"

- Jouni

Beginner

Unable to add another line to an existing NAT ACL

oh sorry bro.

thank you so much for the reference.