Unable to add another line to an existing NAT ACL

n3tw0rkguy83
Level 1

Hi guys,

As part of our PCI compliance, we were required to add a line to all of our ACLs in our ASA 5520 running version 8.2(3). Though there is an implicit deny all, we had to add a line to deny from any source to any destination.

We had no problems in adding the additional deny all statements except for our NAT access-list. This NAT access list is used for our internet connection.

Currently, the NAT ACL has 4 entries to permit from a specified source to destination any. This ACL is then called on our NAT statement.

nat (inside) 1 access-list NAT

Also, note that NAT control is in place and we also have NAT zero statements for our VPN connections.

So to fulfill our requirements, we just had to add another line to our ACL entries. But we encountered an issue with our NAT acl.

"access-list NAT line 100 extended deny ip any any"

After applying that statement above, our users can't access the internet anymore. Upon checking the running-config, the NAT statements were gone. My colleague tried adding the NAT statement, but it won't accept it. We had to revert it back for our users to gain access to the internet again.

So currently, all the deny-all statements for our ACLs are in place except on the NAT ACL. I wasn't there, so I wasn't able to see the exact error messages.

Has anyone experienced this?

10 Replies

Jouni Forss
VIP Alumni

Hi,

You can't use "deny" statements in Policy NAT configurations, which is what you are using in your default PAT or NAT rule (I can't see the "global" configuration line).

If you really want to control the source IP addresses that will be NATed/PATed, then you can simply use multiple "nat" lines with the same ID number for the NAT configuration. This would let you control which source IP addresses fit the translation rule.

- Jouni

Thanks for the response. Here's the additional info:

nat (inside) 0 access-list NONAT
nat (inside) 1 access-list NAT
nat (inside) 2 10.105.11.200 255.255.255.255
global (outside) 1 1.1.1 netmask 255.255.255.255
global (backup-isp) 1 interface
global (backup-isp) 2 2.2.2 netmask 255.255.255.255

So we can't add the deny all on the "NAT" ACL, right? Currently, our NAT ACL is this:

access-list NAT extended permit ip 172.28.2.0 255.255.255.0 any
access-list NAT extended permit ip 192.168.145.0 255.255.255.0 any
access-list NAT extended permit ip 10.250.32.0 255.255.248.0 any
access-list NAT extended permit ip host 192.168.30.253 any
access-list NAT extended permit ip 172.28.4.0 255.255.255.0 any

Hi,

I am still trying to find the Cisco document to give you the exact section where Cisco states that "deny" can't be used in Policy-type NATs/PATs. It can be used in NAT0 configurations but NOT in Policy NAT/PAT configurations.

Basically, this PAT configuration

global (outside) 1 1.1.1 netmask 255.255.255.255
global (backup-isp) 1 interface
nat (inside) 1 access-list NAT
access-list NAT extended permit ip 172.28.2.0 255.255.255.0 any
access-list NAT extended permit ip 192.168.145.0 255.255.255.0 any
access-list NAT extended permit ip 10.250.32.0 255.255.248.0 any
access-list NAT extended permit ip host 192.168.30.253 any
access-list NAT extended permit ip 172.28.4.0 255.255.255.0 any

could be done like this also:

global (outside) 1 1.1.1 netmask 255.255.255.255
global (backup-isp) 1 interface
nat (inside) 1 172.28.2.0 255.255.255.0
nat (inside) 1 192.168.145.0 255.255.255.0
nat (inside) 1 10.250.32.0 255.255.248.0
nat (inside) 1 192.168.30.253 255.255.255.255
nat (inside) 1 172.28.4.0 255.255.255.0

- Jouni

Thanks for this, Jouni. I was able to read that document earlier when I was skimming through Google search results. I can't find it again, though. Please share it with me once you're able to locate it so I can share it with my colleagues. Thanks.

julomban
Level 3

Hello,

The "implicit deny all" applies to an ACL on the interface, not in general. If you have an ACL matching source/destination IP against a NAT rule, everything that is not included in the ACL will be dropped by the ASA in the NAT phase; if the deny statement was added at the end of the ACLs, it shouldn't affect your users, since the permit rules come first.

We would need to look at the NAT and ACLs when the problem was happening; otherwise it's hard to give a full diagnostic or find the root cause.

In other words, if the deny ip any any rule is at the end, it shouldn't affect your network operation and internet access.

Regards,

Juan Lombana

Please rate helpful posts.

Perhaps the reason the users were affected was that, when my colleague checked the running config after adding the deny statement on the NAT ACL, the "nat (inside) 1 access-list NAT" line had apparently been removed. And when he tried adding that statement back, the CLI wouldn't allow it. He had to remove the deny statement from the NAT ACL before he could add the policy NAT entry.

I've read somewhere that we can't apply "deny" statements on a NAT ACL. I'm trying to find it again, though.

You can apply a "deny" ACE; however, it never takes effect, as it doesn't work on policy NAT. My point was that since it doesn't take effect, it shouldn't affect your network operation.

Regards,

Juan Lombana

Apparently, when we apply the deny statement on the NAT ACL, the NAT policy is removed from the running config. When you try to add it back to the running config, it doesn't accept the command. We have to remove the deny statement from the NAT ACL before the ASA will accept the NAT policy configuration.

Perhaps Jouni might be right, though she's still looking for the document to support this.

Hi,

It's actually mentioned in some old Command References. When I checked the same command for other software versions it doesn't list this anymore, though I presume it still applies.

Here's the section that mentions the use of "deny" in NAT-related ACLs. See the part describing the "access-list" keyword.

nat

Associate a network with a pool of global IP addresses.

[no] nat [(local_interface)] id local_ip [mask [dns] [outside | [norandomseq] [max_conns [emb_limit]]]]
[no] nat [(local_interface)] id access-list acl_name [dns] [outside | [norandomseq] [max_conns [emb_limit]]]
[no] nat [(local_interface)] 0 access-list acl_name [outside]
clear nat
show nat

Syntax Description

access-list

Lets you identify local traffic for network address translation (NAT) by specifying the local and destination addresses (or ports). This feature is known as policy NAT.

Note: Use NAT exemption (nat 0 access-list) with the ACL deny statement but not with policy NAT. Use port selectors with policy NAT but not with NAT Exemption.

You can only include permit statements in the access list.

Local traffic is matched to the first matching policy NAT statement. See the "Order of NAT Commands Used to Match Local Addresses" section for more information.

Source:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129

And it's "he", not "she".

- Jouni

Oh, sorry bro.

Thank you so much for the reference.
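Added example (not from the thread or from Cisco): a small pre-change lint that captures the two points Jouni made above, namely that an ACL bound to policy NAT (nat id other than 0) must contain only permit ACEs while NAT exemption (nat 0) may carry deny ACEs, and that a destination-any policy NAT ACL can be rewritten as plain "nat (iface) id net mask" lines. Running a check like this over the running-config before a PCI-driven mass edit would have flagged the NAT ACL before the "nat (inside) 1 access-list NAT" line was lost. The sample config is constructed from the addresses posted in the thread; the ACL names, the helper names and the regular expressions are this example's own assumptions, and trailing port selectors on an ACE are parsed past but not evaluated.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the thread's running-config (ASA 8.2 syntax).
# Deny ACEs were added to both ACLs, as the PCI requirement asked for.
SAMPLE_CONFIG = """
access-list NONAT extended permit ip 172.28.2.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list NONAT extended deny ip any any
access-list NAT extended permit ip 172.28.2.0 255.255.255.0 any
access-list NAT extended permit ip 192.168.145.0 255.255.255.0 any
access-list NAT extended permit ip 10.250.32.0 255.255.248.0 any
access-list NAT extended permit ip host 192.168.30.253 any
access-list NAT extended permit ip 172.28.4.0 255.255.255.0 any
access-list NAT line 100 extended deny ip any any
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list NAT
nat (inside) 2 10.105.11.200 255.255.255.255
"""

# Assumed regexes for the two line types this check cares about.
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:line\s+\d+\s+)?extended\s+(permit|deny)\s+(\S+)\s+(.*)$"
)
NAT_ACL_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+access-list\s+(\S+)")

# (action, protocol, (src, mask), (dst, mask))
Ace = Tuple[str, str, Tuple[str, str], Tuple[str, str]]


def _take_addr(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume one ASA address spec: 'any', 'host X', or 'X MASK'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "0.0.0.0"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "255.255.255.255"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Collect extended ACEs per ACL name, in configuration order."""
    acls: Dict[str, List[Ace]] = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        src, rest_tokens = _take_addr(rest.split())
        dst, _ = _take_addr(rest_tokens)  # anything after the destination (ports) is ignored
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def parse_nat_acl_refs(config: str) -> List[Tuple[str, int, str]]:
    """Return (interface, nat id, acl name) for every 'nat (...) N access-list X' line."""
    refs = []
    for line in config.splitlines():
        m = NAT_ACL_RE.match(line.strip())
        if m:
            iface, nat_id, acl = m.groups()
            refs.append((iface, int(nat_id), acl))
    return refs


def check_policy_nat_acls(config: str) -> List[str]:
    """Flag deny ACEs in ACLs bound to policy NAT (nat id != 0).

    NAT exemption (nat 0 access-list) is allowed to carry deny ACEs, so it is skipped.
    """
    acls = parse_acls(config)
    findings = []
    for iface, nat_id, acl in parse_nat_acl_refs(config):
        if nat_id == 0:
            continue
        denies = [ace for ace in acls.get(acl, []) if ace[0] == "deny"]
        if denies:
            findings.append(
                f"nat ({iface}) {nat_id} access-list {acl}: ACL has {len(denies)} deny "
                f"ACE(s); ASA 8.2 policy NAT accepts permit ACEs only"
            )
    return findings


def policy_acl_to_nat_lines(config: str, acl: str, iface: str, nat_id: int) -> List[str]:
    """Rewrite a destination-any policy NAT ACL as plain 'nat (iface) id net mask' lines."""
    lines = []
    for action, proto, (src, mask), (dst, dmask) in parse_acls(config).get(acl, []):
        if action == "deny":
            continue  # never matches in policy NAT anyway; plain nat lines have no deny form
        if proto != "ip" or (dst, dmask) != ("0.0.0.0", "0.0.0.0"):
            raise ValueError(f"{acl}: '{action} {proto} {src} {mask} -> {dst} {dmask}' needs policy NAT")
        lines.append(f"nat ({iface}) {nat_id} {src} {mask}")
    return lines


if __name__ == "__main__":
    for finding in check_policy_nat_acls(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("\n".join(policy_acl_to_nat_lines(SAMPLE_CONFIG, "NAT", "inside", 1)))
```

On the sample, the NONAT ACL passes (it is bound to nat 0) and the NAT ACL is reported once for its deny line; the conversion emits the same five "nat (inside) 1 ..." lines Jouni posted. An ACE with a specific destination or a non-IP protocol cannot be expressed as a plain nat line, so the converter refuses it rather than silently widening or narrowing the translation rule.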
