8.3+ NAT - Auto NAT Order and Static PAT

eddie.harmoush
Level 1

Hi all,

I'm having a hard time pinpointing the exact method of ordering AutoNAT entries that include Static PAT.  Since you can't add line numbers to AutoNAT policies, how are they ordered in the "show nat" command?  Do AutoNAT entries follow the order they are configured?  Do they follow the order the Objects themselves are configured?  Is there some other underlying method of determining their order?

Here is what I mean:

I have a traditional static translation which translates all ports from the mapped address of 11.11.11.11 to the real address of 1.1.1.1.  I also have a static PAT set up so the mapped port/IP of 11.11.11.11:8080 translates to the real port/IP of 1.1.1.1:80.

student-12# show run object
object network ONE
 host 1.1.1.1
object network TWO
 host 1.1.1.1

student-12# show run nat
object network ONE
 nat (inside,outside) static 11.11.11.11
object network TWO
 nat (inside,outside) static 11.11.11.11 service tcp www 8080

student-12# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static ONE 11.11.11.11
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static TWO 11.11.11.11   service tcp www 8080
    translate_hits = 0, untranslate_hits = 0

Notice, the AutoNAT output from "show nat" shows me my static PAT will never work, as traffic will match.  The order they are entered into the translation table is the order in which the object and nat configurations exist.

Here, however, I configured object "two" first, and its correlating NAT before configuring object "one".  Notice, the order they appear in "show nat" is reversed from the order they are configured:

student-12# show run object
object network TWO
 host 1.1.1.1
object network ONE
 host 1.1.1.1

student-12# show run nat
object network TWO
 nat (inside,outside) static 11.11.11.11 service tcp www 8080
object network ONE
 nat (inside,outside) static 11.11.11.11

student-12# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static ONE 11.11.11.11
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static TWO 11.11.11.11   service tcp www 8080
    translate_hits = 0, untranslate_hits = 0

Could someone explain to me the way ordering works for AutoNAT entries?

For the record, I understand I could simply do the static PAT with Manual NAT to get it to show up in section 1.  I'm not interested in that, I'm interested in the specifics for how AutoNAT is ordered in 8.3+ code.

Any help would be appreciated.  Thanks.

--Eddie

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I am actually writing a document for the Firewall section about this. Or at least trying to. I am aiming to finish it during this week, though it seems I have to change something all the time.

On to the actual topic.

While the Cisco ASA documentation states the order of the Object Network NAT, it doesn't go into information as specific as it could. For example, mentioning Static PAT vs. Static NAT...

It does seem that your case would get matched by the very last parameter Cisco states.

And that is, funnily enough, the alphabetical order of the Network Object name. Which would mean that "object network ONE" comes before "object network TWO" since O is before T.

In general the deciding factors are, in order:

  • Static
  • Dynamic

Inside the mentioned types:

  • Number of addresses in object
  • If above is equal then the lowest numerical address
  • If both above are equal then the alphabetical order of the "object network" name is the final deciding factor

So if you change your configuration to this:

object network ONE
 host 1.1.1.1
 nat (inside,outside) static 11.11.11.11 service tcp www 8080
object network TWO
 host 1.1.1.1
 nat (inside,outside) static 11.11.11.11

Then your NAT rules will be matched in this order:

  • Static PAT
  • Static NAT

Notice that this does not have anything to do with the order they are configured. The ASA does the ordering again when you enter a new configuration and it might or might not alter the order of the already existing rules.

Hope this helps. If so, please remember to rate.

- Jouni


4 Replies


Wow, so that's it then, the exact answer I was looking for.  I can't say I'm all too excited about the decision to go that route with NAT ordering.  Everything within the 3 sections and the line numbers of Manual NAT was so simple, but now you have this.  =/  Oh well, at least I know now.  Thank you for your response, Jouni, looking forward to seeing the rest of your NAT document.

Here is some additional testing confirming things:

student-12# show run nat
object network DYN-range
 nat (inside,outside) dynamic 11.11.11.3
object network aDYN-range
 nat (inside,outside) dynamic 11.11.11.2
object network DYN-host
 nat (inside,outside) dynamic 11.11.11.1
object network STATIC-host
 nat (inside,outside) static 11.11.11.50
object network ASTATIC-host
 nat (inside,outside) static 11.11.11.50 service tcp 55 5050
object network ZSTATIC-host
 nat (inside,outside) static 11.11.11.50 service tcp 66 6060

1 (inside) to (outside) source static ASTATIC-host 11.11.11.50   service tcp 55 5050
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static STATIC-host 11.11.11.50
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static ZSTATIC-host 11.11.11.50   service tcp 66 6060
    translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source dynamic DYN-host 11.11.11.1
    translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source dynamic DYN-range 11.11.11.3
    translate_hits = 0, untranslate_hits = 0
6 (inside) to (outside) source dynamic aDYN-range 11.11.11.2
    translate_hits = 0, untranslate_hits = 0

Really not excited about the results of ASTATIC and ZSTATIC surrounding the STATIC object.  Oh well. =/  I should probably stop complaining about it.

Thanks again Jouni, it was the exact answer I was looking for.

It also appears the ordering only occurs when the object is initially created, and does not re-order when an object is renamed.  See below:

student-12(config)# clear configure object
student-12(config)#
student-12(config)# object network STATIC-host
student-12(config-network-object)# host 1.1.1.50
student-12(config-network-object)# nat (inside,outside) static 11.11.11.50
student-12(config-network-object)# object network ASTATIC-host
student-12(config-network-object)# host 1.1.1.50
student-12(config-network-object)# nat (inside,outside) static 11.11.11.50 service tcp 55 5050
student-12(config-network-object)# object network ZSTATIC-host
student-12(config-network-object)# host 1.1.1.50
student-12(config-network-object)# nat (inside,outside) static 11.11.11.50 service tcp 66 6060

!!! Created three AutoNAT statements to use as an example

student-12(config-network-object)# exit
student-12(config)# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static ASTATIC-host 11.11.11.50   service tcp 55 5050
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static STATIC-host 11.11.11.50
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static ZSTATIC-host 11.11.11.50   service tcp 66 6060
    translate_hits = 0, untranslate_hits = 0
student-12(config)#

!!! This is as expected, A comes before S which comes before Z.  Let's try renaming ZSTATIC-host to BSTATIC-host

student-12(config)# object network ZSTATIC-host rename BSTATIC-host
student-12(config)# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static ASTATIC-host 11.11.11.50   service tcp 55 5050
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static STATIC-host 11.11.11.50
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static BSTATIC-host 11.11.11.50   service tcp 66 6060
    translate_hits = 0, untranslate_hits = 0
student-12(config)#

!!! The NAT rules are not re-ordered

!!! Tried creating a new object to rebuild the NAT order.

student-12(config)# object network CSTATIC-host
student-12(config-network-object)# host 1.1.1.50
student-12(config-network-object)# nat (inside,outside) static 11.11.11.50 service tcp 77 7070
student-12(config-network-object)# show nat

!!! But the "BSTATIC-host" object is still in the wrong place:

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static ASTATIC-host 11.11.11.50   service tcp 55 5050
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static CSTATIC-host 11.11.11.50   service tcp 77 7070
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static STATIC-host 11.11.11.50
    translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static BSTATIC-host 11.11.11.50   service tcp 66 6060
    translate_hits = 0, untranslate_hits = 0

!!! Removed and re-created the BSTATIC-host object and NAT, and it is correctly sorted:

student-12(config-network-object)# no object network BSTATIC-host
student-12(config)# object network BSTATIC-host
student-12(config-network-object)# host 1.1.1.50
student-12(config-network-object)# nat (inside,outside) static 11.11.11.50 ser$
student-12(config-network-object)# exit
student-12(config)# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static ASTATIC-host 11.11.11.50   service tcp 55 5050
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static BSTATIC-host 11.11.11.50   service tcp 66 6060
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static CSTATIC-host 11.11.11.50   service tcp 77 7070
    translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static STATIC-host 11.11.11.50
    translate_hits = 0, untranslate_hits = 0
student-12(config)#

This doesn't seem sensible, do you know if Cisco has any plans to tweak this?  I did more testing and none of these commands seemed to correctly re-order the list:

clear xlate
clear local-host
clear local-host all

Rebooting the device DID re-order the NAT statements, so B was correctly following A.  But other than that, I didn't find a way to "fix" them.  Do you know of a way?
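The ordering Jouni lists and the behaviour seen in the tests above, as an added example (Python written for this page, not Cisco code and not part of the thread). It models Section 2 insertion with the sort key computed once, when the rule is created, which is what reproduces the rename quirk: the ONE/TWO order from the question, the ASTATIC/STATIC/ZSTATIC and DYN-* order, the rename and re-create steps, and the reboot all come out as in the show nat output. It also flags a static PAT that a plain static rule above it shadows, which is the check a practitioner wants before relying on a port translation. Assumptions: the "number of addresses" tie-breaker is fewest first (the direction Cisco's ordering description gives; the thread does not state it), and the real addresses of the DYN-* objects, which the thread never shows, are constructed.

```python
"""Model of how ASA 8.3+ orders Auto NAT (Section 2). Added example, not
Cisco code and not from the thread: it encodes Jouni's ordering (static
before dynamic; then number of real addresses, fewest first; then lowest
real address; then object name) and Eddie's finding that the key is fixed
at creation, so a rename does not re-sort while a reload or remove/re-add
does. Real addresses of the DYN-* objects below are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

@dataclass
class AutoNatRule:
    name: str                      # object network <name>
    real_lowest: str               # lowest real IP in the object
    real_count: int                # number of real IPs in the object
    kind: str                      # "static" or "dynamic"
    mapped: str                    # mapped address; all rules are (inside,outside)
    service: Optional[str] = None  # e.g. "tcp www 8080" marks a static PAT
    sort_key: tuple = ()           # filled in when the rule is added

def ordering_key(rule):
    # Plain string order on the name puts DYN-range before aDYN-range, as in
    # the thread's show nat output.
    return (0 if rule.kind == "static" else 1, rule.real_count,
            int(IPv4Address(rule.real_lowest)), rule.name)

class Section2Table:
    def __init__(self):
        self.rules = []

    def add(self, rule):
        rule.sort_key = ordering_key(rule)  # computed once, at creation
        pos = next((i for i, r in enumerate(self.rules)
                    if rule.sort_key < r.sort_key), len(self.rules))
        self.rules.insert(pos, rule)

    def rename(self, old, new):
        rule = next(r for r in self.rules if r.name == old)
        rule.name = new            # display name only; sort_key unchanged

    def reload(self):              # rebuild from config: every key recomputed
        for r in self.rules:
            r.sort_key = ordering_key(r)
        self.rules.sort(key=lambda r: r.sort_key)

    def order(self):
        return [r.name for r in self.rules]

    def shadowed_static_pats(self):
        """(pat, shadower) pairs: a static PAT below a plain static rule for
        the same mapped address never sees inbound traffic to that address."""
        found = []
        for i, r in enumerate(self.rules):
            if r.kind == "static" and r.service is not None:
                for e in self.rules[:i]:
                    if e.kind == "static" and e.service is None and e.mapped == r.mapped:
                        found.append((r.name, e.name))
                        break
        return found

def static(name, real, mapped, service=None):
    return AutoNatRule(name, real, 1, "static", mapped, service)

def question_scenario():
    """Objects ONE and TWO from the question, TWO configured first."""
    t = Section2Table()
    t.add(static("TWO", "1.1.1.1", "11.11.11.11", "tcp www 8080"))
    t.add(static("ONE", "1.1.1.1", "11.11.11.11"))
    return t

def three_statics():
    """STATIC-host, ASTATIC-host and ZSTATIC-host from Eddie's tests."""
    t = Section2Table()
    t.add(static("STATIC-host", "1.1.1.50", "11.11.11.50"))
    t.add(static("ASTATIC-host", "1.1.1.50", "11.11.11.50", "tcp 55 5050"))
    t.add(static("ZSTATIC-host", "1.1.1.50", "11.11.11.50", "tcp 66 6060"))
    return t

def rename_scenario():
    """Eddie's rename test; returns the table order after each step."""
    t = three_statics()
    steps = [t.order()]
    t.rename("ZSTATIC-host", "BSTATIC-host")
    steps.append(t.order())
    t.add(static("CSTATIC-host", "1.1.1.50", "11.11.11.50", "tcp 77 7070"))
    steps.append(t.order())
    t.reload()                     # the reboot that finally put B after A
    steps.append(t.order())
    return steps

def dynamic_scenario():
    """Eddie's mixed test. Assumed: DYN-host is one host, the two DYN-range
    objects are identical 10-address ranges (the thread shows neither)."""
    t = three_statics()
    t.add(AutoNatRule("DYN-range", "1.1.1.100", 10, "dynamic", "11.11.11.3"))
    t.add(AutoNatRule("aDYN-range", "1.1.1.100", 10, "dynamic", "11.11.11.2"))
    t.add(AutoNatRule("DYN-host", "1.1.1.60", 1, "dynamic", "11.11.11.1"))
    return t.order()
```

Compare each scenario's order() with the corresponding show nat output in the thread. shadowed_static_pats() on question_scenario() reports TWO shadowed by ONE, the problem the question opened with, and on three_statics() it reports ZSTATIC-host shadowed by STATIC-host, which is the "surrounding" result Eddie objected to: the object name decides whether a static PAT ends up above or below the plain static for the same mapped address, so a name chosen without that in mind can silently disable the port translation.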

Hi,

I haven't tested the effect of "object network rename" on the NAT ordering.

It would seem though that it works just like you have tested.

Whether this is an oversight from Cisco or something meant to work like this I don't know. On the other hand, thinking that renaming an object might change NAT behaviours seems strange. Then again, it's specifically mentioned as a defining factor in ordering Section 2 NAT, which would make it seem logical for the ASA to change the order when this change is made.

Might be something worth asking about directly from Cisco.

I don't know of a command that would help to "refresh" the NAT ordering. I guess the only option is just to reconfigure.

Doing a "no and "" under the object without removing the object seems to be the way to get it to reorder.

Good catch by the way. Haven't tested this myself before.

- Jouni
