10-28-2013 11:27 PM - edited 03-11-2019 07:57 PM
Hello,
I have a question concerning twice NAT.
Let's assume that we have the following construction:
nat (Inside,Outside) source dynamic Real.Source Translated.Source destination static Real.Destination object network Translated.Destination
My question is how the ASA does routing lookups.
When the ASA has no route to Translated.Destination and has a route to Real.Destination, I get a route lookup failure error.
When the ASA has no route to Real.Destination and has a route to Translated.Destination, the translation does work. But how does the ASA know that the packet before translation matches the (inside,outside) direction if it doesn't have a route to Real.Destination?
It seems like the ASA just checks whether a packet matches Real.Source and Real.Destination in a NAT rule, then performs the translation, and after that does the routing lookup.
Please let me know if there is any additional information on this topic available.
Thank you.
10-29-2013 01:15 AM
Hi,
The correct format for the NAT configuration would be
nat (sourceint,destinationint) source dynamic
In your above example you have the destination address the wrong way around. You can check this with the question mark "?" when you're at that point of the command.
For example
ASA(config)# nat (LAN,WAN) source dynamic REAL MAPPED destination static ?
configure mode commands/options:
WORD Specify object or object-group name for mapped destination
interface Specify interface overload
I am afraid that the whole subject of routing and using NAT to determine the egress interface is also still a bit confusing, especially because of the different behaviour we see depending on the software. Some of the operation seems to me to be undocumented and some just described wrong in the documentation, or I just don't understand the logic behind it. (I even checked one of the latest 9.x documents.)
But if you are running one of the latest software levels of 8.4(x) or a 9.x series software, the following will probably apply to your situation.
Example:
I have a "nat" configuration that does Identity NAT for all the destination addresses for a single LAN host towards the WLAN interface. When I try connections to any destination address with the help of the "packet-tracer" command I see the following happening:
nat (LAN,WLAN) source static HOST HOST destination static ALL ALL
ASA(config)# packet-tracer input LAN tcp 10.0.0.200 12345 1.1.1.1 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WLAN) source static HOST HOST destination static ALL ALL
Additional Information:
NAT divert to egress interface WLAN
Untranslate 1.1.1.1/80 to 1.1.1.1/80
So as you can see there is no route lookup for this connection. The connection's destination address matches the NAT rule and gets diverted because of the configuration.
Then I add the same "nat" configuration with the "route-lookup" parameter (can only be used with Identity NAT) and then we see a route lookup happen:
nat (LAN,WLAN) source static HOST HOST destination static ALL ALL route-lookup
ASA(config)# packet-tracer input LAN tcp 10.0.0.200 12345 1.1.1.1 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 WAN
So as we can see, since the destination address of our "packet-tracer" didn't match the "nat" configuration after the route lookup, the "nat" configuration will not be applied and this connection would be forwarded out of my "WAN" interface with one of my basic Dynamic PAT configurations.
With NAT types other than Identity NAT you won't be able to use the "route-lookup" parameter. Though it seems that in the newer software levels the "destination static" portion of the "nat" configuration will have the ability to choose the egress interface of any connection, while this was not true in the older software.
All the above might be confusing and I am not sure if I can still explain it correctly myself.
I have written a NAT document on the Cisco Support Community that you can find here:
https://supportforums.cisco.com/docs/DOC-31116
Though it is still a work in progress and only contains some basic information. Topics such as this are something that would require a lot more time for me to go through. There is still a lot of content that should end up in that document, but it all depends on when I get the time and motivation to work on it. Considering my current situation at work it might be hard to get anything done for at least a couple of months.
Hope this helps
- Jouni
10-29-2013 05:03 AM
Hi Jouni,
First of all let me thank you for such a detailed answer.
The NAT statement is indeed:
nat (sourceint,destinationint) source dynamic
In my opinion those destinations are confusing.
I read it this way: if a packet goes from
For an incoming packet that
So if I have a packet coming from inside:
Source: 1.1.1.1; Destination: 2.2.2.2
and I want it to be translated and forwarded to outside with Source: 1.1.1.2; Destination: 2.2.2.3
Then I must have a route only to 2.2.2.3 pointing outside?
Thanks again.
10-29-2013 05:12 AM
Hi,
To my understanding you will only need to have a route for the real destination IP address.
The traffic flow and NAT can be pretty confusing at times and I don't always get them right.
When you have mapped the destination network what essentially happens is
Most of the time when you're building special NAT configurations towards your "outside" interface you won't really have to worry about the routing, as this interface probably already holds the default route. In cases where the destination interface is something else you will probably have to resort to adding a route.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more though
- Jouni
10-29-2013 06:31 AM
Hi Jouni,
I've built this in GNS3, with minimal routing configured
objects:
real.source: 192.168.1.1
mapped.source: 7.7.7.7
mapped.destination: 1.1.1.1, 2.2.2.2, 3.3.3.3
real.destination: 10.10.1.1, 10.20.1.1, 10.30.1.1
nat (inside,outside) source dynamic real.source mapped.source destination static mapped.destination real.destination
It does require routes for real.destination hosts only.
No routes for mapped.destination hosts are required.
That's completely different from IOS Routers
I think that's enough of NAT'ing investigations for me
Thank you.
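As an added example, not code from the thread or from Cisco, the following Python model writes down the order of operations the posts describe: the twice-NAT rule is matched on the pre-translation source and destination, the addresses are translated, and the route lookup is then done on the translated (real) destination, which is why only routes for real.destination were needed in the GNS3 test; with the route-lookup keyword the routing table decides the egress first, as in Jouni's packet-tracer output. The object names, addresses and interface names are the ones quoted in the thread; the decision logic itself is a simplification for illustration, not the ASA's implementation.

```python
# Added example, not code from the thread or from Cisco: a model of the twice-NAT
# order of operations the posts describe. Object, address and interface names are
# the ones quoted in the thread; the decision logic is a labelled simplification.
from ipaddress import ip_address, ip_network

OBJECTS = {  # constructed: the GNS3 objects plus Jouni's HOST/ALL identity objects
    "real.source": ["192.168.1.1"],
    "mapped.source": ["7.7.7.7"],
    "mapped.destination": ["1.1.1.1", "2.2.2.2", "3.3.3.3"],
    "real.destination": ["10.10.1.1", "10.20.1.1", "10.30.1.1"],
    "HOST": ["10.0.0.200"], "ALL": ["0.0.0.0/0"],
}
# nat (src_if,dst_if) source ... real_src mapped_src destination static mapped_dst real_dst
GNS3_RULE = {"src_if": "inside", "dst_if": "outside", "real_src": "real.source",
             "mapped_src": "mapped.source", "mapped_dst": "mapped.destination",
             "real_dst": "real.destination", "route_lookup": False}
IDENTITY_RULE = {"src_if": "LAN", "dst_if": "WLAN", "real_src": "HOST", "mapped_src": "HOST",
                 "mapped_dst": "ALL", "real_dst": "ALL", "route_lookup": True}

def in_object(name, addr):
    """True if addr falls inside any entry of the named object."""
    return any(ip_address(addr) in ip_network(e) for e in OBJECTS[name])

def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, interface) pairs; None if no route."""
    hits = [(ip_network(p), ifc) for p, ifc in routes if ip_address(dst) in ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def translate_dst(rule, dst):
    """'destination static MAPPED REAL': i-th mapped host becomes i-th real host."""
    mapped, real = OBJECTS[rule["mapped_dst"]], OBJECTS[rule["real_dst"]]
    return real[mapped.index(dst)] if dst in mapped else dst  # identity NAT: unchanged

def forward(rule, routes, ingress, src, dst):
    """Return (phase, egress, translated_src, translated_dst) for one packet."""
    matched = (ingress == rule["src_if"] and in_object(rule["real_src"], src)
               and in_object(rule["mapped_dst"], dst))  # matched on PRE-translation addresses
    if not matched:
        return ("ROUTE-LOOKUP", route_lookup(routes, dst), src, dst)  # plain routing
    if rule["route_lookup"]:  # identity NAT only: routing table picks the egress first,
        egress = route_lookup(routes, dst)  # and the rule applies only if it agrees
        if egress != rule["dst_if"]:
            return ("ROUTE-LOOKUP", egress, src, dst)
    new_src, new_dst = OBJECTS[rule["mapped_src"]][0], translate_dst(rule, dst)
    # NAT divert: egress comes from the rule; the route that must exist is for the
    # TRANSLATED destination (the "real" object), never for the mapped addresses
    if route_lookup(routes, new_dst) is None:
        return ("DROP", "no route to translated destination", new_src, new_dst)
    return ("UN-NAT", rule["dst_if"], new_src, new_dst)
```

Calling forward() with a routing table that only covers mapped.destination yields the DROP result, which is the route lookup failure the original question reports.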