Solved: ASA 9.1 NAT as Object Sub-command Vs. Standalone NAT Command

Ali Razavi · ‎07-29-2014

Hey guys,

I'm configuring a couple of new 5515X ASAs.

Are there any major differences between the following two NAT syntax methods? They both seem to work in a lab environment. I only find the first method mentioned in Cisco documentation for performing static one-to-one NAT, however.

Method 1:

object network Test-DMZ-Server_EXT
host 172.25.1.2
object network LOCAL-RANGE_EXT
host 172.17.1.2

object network LOCAL-RANGE
host 192.168.10.2
nat (inside,outside) static LOCAL-RANGE_EXT
object network Test-DMZ-Server
host 192.168.199.2
nat (DMZ,any) static Test-DMZ-Server_EXT
object network ANY
subnet 0.0.0.0 0.0.0.0
nat (any,outside) dynamic interface

Method 2:

object network LOCAL-RANGE
host 192.168.10.2
object network Test-DMZ-Server
host 192.168.199.2
object network Test-DMZ-Server_EXT
host 172.25.1.2
object network LOCAL-RANGE_EXT
host 172.17.1.2

nat (DMZ,any) source static Test-DMZ-Server Test-DMZ-Server_EXT
nat (insdie,outside) static source LOCAL-RANGE LOCAL-RANGE_EXT

nat (any,outside) source dynamic any interface

Thanks

Jouni Forss · ‎07-29-2014

Hi,

Both of the configuration formats can achieve the same thing.

The first one is Auto NAT / Network Object NAT where the user configures the whole "nat" configuration under the created "object". Typically this configuration format is used to configure Dynamic PAT , Static NAT and Static PAT atleast.

The second configuration is Twice NAT / Manual NAT which uses different "object" and "object-group" configurations to list the real/mapped addresses in the NAT configurations. This "nat" configuration is not located under any objects but rather uses them. Typically this configuration format is used to configure NAT0 or Policy type NAT configurations.

While both configuration achieve the same thing there is one big difference between them. In the new NAT configuration format that was introduced in 8.3 onwards the NAT configurations are divided into 3 Sections which defines their priority in the "nat" configurations

They go the following way

Section 1 = Manual NAT / Twice NAT
Section 2 = Auto NAT / Network Object NAT
Section 3 = Manual NAT / Twice NAT
- an additional "after-auto" parameter is required to move this configuration to Section 3

So depending on which format you use you might end up overriding some other configuration by inserting the configuration to Section 1 (which you do by using the Manual NAT / Twice NAT configuration format). Though I would say this becomes a problem only in certain situations in simple firewall setups. I'd say the most common problem here on the forums is usually when a user has configured a Dynamic PAT in Section 1 and Static PAT (Port Forward) in Section 2 and uses the same public IP address as the PAT address in both. This creates a situation where all the traffic from external networks matches the Dynamic PAT configuration in the Section 1 rather than any Static PAT configuration in Section 2.

One other big difference between Auto NAT and Manual NAT is the fact that Auto NAT only does translation for the source address (might seem wierd depending on which side you are looking the situation from) while Manual NAT can perform translation for both the source and the destination IP address. But as you are configuring Static NAT this does not really matter. Both NAT formats can achieve the same thing.

In the end nothing is for example stopping you simply from just using Section 1 Manual NAT if you wanted. You could configure any type of NAT you wanted on this section alone and would not have to use Auto NAT at all if that was your wish. But I would say this is not suggestable and even less so if you have a large NAT configuration.

My personal suggestion in short is the following

Section 1 = Use for NAT0 and Static/Dynamic Policy NAT type configurations as these configurations are usually meant to override any typical NAT configurations.
Section 2 = Use for Static NAT and Static PAT as this provides the most simple configuration format for the mentioned configurations and they are still high enough in priority being in Section 2. Manual NAT configuration would require multiple "object" configurations to achieve the same.
Section 3 = Place all your Dynamic NAT/PAT or NAT+PAT configurations here as these should be the last NAT connection should match anyway when there is nothing specific meant for the hosts.

I find that with the above way you both keep your NAT configuration sectioned clearly and know whats where. The configuration is also a bit less cluttered when all configurations are not in the same Section.

If you want to read up some more on the new NAT configuration format you can check a document I wrote here in 2013. Though it contains the things I mentioned above also.

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

You can naturally ask more here in this discussion if you want :)

Please do remember to mark a reply as the correct answer if it answered your question.

Hope this helps :)

- Jouni

View solution in original post

Jouni Forss · ‎07-29-2014

Hi,

Both of the configuration formats can achieve the same thing.

The first one is Auto NAT / Network Object NAT where the user configures the whole "nat" configuration under the created "object". Typically this configuration format is used to configure Dynamic PAT , Static NAT and Static PAT atleast.

The second configuration is Twice NAT / Manual NAT which uses different "object" and "object-group" configurations to list the real/mapped addresses in the NAT configurations. This "nat" configuration is not located under any objects but rather uses them. Typically this configuration format is used to configure NAT0 or Policy type NAT configurations.

While both configuration achieve the same thing there is one big difference between them. In the new NAT configuration format that was introduced in 8.3 onwards the NAT configurations are divided into 3 Sections which defines their priority in the "nat" configurations

They go the following way

Section 1 = Manual NAT / Twice NAT
Section 2 = Auto NAT / Network Object NAT
Section 3 = Manual NAT / Twice NAT
- an additional "after-auto" parameter is required to move this configuration to Section 3

So depending on which format you use you might end up overriding some other configuration by inserting the configuration to Section 1 (which you do by using the Manual NAT / Twice NAT configuration format). Though I would say this becomes a problem only in certain situations in simple firewall setups. I'd say the most common problem here on the forums is usually when a user has configured a Dynamic PAT in Section 1 and Static PAT (Port Forward) in Section 2 and uses the same public IP address as the PAT address in both. This creates a situation where all the traffic from external networks matches the Dynamic PAT configuration in the Section 1 rather than any Static PAT configuration in Section 2.

One other big difference between Auto NAT and Manual NAT is the fact that Auto NAT only does translation for the source address (might seem wierd depending on which side you are looking the situation from) while Manual NAT can perform translation for both the source and the destination IP address. But as you are configuring Static NAT this does not really matter. Both NAT formats can achieve the same thing.

In the end nothing is for example stopping you simply from just using Section 1 Manual NAT if you wanted. You could configure any type of NAT you wanted on this section alone and would not have to use Auto NAT at all if that was your wish. But I would say this is not suggestable and even less so if you have a large NAT configuration.

My personal suggestion in short is the following

Section 1 = Use for NAT0 and Static/Dynamic Policy NAT type configurations as these configurations are usually meant to override any typical NAT configurations.
Section 2 = Use for Static NAT and Static PAT as this provides the most simple configuration format for the mentioned configurations and they are still high enough in priority being in Section 2. Manual NAT configuration would require multiple "object" configurations to achieve the same.
Section 3 = Place all your Dynamic NAT/PAT or NAT+PAT configurations here as these should be the last NAT connection should match anyway when there is nothing specific meant for the hosts.

I find that with the above way you both keep your NAT configuration sectioned clearly and know whats where. The configuration is also a bit less cluttered when all configurations are not in the same Section.

If you want to read up some more on the new NAT configuration format you can check a document I wrote here in 2013. Though it contains the things I mentioned above also.

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

You can naturally ask more here in this discussion if you want :)

Please do remember to mark a reply as the correct answer if it answered your question.

Hope this helps :)

- Jouni

Ali Razavi · ‎07-30-2014

That's tremendous help Jouni, thank you.

So then if I use Manual NAT, then it will take precedence before any auto dynamic PAT configurations?

All of our NAT configurations are going to be static NAT using unique IPs and a dynamic PAT using a completely separate pool of IP address. The only reason I'm leaning toward the Manual NAT configuration is for management and analysis purposes. These are very large firewall configurations and we are going to have lots of objects, so when looking at the configuration for troubleshooting on the CLI, it becomes very cumbersome to look at all of the objects' IP configurations in one section and then the same objects' NAT configurations in another section, while the Manual NAT simply lists all configurations neatly.

Jouni Forss · ‎07-30-2014

Hi,

Yes, if you have a Static NAT configured for example as a Manual NAT (which defaults to Section 1 UNLESS you add the "after-auto" parameter) then it will override any Auto NAT (Section 2) configuration. Though also if you have a Dynamic PAT and Static NAT configured for the same source host with Auto NAT the Static NAT will be prefered. ASA should order the NAT configuration automatically for Section 2 (Auto NAT). You can check the order with the command "show nat"

I do agree with you with the point that the Auto NAT configurations are a lot more annoying/harder to view through the CLI as the "show run nat" command does not include the "host/subnet/range" included under the "object" in question. Though for me it was still preferable than configuring "object" for each IP address and port I might want to include in my Static NAT/PAT configurations.

If you use the command "show nat" and "show nat detail" can you see IP addresses with a single command but the "show nat detail" really makes my head hurt as its output is not the most user friendly either.

Though I have still gone with the Auto NAT for any Static NAT/PAT configurations for the simple reason of not having so many NAT configurations in a single Section (If I did all in Section 3 for example) or having to create too many "object" and "object-group". The largest NAT environments we have do have around 300-500 Static NATs in a single firewall. I have accepted that I have to do a lot of "show run object id <object name>" and "show run | begin <object name>" when checking for the actual configurations.

I am not sure when I will go through the document I mentioned but I was originally meaning to involve a lot more information on how to troubleshoot and view information through the CLI as I only use CLI myself for NAT configuration purposes.

It seems to me that there probably is no direct command to list an Auto NAT configuration neatly but if you are just interested in the actual information (in some form) then for example the following command would list information easily for Static NAT

show nat translated <mapped ip> detail

It lists the interfaces, type of NAT, the "object" name, etc

I guess the reverse for this would be

show nat <local ip> detail

- Jouni

Ali Razavi · ‎07-30-2014

I just confirmed it Jouni, when configuring Manual NAT/PAT and then following it with the Manual static NAT configuration, inbound access to the statically mapped service is not established:

nat (any,outside) source dynamic any interface
nat (DMZ,any) source static Test-Server_DMZ Test-Server_EXT

Inbound access to the Test-Server cannot be established as it matches the 'any' subnet in the first PAT statement. When removing the global PAT and then re-adding thereby changing the order of the NAT statements as follows:

nat (DMZ,any) source static Test-Server_DMZ Test-Server_EXT
nat (any,outside) source dynamic any interface

Now, there is inbound access to the Test-Server and general traffic from other servers are still PATed out using the global PAT statement.

Great article by the way.

Thanks,
Reza

nkarthikeyan · ‎07-30-2014

Hi Ali,

Good finding!!!!

Yeah, both the methods will give the same result..... the syntax which you have used for the method 2 can be used extensively for No-nat , When you have destination based NAT, ACL based NAT - Equivalent method in new version.... rule based nat etc....

Regards

Karthik