04-19-2022 09:42 AM - edited 04-19-2022 05:48 PM
We are in the process of implementing a NO NAT configuration on one of our firewalls and are running into an issue.
We have created an object-group for source IPs that will have the NO NAT configuration applied.
object-group network NO_NAT
network-object host 1.1.1.1
We then created a network object that contains the destination - which would be internet based:
object network NO_NAT_DEST
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source static NO_NAT NO_NAT destination static NO_NAT_DEST NO_NAT_DEST no-proxy-arp
All internet based traffic is routing as expected - no NAT applied. But when traffic destined for a private address routes through the firewall (DMZ destined), the traffic is routed the same as the internet based traffic. This looks to be because the subnet in the NO_NAT_DEST object matches the 0.0.0.0 0.0.0.0 default route.
My thinking is that we implement two separate NAT statements - one that contains an object-group that contains private networks as the destination and one that contains the 0.0.0.0 destination. Configure the NAT for the private destinations first - then configure the NAT for the 0.0.0.0 destination. That way the private destination NAT is processed first and routed accordingly but anything not destined for a private network will be processed by the 0.0.0.0 destination NAT.
Will this work as expected?
What would be the best way to implement this NO NAT configuration?
04-19-2022 10:04 AM - edited 04-19-2022 10:06 AM
@mbrandon32 yes create the more specific no NAT rule first and/or do a route-lookup on the NAT rule.
Route lookup—(Routed mode only; interfaces specified.) Specify route-lookup to determine the egress interface using a route lookup instead of using the interface specified in the NAT command. See Determining the Egress Interface for more information.
04-19-2022 11:54 AM
@Rob Ingram I missed the route-lookup configuration. Looking into route-lookup in more detail, we should just be able to configure the following:
nat (inside,outside) source static NO_NAT NO_NAT route-lookup
Correct?
04-19-2022 06:38 PM
nat (inside,outside) source static NO_NAT NO_NAT route-lookup did the trick. Thanks!
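The first-match behaviour described in the accepted answer and the route-lookup fix confirmed above, modelled as an added example (this is not code from the thread or from Cisco): a small Python simulation of how the ASA chooses the egress interface for a manual NAT rule. The routing table, the interface names (inside, outside, dmz), the 10.0.0.0/24 source range and the (inside,dmz) pair used for the more-specific rule are constructed assumptions.

```python
# Added example, not from the thread: model of ASA manual (twice) NAT rule
# evaluation, to show why the 0.0.0.0/0 identity rule pushes DMZ-bound
# traffic out "outside" and how the two fixes discussed change that.
# Routing table, interfaces and address ranges are constructed for illustration.
import ipaddress

ROUTES = {  # constructed routing table: prefix -> egress interface
    "0.0.0.0/0": "outside",
    "10.0.0.0/24": "inside",
    "172.16.0.0/16": "dmz",
}

def route_lookup(dst):
    """Longest-prefix match, as the ASA routing table would do."""
    dst = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in ROUTES
               if dst in ipaddress.ip_network(p)]
    best = max(matches, key=lambda n: n.prefixlen)
    return ROUTES[str(best)]

def egress_for(rules, src, dst, ingress):
    """Evaluate manual NAT rules top-down; the first match wins.
    Each rule: (ingress, egress, src_nets, dst_nets, route_lookup_flag)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_in, r_out, srcs, dsts, rl in rules:
        if r_in != ingress:
            continue
        if any(src in ipaddress.ip_network(n) for n in srcs) and \
           any(dst in ipaddress.ip_network(n) for n in dsts):
            # Without route-lookup the egress comes from the rule's interface
            # pair; with route-lookup it comes from the routing table.
            return route_lookup(dst) if rl else r_out
    return route_lookup(dst)  # no NAT match: plain routing decision

NO_NAT = ["10.0.0.0/24"]   # constructed stand-in for the NO_NAT object-group
ANY = ["0.0.0.0/0"]        # the NO_NAT_DEST object from the question
PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# 1. The rule from the question: identity NAT (inside,outside) to any.
ORIGINAL = [("inside", "outside", NO_NAT, ANY, False)]
# 2. Fix A: a more-specific identity rule for private destinations placed first.
SPECIFIC_FIRST = [("inside", "dmz", NO_NAT, PRIVATE, False)] + ORIGINAL
# 3. Fix B: the same single rule with route-lookup, as confirmed above.
ROUTE_LOOKUP = [("inside", "outside", NO_NAT, ANY, True)]

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("specific-first", SPECIFIC_FIRST),
                        ("route-lookup", ROUTE_LOOKUP)]:
        print(name, "internet ->", egress_for(rules, "10.0.0.5", "203.0.113.10", "inside"),
              "| dmz ->", egress_for(rules, "10.0.0.5", "172.16.1.10", "inside"))
```

With the original rule both destinations leave via outside; with either fix the DMZ destination leaves via dmz while internet traffic still leaves via outside.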
04-19-2022 11:31 AM - edited 04-19-2022 12:03 PM
Config another NO NAT and make it above this NAT by adding "1", and the issue is solved. OR config after-auto in NAT, which pushes this NO NAT "0.0.0.0" down the list of NAT.