ASA NO NAT Configuration - 9.6(4)23

mbrandon32
Beginner

We are in the process of implementing a NO NAT configuration on one of our firewalls and are running into an issue.

We have created an object-group for source IPs that will have the NO NAT configuration applied.

object-group network NO_NAT
 network-object host 1.1.1.1

We then created a network object that contains the destination - which would be internet based:

object network NO_NAT_DEST
 subnet 0.0.0.0 0.0.0.0

nat (inside,outside) source static NO_NAT NO_NAT destination static NO_NAT_DEST NO_NAT_DEST no-proxy-arp


All internet based traffic is routing as expected - no NAT applied. But when traffic destined for a private address routes through the firewall (DMZ destined), the traffic is routed the same as the internet based traffic. This looks to be because the subnet in the NO_NAT_DEST object matches the 0.0.0.0 0.0.0.0 default route.

My thinking is that we implement two separate NAT statements - one that contains an object-group that contains private networks as the destination and one that contains the 0.0.0.0 destination. Configure the NAT for the private destinations first - then configure the NAT for the 0.0.0.0 destination. That way the private destination NAT is processed first and routed accordingly but anything not destined for a private network will be processed by the 0.0.0.0 destination NAT.

Will this work as expected?

What would be the best way to implement this NO NAT configuration?

1 Accepted Solution

Rob Ingram
VIP Expert

@mbrandon32 yes create the more specific no NAT rule first and/or do a route-lookup on the NAT rule.

Route lookup—(Routed mode only; interfaces specified.) Specify route-lookup to determine the egress interface using a route lookup instead of using the interface specified in the NAT command. See Determining the Egress Interface for more information.

4 Replies

@Rob Ingram I missed the route-lookup configuration. Looking into route-lookup in more detail, we should just be able to configure the following:

nat (inside,outside) source static NO_NAT NO_NAT route-lookup

Correct?

nat (inside,outside) source static NO_NAT NO_NAT route-lookup did the trick. Thanks!

MHM Cisco World
Advisor

Configure another NO NAT rule and place it above this NAT rule by adding "1", and the issue is solved. Or configure after-auto on the NAT rule, which pushes this "0.0.0.0" NO NAT rule down the list of NAT rules.
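The three fixes discussed in this thread (list the more specific NO NAT rule first as the original poster proposed and MHM Cisco World suggested with "1", or add route-lookup as Rob Ingram answered) all come down to two ASA behaviours: manual NAT rules are evaluated top to bottom with first match winning, and a manual NAT rule that names interfaces sends matching traffic out the mapped interface unless route-lookup is set. The following toy model, added here as an illustration and not Cisco code or anything from the original posts, reproduces those two behaviours so the misrouting of DMZ-bound traffic can be seen and each fix checked. The routing table, the DMZ subnet 10.20.0.0/24, the rule names, and the packet addresses are constructed for the example; the model ignores auto NAT, the after-auto section, and every other ASA NAT subtlety.

```python
"""Toy model of ASA manual NAT ordering and egress-interface selection.

Constructed example for the thread above; not Cisco code. It models only
two rules of thumb: manual NAT rules match first-match top to bottom, and a
matching rule without route-lookup forwards out its mapped interface.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass
class NatRule:
    """One 'nat (real_if,mapped_if) source static X X destination static Y Y' line."""
    name: str
    real_if: str
    mapped_if: str
    src: IPv4Net                 # real source; identity NAT so real == mapped
    dst: IPv4Net                 # destination object, 0.0.0.0/0 matches anything
    route_lookup: bool = False   # the 'route-lookup' keyword


# Constructed routing table: (prefix, egress interface); longest prefix wins.
ROUTES: List[Tuple[IPv4Net, str]] = [
    (IPv4Net("0.0.0.0/0"), "outside"),
    (IPv4Net("10.20.0.0/24"), "dmz"),
]


def route_lookup(dst: str) -> str:
    """Longest-prefix match over ROUTES, like the ASA routing table."""
    ip = ipaddress.IPv4Address(dst)
    best = max((r for r in ROUTES if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def first_match(rules: List[NatRule], src: str, dst: str) -> Optional[NatRule]:
    """Manual NAT is first-match in the order the rules are listed."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule
    return None


def egress(rules: List[NatRule], src: str, dst: str) -> Tuple[Optional[str], str]:
    """Return (matched rule name, egress interface) for one flow.

    Without route-lookup, a matching rule forces the mapped interface; with
    route-lookup (or no matching rule) the routing table decides.
    """
    rule = first_match(rules, src, dst)
    if rule is None or rule.route_lookup:
        return (rule.name if rule else None, route_lookup(dst))
    return (rule.name, rule.mapped_if)


HOST = IPv4Net("1.1.1.1/32")          # the NO_NAT object-group from the post
ANY = IPv4Net("0.0.0.0/0")            # the NO_NAT_DEST object from the post
PRIVATE = IPv4Net("10.0.0.0/8")       # constructed "private destinations" object

# 1. The original single rule: everything from 1.1.1.1 is pushed out 'outside'.
ORIGINAL = [NatRule("NO_NAT", "inside", "outside", HOST, ANY)]

# 2. Specific rule first (what "add 1" achieves): DMZ traffic matches it.
ORDERED = [NatRule("NO_NAT_PRIVATE", "inside", "dmz", HOST, PRIVATE),
           NatRule("NO_NAT", "inside", "outside", HOST, ANY)]

# 3. Same two rules, wrong order: the 0.0.0.0/0 rule shadows the specific one.
MISORDERED = list(reversed(ORDERED))

# 4. One rule with route-lookup, as in the accepted answer.
ROUTED = [NatRule("NO_NAT", "inside", "outside", HOST, ANY, route_lookup=True)]


def scenario(rules: List[NatRule]) -> Dict[str, str]:
    """Egress interface for a DMZ-bound and an internet-bound flow from 1.1.1.1."""
    return {"dmz": egress(rules, "1.1.1.1", "10.20.0.5")[1],
            "internet": egress(rules, "1.1.1.1", "203.0.113.7")[1]}


if __name__ == "__main__":
    for label, rules in [("original", ORIGINAL), ("ordered", ORDERED),
                         ("misordered", MISORDERED), ("route-lookup", ROUTED)]:
        print(f"{label:12s} {scenario(rules)}")
```

Running the script shows the symptom from the first post (the original rule sends the 10.20.0.5 flow out "outside") and that both the ordering fix and the route-lookup fix send it out "dmz" while leaving internet traffic on "outside". The misordered case is the one to check for after any later edit to the NAT table: a catch-all 0.0.0.0/0 destination rule above a more specific one silently shadows it, so verify rule order with "show nat" after changes.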
