Auto nat vs manual nat

Matt Roberts
Level 1

Somehow I have ended up with multiple network objects for the same network, for example:

obj-192.168.1.0

obj-192.168.1.0-1

obj-192.168.1.0-2

All are for the same network but have different NAT statements. When I look at my NAT statements I have a bunch of manual NAT and network object NAT rules. I'm pretty confused on the two. Should I just have one auto NAT statement for each object? Then if I need another NAT statement for the same network, make it a manual NAT?

4 Replies

Jouni Forss
VIP Alumni

Hi,

I would be interested to know what exact NAT configurations all those objects hold.

To be honest, in a very basic setup I have NO object network NAT configurations for whole networks (only for single hosts: static NAT/PAT configurations).

For example, the very basic NAT configurations:

Default PAT for Internet traffic

object-group network DEFAULT-PAT-SOURCE
 network-object 192.168.1.0 255.255.255.0
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Static NAT for a single host

object network STATIC
 host 192.168.1.10
 nat (inside,outside) static 1.1.1.1

NAT0 / NAT exemption / identity NAT for an L2L VPN connection or VPN client

object network LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

Could say much more if I saw the NAT configurations and the corresponding address information under the objects.

- Jouni

I have a lot like this:

object network obj-172.16.0.0-04
 subnet 172.16.0.0 255.254.0.0
object network obj-172.16.0.0-04
 nat (inside,GC) static 172.16.0.0

object network obj-172.16.0.0-05
 subnet 172.16.0.0 255.254.0.0
object network obj-172.16.0.0-05
 nat (inside,TM) static 172.16.0.0

So when I look at my network objects I have several like this, and each has an auto NAT with the object. What is best practice?

obj-172.16.0.0-01

obj-172.16.0.0-02

obj-172.16.0.0-03

obj-172.16.0.0-04

Would I be correct to presume you have updated/upgraded the ASA software from pre-8.3 to post-8.3 by letting the ASA convert the configuration by itself and not actually writing the configurations yourself?

If that is true, then it would seem to me that these configurations might be the 8.3 (and later) software's way of doing identity NAT between your local ASA interfaces (which can also be done with Twice NAT / Manual NAT).

I would, for example, guess that the following configuration

object network obj-172.16.0.0-05
 subnet 172.16.0.0 255.254.0.0
 nat (inside,TM) static 172.16.0.0

was this before:

static (inside,TM) 172.16.0.0 172.16.0.0 netmask 255.254.0.0

In the new software (8.3+), if you have local LAN and DMZ interfaces on the ASA which don't require NAT between them, you can simply leave out the NAT configurations. So if your purpose is to enable communication between local interfaces without modifying the source or destination address, then I would leave out all those NAT configurations.

In very basic setups you only really need to perform NAT between the local and public interfaces. The new ASA software doesn't have "nat-control" anymore. If there is no NAT rule for the traffic coming into the ASA, then the ASA will simply pass it along without NAT.

- Jouni
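As an added example (not part of this thread and not Cisco's code), the audit script below reads a constructed running-config fragment in the layout the ASA prints after a pre-8.3 migration (object definitions first, object NAT rules later under a repeated "object network" header), groups objects that define exactly the same subnet, and flags object NAT "static" rules whose mapped address equals the real address, which is the identity NAT the converter emits for every old "static (a,b) X X netmask M". The object names, interface names and the 203.0.113.10 mapped address in the sample are made up; point it at your own "show running-config object" output instead.

```python
import re
from collections import defaultdict

# Constructed sample of a running-config fragment as the ASA writes it after
# an automatic pre-8.3 -> 8.3+ migration. Names and addresses are invented
# for this example; they are not the poster's configuration.
SAMPLE_CONFIG = """\
object network obj-172.16.0.0-04
 subnet 172.16.0.0 255.254.0.0
object network obj-172.16.0.0-05
 subnet 172.16.0.0 255.254.0.0
object network STATIC
 host 172.16.1.10
object network obj-172.16.0.0-04
 nat (inside,GC) static 172.16.0.0
object network obj-172.16.0.0-05
 nat (inside,TM) static 172.16.0.0
object network STATIC
 nat (inside,outside) static 203.0.113.10
"""

OBJECT_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^ subnet (\S+) (\S+)$")
HOST_RE = re.compile(r"^ host (\S+)$")
OBJ_NAT_RE = re.compile(r"^ nat \((\S+),(\S+)\) static (\S+)(.*)$")


def parse_asa_config(text):
    """Return (objects, nats).

    objects: name -> (kind, address, mask), kind is 'subnet' or 'host'
    nats:    one dict per object (auto) NAT 'static' rule found
    The ASA prints the address definitions first and the object NAT rules
    later under a second 'object network <name>' header, so the parser
    simply re-enters the same object name when it sees it again.
    """
    objects = {}
    nats = []
    current = None
    for line in text.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = SUBNET_RE.match(line)
        if m:
            objects[current] = ("subnet", m.group(1), m.group(2))
            continue
        m = HOST_RE.match(line)
        if m:
            objects[current] = ("host", m.group(1), "255.255.255.255")
            continue
        m = OBJ_NAT_RE.match(line)
        if m:
            nats.append({
                "object": current,
                "real_ifc": m.group(1),
                "mapped_ifc": m.group(2),
                "mapped": m.group(3),
                "options": m.group(4).strip(),
            })
    return objects, nats


def find_duplicate_objects(objects):
    """Group object names that define exactly the same address and mask."""
    by_addr = defaultdict(list)
    for name, key in objects.items():
        by_addr[key].append(name)
    return {key: sorted(names) for key, names in by_addr.items() if len(names) > 1}


def find_identity_object_nats(objects, nats):
    """Object NAT rules whose mapped address equals the object's real address.

    'nat (a,b) static X' on an object holding 'subnet X M' (or 'host X') is
    identity NAT; it translates nothing and is what the 8.3 converter emits
    for a pre-8.3 'static (a,b) X X netmask M'.
    """
    return [r for r in nats
            if r["object"] in objects and objects[r["object"]][1] == r["mapped"]]


def report(text):
    """Human-readable findings, one per line."""
    objects, nats = parse_asa_config(text)
    lines = []
    for (kind, addr, mask), names in sorted(find_duplicate_objects(objects).items()):
        lines.append(f"duplicate {kind} {addr} {mask}: {', '.join(names)}")
    for r in find_identity_object_nats(objects, nats):
        lines.append(f"identity NAT ({r['real_ifc']},{r['mapped_ifc']}) on "
                     f"{r['object']}: candidate to remove")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_CONFIG):
        print(finding)
```

Before deleting a flagged rule, check two things the script cannot see: that no manual NAT "source static ... destination static ..." VPN exemption references the object, and that the routing table already sends the mapped subnet out the intended interface, because the ASA uses the mapped interface of a static NAT rule for egress-interface selection unless the rule carries route-lookup.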

Yep, I have upgraded from pre-8.3. I always wondered why I needed all these NAT statements; guess I don't need all of them anymore. Good news, thanks!
