Cisco ASA 8.3 - NAT and Matching Global Statements
I have a Cisco ASA running 8.2 in routed mode.
The ASA has three interfaces, inside, outside and DMZ. They connect to the following three networks:
I have the following dynamic PAT configuration:
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 126.96.36.199
nat control is turned off.
By my understanding any traffic from the inside to outside interface will be PATted to 188.8.131.52. However, communications between inside and the DMZ will not be PATted, and should work with no problems.
"When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group of addresses when they access any lower or same security level interface; you must apply a global command with the same NAT ID on each interface, or use a static command. NAT is not required for that group when it accesses a higher security interface because to perform NAT from outside to inside you must create a separate nat command using the outside keyword. If you do apply outside NAT, then the NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected."
Bit sneaky to not add this as a caveat in the configuration guide.
My problem is that packet tracer does not seem to bear me out. It tells me the packet is dropped due to "no matching global" when I source traffic from the inside interface and send it to the DMZ.
Does anyone have any ideas as to why this is? It seems odd that you'd have to configure nat exemption to communicate to every single other interface just to facilitate PAT between one interface pair.
I understand what you mean, but consider a NAT statement that matches say a /25 of the connected subnet. What do you reckon would happen there?
Anyway, I have tested what I've mentioned in the edited section of my previous post and it's correct. If you decrease the security level of the interface the traffic originates from (inside in this case) and try to pass traffic to DMZ then packet tracer will still complain about "no matching global" but the traffic will pass.
Cisco really need to make the deal with security levels and PAT more visible on the command references instead of burying it in a configuration guide somewhere.
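To make the rule from the quoted configuration guide (and the /25 and security-level points raised in the replies) concrete, here is an added Python model that is not code from this thread or from Cisco. It encodes the rule as stated: once a nat statement matches the source, a flow toward a same-or-lower security interface needs a global with the same NAT ID on that egress interface, a flow toward a higher security interface needs none, and with nat-control off an unmatched source passes untranslated. The nat/global lines are transcribed from the post; the security levels (inside 100, DMZ 50, outside 0) are an assumption, since the post does not give them. The lint() helper reports the interface pairs that would hit "no matching global" before packet-tracer does.

```python
# Constructed model (not ASA code) of the 8.2 nat/global matching rule quoted
# from the configuration guide, with nat-control off. Serves as a config lint:
# it reports interface pairs that packet-tracer would flag "no matching global".
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    interface: str                     # interface named in "nat (if) id net mask"
    nat_id: int
    network: ipaddress.IPv4Network


@dataclass(frozen=True)
class GlobalRule:
    interface: str                     # interface named in "global (if) id addr"
    nat_id: int
    address: str


# Security levels ASSUMED for the poster's three interfaces (not in the post).
SECURITY = {"inside": 100, "dmz": 50, "outside": 0}

# The poster's configuration, transcribed from the post.
NATS = [NatRule("inside", 1, ipaddress.IPv4Network("10.1.1.0/24"))]
GLOBALS = [GlobalRule("outside", 1, "126.96.36.199")]


def decide(src_if, dst_if, src_ip, nats=NATS, globals_=GLOBALS, security=SECURITY):
    """Classify a flow src_if -> dst_if as pass / translate / drop, with a reason."""
    ip = ipaddress.IPv4Address(src_ip)
    matching = [n for n in nats if n.interface == src_if and ip in n.network]
    # nat-control off: a source matched by no nat statement is not translated.
    if not matching:
        return ("pass", "no nat statement matches; nat-control off")
    # Toward a higher security interface the quoted rule requires no NAT.
    if security[dst_if] > security[src_if]:
        return ("pass", "destination is higher security; NAT not required")
    # Toward same or lower security, a global with the same NAT ID must exist
    # on the egress interface.
    for n in matching:
        for g in globals_:
            if g.interface == dst_if and g.nat_id == n.nat_id:
                return ("translate", f"nat id {n.nat_id} -> {g.address} on {dst_if}")
    return ("drop", "no matching global")


def lint(nats=NATS, globals_=GLOBALS, security=SECURITY):
    """Return every (src_if, dst_if, network) covered by a nat statement that
    no global on the egress interface serves, i.e. the pairs that will drop."""
    gaps = []
    for n in nats:
        for dst_if in security:
            if dst_if == n.interface:
                continue
            probe = str(n.network.network_address)
            action, _ = decide(n.interface, dst_if, probe, nats, globals_, security)
            if action == "drop":
                gaps.append((n.interface, dst_if, str(n.network)))
    return gaps


if __name__ == "__main__":
    for dst in ("outside", "dmz"):
        print("inside ->", dst, decide("inside", dst, "10.1.1.5"))
    print("missing globals:", lint())
    # Remedy described in the guide: a global with the same NAT ID on each
    # same-or-lower security interface (here PAT on the DMZ interface address).
    fixed = GLOBALS + [GlobalRule("dmz", 1, "interface")]
    print("after 'global (dmz) 1 interface':", lint(globals_=fixed))
    # The reply's experiment: lower inside below the DMZ and the flow passes.
    lowered = {"inside": 40, "dmz": 50, "outside": 0}
    print("inside(40) -> dmz(50):", decide("inside", "dmz", "10.1.1.5", security=lowered))
```

Run it as a script to see the poster's inside-to-DMZ drop, the remedy of adding a same-ID global on the DMZ interface, and the reply's observation that lowering the inside security level below the DMZ makes the flow pass because the rule then no longer demands a global. A source outside the nat statement's network (the /25 case from the reply) passes untranslated because nat-control is off.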