Default Translation Behavior on ASA Firewall

benweber
Level 1

I’m wondering if anyone can help me better understand the default NAT behavior on ASAs running 9.2 codes (specifically 9.2(4)10 in this case).

I’m in the process of re-writing the config on an ASA that’s in transparent mode, going to routed mode. So I will be identity NAT’ing a couple of public IP ranges (using 210.180.160.0/24 for this example, though that’s made up).

Normally I would just identity NAT that 210.180.160.0/24 range to itself since I'm running public IPs internal to the network. I came of age in the PIX era so that's what I'm used to doing. But I know that with the current ASA codes if I don't enter any NAT statements at all (auto NAT or manual NAT) the ASA essentially identity NATs that address space automatically, allowing traffic through as long as it is permitted by ACL.

I’m trying to weigh any pros and cons of just letting the ASA do this automatically. The main con being that I know I can break this behavior by accidentally doing something like overloading the outside interface dynamically. (Risky on a production firewall.)

I've noticed that if I do my identity NAT statement, the subnet-to-subnet translation shows up in the NAT table as I would expect. However, if I don't do any NAT statements and do a "show xlate" command I don't see anything. So on the one hand it looks to me like in the absence of any NAT statements the ASA is automatically identity NATing the traffic. But since that traffic doesn't show up in the translation tables it almost begs the question of whether the ASA is routing it instead of translating it.

I would point out that I’m used to firewalls doing both NAT and stateful firewalling functions, yet those two functions are technically separate. It’s possible to statefully inspect routed traffic that’s not translated.

Does anyone know the answer to that? In the absence of NAT statements is the ASA still translating the traffic? Or is it routing it without translating it?

Thanks!

Ben

3 Replies

Paul Chapman
Level 4

Hi Ben -

Unless you're abandoning the direct public IP assignments on your servers to migrate to RFC1918 addresses, I wouldn't worry about NAT.  Specifically, the concept of NAT control was removed in ASA version 8.3.  You can use your ASA as a router with no NAT statements at all and just apply policy through normal access lists.

My $.02.

Hope that helps.

PSC

Thanks Paul,

Does that mean that the ASA can now truly route?  As in act like a router doing stateful packet inspection without translating?  I'm trying to get clarity on that because that's new behavior and I can't find it in the documentation anywhere.

Hi Ben -

That is correct.  At a very simple level, this would be a functional firewall configuration:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.18.22.34 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 210.180.160.1 255.255.255.0
!
! No nat statements at all: 210.180.160.0/24 is routed through unchanged
! and policy comes only from the access list applied below.
access-list outside_in extended permit tcp any host 210.180.160.44 eq 80
!
access-group outside_in in interface outside
!
ip route 0.0.0.0 0.0.0.0 198.18.22.33

This assumes that the upstream router has a route for 210.180.160.0/24 pointed at the outside interface.

PSC
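Added example, not part of either poster's configuration: the explicit identity NAT Ben describes, placed where it is safe from the "accidental interface overload" he is worried about. On 8.3+ code the ASA evaluates manual NAT (section 1) before object NAT (section 2) and before after-auto manual NAT (section 3), so an identity rule in section 1 keeps the public servers on their own addresses no matter what dynamic PAT is added later. The object names, the 10.10.0.0/16 user range and the 198.51.100.10 test peer are assumptions made up for illustration; 210.180.160.0/24 is the thread's own made-up range.

```cisco
! Added example (not from the thread). Object names and the 10.10.0.0/16
! range are assumptions; 210.180.160.0/24 is the example range above.
object network INSIDE_PUBLIC
 subnet 210.180.160.0 255.255.255.0
object network INSIDE_PRIVATE
 subnet 10.10.0.0 255.255.0.0
!
! Section 1 (manual NAT) is matched first. Identity NAT of the public
! range to itself: packets leave with their real addresses, and, unlike
! the "no NAT statement at all" case, the rule is visible in show nat
! and its xlates in show xlate.
nat (inside,outside) source static INSIDE_PUBLIC INSIDE_PUBLIC
!
! Section 2 (object NAT): only the RFC1918 users are PATed behind the
! outside interface address.
object network INSIDE_PRIVATE
 nat (inside,outside) dynamic interface
!
! The risky form from the question: a catch-all PAT. Without the identity
! rule in section 1 this would also rewrite outbound sessions sourced
! from 210.180.160.x to the outside interface address. With the identity
! rule in place it is harmless, but prefer the scoped object above.
! nat (inside,outside) after-auto source dynamic any interface
!
! Verification (exec commands, no config change):
!   show nat detail
!     -> translate_hits / untranslate_hits counters per rule; the
!        identity rule should be the one accumulating hits for the
!        public range, not the PAT rule.
!   show xlate
!     -> identity xlates for 210.180.160.x appear once traffic matches.
!   packet-tracer input inside  tcp 210.180.160.44 12345 198.51.100.10 80
!   packet-tracer input outside tcp 198.51.100.10 40000 210.180.160.44 80
!     -> the NAT phase of both traces should name the identity rule,
!        and the outbound trace must not show the source rewritten.
```

Run the two packet-tracer lines before and after adding any dynamic rule: if the outbound trace ever reports the 210.180.160.x source mapped to the interface address, a PAT rule has captured the public range and the identity rule is either missing or ordered behind it.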
