Enable traffic through the firewall without the address translation

mahesh18
Level 6

Hi everyone,

On ASA ASDM, under config, firewall, NAT rules, there is an option at the bottom:

Enable traffic through the firewall without the address translation

Need to know what it means.

Does it mean that if a user with a private IP comes to the ASA, then the ASA sees the NAT rules and does not change the IP to a global one until it goes out of the outside interface?

Thanks

Mahesh

7 Replies

Jouni Forss
VIP Alumni

Hi Mahesh

The setting you are referring to is called "nat-control" in the CLI format.

If you have it enabled, the ASA won't REQUIRE a connection to have a translation configured on the firewall for the connection attempt to pass. So let's say a connection comes to the ASA from a network that doesn't have any "nat" statement or "static" statement. The ASA will simply allow the connection through without NAT (provided the connection passes the other checks the ASA does for it).

If you have it disabled, the ASA WILL REQUIRE a translation/NAT configuration for the IP address of each host that is trying to connect through the ASA. So if a connection comes to the ASA from a network that doesn't have a "nat" statement or "static" statement, the ASA will simply deny the connection.

In other words, this setting DOESN'T determine any specific NAT configuration. It just tells the ASA whether it should let a connection get through if it doesn't have any NAT configured.

Usually I have left this setting enabled and I think it's the default setting in the newer software versions of the ASA.

- Jouni

By the way,

If you plan on configuring the ASA through ASDM also I would suggest enabling the following setting on the ASDM

ASDM -> Tools -> Preferences -> Preview commands before sending them to the device - Check Box

Enabling this setting will show what CLI format commands the ASDM is going to send to the ASA. This will give you some idea what is actually changing on the ASA CLI configuration BEFORE you let the ASDM send the commands.

- Jouni

Hi Jouni,

The preview command option I had checked already.

For my understanding of NAT control, when you say

If you have it disabled, the ASA WILL REQUIRE a translation/NAT configuration for the IP address of each host that is trying to connect through the ASA. So if a connection comes to the ASA from a network that doesn't have a "nat" statement or "static" statement, the ASA will simply deny the connection.

Here, when you say nat statement or static statement, do you mean these statements:

static (inside, outside)

nat (inside)

When you say

If you have it enabled, the ASA won't REQUIRE a connection to have a translation configured on the firewall for the connection attempt to pass.

Does this mean nat statements like this:

nat (inside) etc.?

Thanks

Mahesh

Hi,

When the checkbox IS NOT CHECKED = The setting is DISABLED

It will mean that if there is no NAT configuration for the connection coming to the firewall, the firewall will deny the connection. And yes, I meant the "static" and "nat" configuration commands, which are the only commands that define the source address/network for the NAT translations ("global" only defines the NAT IP address(es)).

When the checkbox IS CHECKED = The setting is ENABLED

Then any connection can go through the firewall provided it doesn't hit some ACL or other limitation. But the connection CAN go through the firewall even if it doesn't have any NAT configuration for the source address. Naturally, in this situation, when no NAT is done for the source address and the source host is connecting to the Internet for example, this would mean that the connection would go out with a private IP address, but naturally the connection would fail since it couldn't be routed through the Internet. The key thing to notice is that the ASA won't deny connections on the basis of the NAT configurations.

The same NAT configuration commands "nat" and "static" naturally apply to this as well. But as said, whether or not the ASA has those configurations for the source host, the connection still goes through, with NAT or without NAT being done.

- Jouni

Hi Jouni,

On the ASA, if the option is enabled

and the NAT config shows

nat (Net) 0 access-list Net_nat0_outbound

nat (Net) 1 0.0.0.0 0.0.0.0

I did sh xlate | include my PC IP and it shows

sh xlate | include MP PC IP

PAT Global 217.x.x.x(54272) Local My PC  IP(55477)

PAT Global 217.x.x.x(26306) Local MY PC IP(55476)

So we can say the ASA config has a NAT statement configured, right?

What does the nat statement with the ACL mean?

What does nat (Net) 1 0.0.0.0 0.0.0.0 mean?

Thanks

Mahesh

Message was edited by: mahesh parmar

Hi,

nat (Net) 0 access-list Net_nat0_outbound

The statement with the ACL is a NAT0 / NAT Exempt configuration.

This means that the traffic specified with the ACL named "Net_nat0_outbound" is NOT NATed and will pass the firewall with its original IP address unchanged.

nat (Net) 1 0.0.0.0 0.0.0.0

The above NAT configuration basically does NAT for any source address behind the "Net" interface. The addresses will be translated to the IP address in the corresponding "global (outside) 1 interface" command, or perhaps the same "global" command with some specific IP address configured instead of "interface".

- Jouni
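As an added illustration (not from this thread and not Cisco's code), a small Python model of the decisions Jouni describes in his two answers above: the ASDM checkbox deciding what happens to a source that has no nat/static entry, the nat 0 access-list exemption, and the nat (Net) 1 0.0.0.0 0.0.0.0 rule mapped to its global address. The ACL contents, the global address and the lookup order are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed, simplified model of the thread's points; not the ASA's real lookup code.
Net = ipaddress.ip_network


@dataclass
class NatConfig:
    allow_without_translation: bool                  # the ASDM checkbox from the question
    exempt_acl: list = field(default_factory=list)   # nat 0 access-list entries: (src_net, dst_net)
    nat_sources: dict = field(default_factory=dict)  # nat id -> source networks behind "Net"
    global_addr: dict = field(default_factory=dict)  # nat id -> address from "global (outside) id"


def outbound_lookup(cfg, src_ip, dst_ip):
    """Return (action, source address seen on the outside interface) for one connection."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. NAT exempt ("nat (Net) 0 access-list ...") is consulted first: address kept unchanged.
    for src_net, dst_net in cfg.exempt_acl:
        if src in src_net and dst in dst_net:
            return "permit", str(src)
    # 2. Ordinary "nat (Net) id <net> <mask>" rules: translate to the matching "global" address.
    for nat_id, nets in cfg.nat_sources.items():
        if nat_id in cfg.global_addr and any(src in n for n in nets):
            return "permit", cfg.global_addr[nat_id]
    # 3. No nat/static entry covers this source: only the checkbox decides.
    if cfg.allow_without_translation:
        return "permit", str(src)   # leaves with its private address (will not route on the Internet)
    return "deny", None


# Sample configs (constructed). The ACL contents and the global address are assumed;
# "0.0.0.0 0.0.0.0" matches every source, so step 3 is only reached without that catch-all.
THREAD_CFG = NatConfig(
    allow_without_translation=True,
    exempt_acl=[(Net("192.168.10.0/24"), Net("192.168.20.0/24"))],  # Net_nat0_outbound
    nat_sources={1: [Net("0.0.0.0/0")]},   # nat (Net) 1 0.0.0.0 0.0.0.0
    global_addr={1: "217.0.0.1"},          # global (outside) 1 interface (placeholder address)
)
STRICT_CFG = NatConfig(  # checkbox cleared, and only one subnet has a nat entry
    allow_without_translation=False,
    nat_sources={1: [Net("192.168.10.0/24")]},
    global_addr={1: "217.0.0.1"},
)
```

Running `outbound_lookup` against the two configs shows the three outcomes from the thread: exempt traffic keeps its address, matched traffic is PATed to the global, and an unmatched source is dropped or passed untranslated depending only on the checkbox.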

Hi Jouni,

Thanks again for answering all the questions here.

Now I need some time to go through these concepts of the ASA.

Best regards

Mahesh
