03-02-2013 12:52 PM - edited 03-11-2019 06:08 PM
ASA 5505 Version 8.2 or older
nat (inside) 1 10.0.0.0 255.255.255.0
nat (INTF4) 1 10.0.4.0 255.255.255.0
nat (INTF5) 1 10.0.5.0 255.255.255.0
nat (INTF6) 1 10.0.6.0 255.255.255.0
nat (INTF7) 1 10.0.7.0 255.255.255.0
global (outside) 1 209.165.200.235-209.165.200.254 netmask 255.255.255.224
global (outside) 1 interface
I believe this setup does the following. The inside interface and interfaces 4, 5, 6, and 7 will translate using this line:
global (outside) 1 209.165.200.235-209.165.200.254 netmask 255.255.255.224
and if the addresses run out it will start using the outside interface IP address to translate, so traffic is not disrupted, based on this line of configuration:
global (outside) 1 interface
Please correct me if I am wrong.
My question is, does it do this because of the order of the configuration:
global (outside) 1 209.165.200.235-209.165.200.254 netmask 255.255.255.224
global (outside) 1 interface
or would it do it that way even if it was like this?
global (outside) 1 interface
global (outside) 1 209.165.200.235-209.165.200.254 netmask 255.255.255.224
and if so, why?
Now let's convert the above configuration to ASA 5505 Version 8.3 or newer.
object network OUTSIDE-NAT-POOL
 range 209.165.200.235 209.165.200.254
object network INTERNAL-SEGMENTS
 subnet 10.0.0.0 255.255.248.0
 nat (any,outside) dynamic OUTSIDE-NAT-POOL interface
My question is, how does it know to use the outside interface as a backup when OUTSIDE-NAT-POOL is depleted?
Also, why do I need to define INTERNAL-SEGMENTS? Doesn't the "any" in (any,outside) take care of that?
Also, wouldn't the "any" in (any,outside) cover interface 3 or the DMZ, which could be an issue?
Thanks for your help,
Mike
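An added check for the last two questions in the post above (example code written for this page, not from the thread or from Cisco): it compares the real networks covered by the five 8.2 "nat (ifc) 1 ..." lines with the 10.0.0.0/21 supernet in the proposed 8.3 object, and then evaluates whether an object NAT rule with "any" as the real interface would match a packet. The interface name "DMZ" and the host 10.0.3.10 are constructed for the example; the post does not give the DMZ subnet.

```python
import ipaddress

# Real networks from the 8.2 "nat (<ifc>) 1 <net> <mask>" lines in the post, keyed by interface.
NAT_82_REAL = {
    "inside": "10.0.0.0/24",
    "INTF4": "10.0.4.0/24",
    "INTF5": "10.0.5.0/24",
    "INTF6": "10.0.6.0/24",
    "INTF7": "10.0.7.0/24",
}

# Real network from the proposed 8.3 object: "subnet 10.0.0.0 255.255.248.0" is 10.0.0.0/21.
NAT_83_REAL = "10.0.0.0/21"
NAT_83_REAL_IFC = "any"          # from "nat (any,outside) dynamic ..."


def _nets(cfg):
    return [ipaddress.ip_network(n) for n in cfg.values()]


def dropped_by_8_3(old=NAT_82_REAL, new=NAT_83_REAL):
    """Old real networks that the new object would no longer translate."""
    new_net = ipaddress.ip_network(new)
    return [str(n) for n in _nets(old) if not n.subnet_of(new_net)]


def added_by_8_3(old=NAT_82_REAL, new=NAT_83_REAL, prefixlen=24):
    """/24s inside the new object that had no 8.2 nat statement at all."""
    old_nets = set(_nets(old))
    new_net = ipaddress.ip_network(new)
    return [str(s) for s in new_net.subnets(new_prefix=prefixlen) if s not in old_nets]


def rule_matches(src_ip, ingress_ifc, rule_ifc=NAT_83_REAL_IFC, rule_real=NAT_83_REAL):
    """Does the object NAT rule apply to a packet with this source arriving on this interface?

    Object NAT selects on the real (source) address of the object; "any" as the real
    interface means the ingress interface is not a constraint, so only the address decides.
    """
    in_object = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_real)
    ifc_ok = rule_ifc == "any" or rule_ifc == ingress_ifc
    return in_object and ifc_ok


if __name__ == "__main__":
    print("no longer translated:", dropped_by_8_3())
    print("newly translated:", added_by_8_3())
    # constructed DMZ host: 10.0.3.10 arriving on an interface named DMZ
    print("DMZ host matched by (any,outside) rule:", rule_matches("10.0.3.10", "DMZ"))
```

Run it with python3. The /21 pulls in 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24, none of which had a nat statement in the 8.2 config, and with "any" as the real interface a host in those ranges on any interface is translated toward outside. If the DMZ must stay out, a network object-group listing only the five /24s, used in a twice NAT rule, keeps the scope identical to the 8.2 config.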
03-02-2013 01:43 PM
Hi,
The configuration guide for 8.2 software would lead one to believe that the order of those 2 "global" lines has no effect on how the "global" configurations are used. Which leads me to believe this is just how the ASA handles it when it has both a single IP address and a range of IP addresses with the same ID number in the configuration.
This is how the 8.2 Configuration Guide instructs you to configure the NAT Pool + PAT you mention:
To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is exhausted, enter the following commands:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.5
hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20
Notice that the configuration guide has the PAT address defined first, before the actual range of IP addresses.
It also mentions the following:
You can enter multiple global commands for one interface using the same NAT ID; the ASA uses the dynamic NAT global commands first, in the order they are in the configuration, and then it uses the PAT global commands in order. You might want to enter both a dynamic NAT global command and a PAT global command if you need to use dynamic NAT for a particular application, but you should have a backup PAT statement in case all the dynamic NAT addresses are depleted. Similarly, you might enter two PAT statements if you need more than the approximately 64,000 PAT sessions that a single PAT mapped statement supports.
Which I interpret in the following way
Now related to the new 8.3 (and after) format
This is how I configure the NAT Pool + PAT
object-group network SOURCE-NETWORKS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
object network PAT-ADDRESS
 host 1.1.1.1
object network NAT-POOL
 range 1.1.1.2 1.1.1.253
object-group network NAT-POOL+PAT
 network-object object NAT-POOL
 network-object object PAT-ADDRESS
nat (any,WAN) after-auto source dynamic SOURCE-NETWORKS NAT-POOL+PAT
Though you could naturally have the "interface" keyword in use here, but since I was testing with a "dummy" NAT Pool + PAT I didn't use my own ASA's "WAN" interface IP address.
I would imagine that even though the NAT+PAT format is different, it still handles the ordering of the NAT IP addresses used in the same way, which would be NAT Pool before PAT.
Now to the question about how the ASA knows to use the "outside" interface IP address as the PAT fallback address when the NAT Pool has run out. I would have to again guess that this has to do with the same thing mentioned above for the older software. The ASA is just simply set up to use the NAT Pool first and then use the interface IP address as the PAT translation fallback. I don't think even the Cisco material gives really specific information on how the NAT operates, while it does have a lot of information. Sometimes I do find things that I had no idea about, and that's partly the reason I am on these forums also. You never know when you run into something new which you can use yourself.
On the question of why the ASA still needs source addresses specified when the interface is already set as "any", I again imagine this is just how the NAT is set up to work.
Notice that when you are using Network Object NAT, as you are in your above example, the "object network" always defines the source address.
Even if you were to configure Manual NAT / Twice NAT (or whatever the correct term is nowadays), the device would still force you to specify the source network (even if it was just "any").
For example, it could be something like this:
nat (any,WAN) after-auto source dynamic any NAT-POOL interface
Where we have
Don't know if these answer any of your questions to the degree you would want. To be honest, I wanted to check some things out myself and might as well write it up here too.
- Jouni
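The ordering rule quoted from the 8.2 guide in the answer above, as an added simulation (example code written for this page, not from the thread or from Cisco): it takes the "global" lines for one NAT ID in configuration order, hands out dynamic NAT addresses first in that order and PAT addresses afterwards in that order, and shows that swapping the PAT line and the range line does not change which host gets which mapped address. The outside interface address 203.0.113.1, the 64,000-sessions-per-PAT-address limit (the guide's "approximately 64,000") and the inside hosts are constructed values.

```python
import ipaddress


def expand_global(line, interface_ip):
    """Parse one ASA 8.2 'global (<ifc>) <id> <target> [netmask ...]' line.

    Returns ("nat", [mapped addresses]) for a range (a dynamic NAT pool) or
    ("pat", [one address]) for a single IP or the 'interface' keyword.
    """
    target = line.split()[3]
    if target == "interface":
        return "pat", [interface_ip]
    if "-" in target:
        lo, hi = (int(ipaddress.ip_address(x)) for x in target.split("-"))
        return "nat", [str(ipaddress.ip_address(a)) for a in range(lo, hi + 1)]
    return "pat", [target]


class NatIdTranslator:
    """Picks mapped addresses for one NAT ID the way the 8.2 guide describes:
    dynamic NAT pools first, in configuration order, then PAT addresses in
    configuration order, each PAT address good for a bounded number of sessions."""

    def __init__(self, global_lines, interface_ip="203.0.113.1", pat_sessions=64000):
        parsed = [expand_global(line, interface_ip) for line in global_lines]
        # Configuration order is kept *within* each kind; the kind decides precedence.
        self.free_pool = [ip for kind, ips in parsed if kind == "nat" for ip in ips]
        self.pat_addrs = [ip for kind, ips in parsed if kind == "pat" for ip in ips]
        self.pat_sessions = pat_sessions
        self.nat_xlate = {}                                 # real host -> mapped address
        self.pat_used = dict.fromkeys(self.pat_addrs, 0)    # mapped address -> sessions in use

    def translate(self, real_ip):
        """Return (mapped_ip, "nat" | "pat") for a new connection from real_ip, or None if exhausted."""
        if real_ip in self.nat_xlate:                       # dynamic NAT is one-to-one and reused
            return self.nat_xlate[real_ip], "nat"
        if self.free_pool:
            self.nat_xlate[real_ip] = self.free_pool.pop(0)
            return self.nat_xlate[real_ip], "nat"
        for ip in self.pat_addrs:                           # fall back to PAT, in config order
            if self.pat_used[ip] < self.pat_sessions:
                self.pat_used[ip] += 1
                return ip, "pat"
        return None                                         # nothing left: the connection fails


def run(global_lines, real_hosts, **kw):
    """Translate one new connection from each real host and report the mapped addresses."""
    t = NatIdTranslator(global_lines, **kw)
    return [t.translate(h) for h in real_hosts]


# Constructed inputs: the two orderings discussed in the thread plus 13 inside hosts
# (11 fit in the .10-.20 pool; the last two must fall back to PAT on .5).
GUIDE_ORDER = [
    "global (outside) 1 209.165.201.5",
    "global (outside) 1 209.165.201.10-209.165.201.20",
]
POOL_FIRST = list(reversed(GUIDE_ORDER))
HOSTS = [f"10.1.1.{i}" for i in range(1, 14)]

if __name__ == "__main__":
    for name, cfg in (("guide order", GUIDE_ORDER), ("pool first", POOL_FIRST)):
        print(name, run(cfg, HOSTS))
```

Both orderings give the same result: the first eleven hosts get 209.165.201.10 through .20 one-to-one, and hosts twelve and thirteen are PATed behind 209.165.201.5. Order does matter between two dynamic NAT ranges with the same ID (the earlier range is drained first) and between two PAT addresses. On a real box the same thing is checked with packet-tracer and "show xlate" rather than a model like this.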
03-02-2013 01:55 PM
Thanks for the very helpful information, now I have to digest it to see if I have any more questions...
03-02-2013 02:00 PM
In the line
nat (any,WAN) after-auto source dynamic any NAT-POOL interface
Can you verbalize that line?
Mike
03-02-2013 02:11 PM
Hi,
nat (any,WAN) after-auto source dynamic any NAT-POOL interface
Where
I do still find myself learning new things about the new NAT format, so I am kind of hesitant about giving advice and being 100% on it. Though that's just how I am.
I was personally just coming to the point with the 8.2 software NAT where I thought I knew every trick needed, and then 8.3 came and it was partly learning everything again.
Then I started writing on the CSC and noticed I didn't know everything even about 8.2.
- Jouni
03-02-2013 02:17 PM
Thanks for your help, great answers and explanations.
Soon to come: questions on Access-lists... after I read, of course.
Mike
03-02-2013 02:24 PM
Hi,
I would suggest getting the Configuration Guide PDF file for your ASA software and checking the NAT section. It, for example, gives clarification on the order in which NAT rules are processed.
Here's a direct link to the portion that handles NAT Sections 1 - 3, which in the new software (8.4 and 8.6) define the NAT order:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wp1118157
I've also found the "packet-tracer" command very helpful in determining how the NAT works, and it has helped me learn the new NAT format.
Though naturally, if you don't have a spare device it's kind of hard to test configurations.
- Jouni
03-02-2013 02:30 PM
Thanks for that information, I will check it out. I am going to put more focus on the newer versions because they are needed to support Windows 8 VPN clients, and I seem to be running into this a lot lately, and I am getting more and more involved in the ASAs.
Mike