Help understanding NAT for both version 8.2 and older and 8.3

burleyman
Level 8

ASA 5505 Version 8.2 or older

nat (inside) 1 10.0.0.0 255.255.255.0
nat (INTF4) 1 10.0.4.0 255.255.255.0
nat (INTF5) 1 10.0.5.0 255.255.255.0
nat (INTF6) 1 10.0.6.0 255.255.255.0
nat (INTF7) 1 10.0.7.0 255.255.255.0
global (outside) 1 209.165.200.235-209.165.200.254 netmask 255.255.255.224
global (outside) 1 interface

I believe this setup does the following. The inside interface and interfaces 4, 5, 6, and 7 will translate using this line:

global (outside) 1 209.165.200.235-209.165.200.254 netmask 255.255.255.224

and if the addresses run out it will start using the outside interface IP address to translate, so traffic is not disrupted, and this is based on this line of configuration:

global (outside) 1 interface

Please correct me if I am wrong.

My question: does it do this because of the order of the configuration,

global (outside) 1 209.165.200.235-209.165.200.254 netmask 255.255.255.224
global (outside) 1 interface

or would it do it that way even if it was like this?

global (outside) 1 interface
global (outside) 1 209.165.200.235-209.165.200.254 netmask 255.255.255.224

and if so why?


Now let's convert the above configuration to ASA 5505 Version 8.3 or newer.

object network OUTSIDE-NAT-POOL
 range 209.165.200.235 209.165.200.254
object network INTERNAL-SEGMENTS
 subnet 10.0.0.0 255.255.248.0
 nat (any,outside) dynamic OUTSIDE-NAT-POOL interface

My question is how does it know to use the outside interface as a backup when the OUTSIDE-NAT-POOL is depleted?

Also why do I need to define the INTERNAL-SEGMENTS ? Doesn't the "any" in the (any,outside) take care of that?
Also wouldn't the "any" in (any,outside) cover interface 3 or DMZ which could be an issue?

Thanks for your help,

Mike

7 Replies

Jouni Forss
VIP Alumni

Hi,

The configuration guide for 8.2 software would lead one to believe that the order of those 2 "global" lines has no effect on how the "global" configurations are used. Which leads me to believe this is just how the ASA handles it when it has both a single IP address and a range of IP addresses with the same ID number in the configuration.

This is how the 8.2 Configuration Guide instructs you to configure the NAT Pool + PAT you mention:

To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is exhausted, enter the following commands:

hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.5
hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20

Notice that the actual configuration guide has the PAT address defined first, before the actual range of IP addresses.

It also mentions the following:

You can enter multiple global commands for one interface using the same NAT ID; the ASA uses the dynamic NAT global commands first, in the order they are in the configuration, and then it uses the PAT global commands in order. You might want to enter both a dynamic NAT global command and a PAT global command if you need to use dynamic NAT for a particular application, but you should have a backup PAT statement in case all the dynamic NAT addresses are depleted. Similarly, you might enter two PAT statements if you need more than the approximately 64,000 PAT sessions that a single PAT mapped statement supports.

Which I interpret in the following way:

  • First the ASA uses the Dynamic NAT Pools configured on the ASA in the order they are configured in (this would mean that whatever order the PAT and Pool addresses were configured in, the Pool would always be used first).
  • Right after the above it states that after NAT Pools, the PAT addresses are used in the order they are configured.
  • All of the above would lead me to believe that it's just how the ASA handles the NAT. If there is a NAT Pool configured, it uses it first. If it runs out it uses the PAT address.

Now related to the new 8.3 (and after) format.

This is how I configure the NAT Pool + PAT:

object-group network SOURCE-NETWORKS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
object network PAT-ADDRESS
 host 1.1.1.1
object network NAT-POOL
 range 1.1.1.2 1.1.1.253
object-group network NAT-POOL+PAT
 network-object object NAT-POOL
 network-object object PAT-ADDRESS
nat (any,WAN) after-auto source dynamic SOURCE-NETWORKS NAT-POOL+PAT

Though you could naturally have the "interface" keyword in use here, but since I was testing with a "dummy" NAT Pool + PAT I didn't use my own ASA's "WAN" interface IP address.

I would imagine that even though the NAT+PAT format is different, it still handles the ordering of the NAT IP addresses used in the same way, which would be NAT Pool before PAT.

Now to the question about how the ASA knows to use the "outside" interface IP address as the PAT fallback address when the NAT Pool has run out. I would have to again guess that this has to do with the same thing mentioned above for the older software. The ASA is just simply set up to use the NAT Pool first, then use the interface IP address as the PAT translation fallback. I don't think even the Cisco material gives really specific information on how the NAT operates, while it does have a lot of information. Sometimes I do find things that I had no idea about, and that's partly the reason I am on these forums also. You never know when you run into something new which you can use yourself.

On the question of why the ASA still needs source addresses specified when the interface is already set as "any": I again imagine this is just how the NAT is set up to work.

Notice that when you are using Network Object NAT like you are in your above example, the "object network" always defines the source address.

Even if you were to configure Manual NAT / Twice NAT (or whatever the correct term is nowadays) then the device would still force you to specify the source network. (Even if it was just "any")

For example it could be something like this:

nat (any,WAN) after-auto source dynamic any NAT-POOL interface

Where we have:

  • Source interface as "any"
  • But still have to configure the "source" parameters for the actual source IP addresses. In this case that is also specified as "any".

Don't know if these answer any of your questions to the degree you would want. To be honest I wanted to check some things out myself and might as well write it up here too.

- Jouni
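The guide text quoted in the reply above says the ASA consults dynamic NAT "global" entries first, in configuration order, and only then the PAT entries, in their order. The following is an added illustration (not Cisco code, and not from the reply) that encodes exactly that rule: it parses the two "global" lines from the question, hands out mapped addresses the way the quoted text describes, and shows that swapping the two lines does not change the result. The outside interface address 209.165.200.225 and the per-address session limit are constructed stand-ins (the limit is the guide's "approximately 64,000"), and one translate() call here stands for one new xlate, which is a simplification of real NAT versus PAT behaviour.

```python
"""Model of the 8.2-style 'global' ordering quoted from the configuration guide.

Added illustration, not Cisco code: it parses the 'global (outside) 1 ...'
lines of one NAT ID and hands out translations the way the quoted guide text
describes it: dynamic NAT (range) entries first, in configuration order, then
PAT entries in configuration order, each PAT address carrying at most
PAT_SESSIONS_PER_ADDRESS sessions (the guide's "approximately 64,000").
Each translate() call stands for one new xlate, which is a simplification:
a real dynamic NAT xlate is per inside host, a PAT xlate is per connection.
"""
import ipaddress
import re
from dataclasses import dataclass

PAT_SESSIONS_PER_ADDRESS = 64000  # the guide's approximate figure

# Matches "global (outside) 1 <address|range|interface> ..." and ignores the netmask.
GLOBAL_RE = re.compile(r"^global\s+\((?P<intf>[\w-]+)\)\s+(?P<nat_id>\d+)\s+(?P<arg>\S+)")


@dataclass
class GlobalEntry:
    kind: str          # "nat" for a dynamic NAT range, "pat" for a single PAT address
    addresses: list    # mapped addresses this entry can hand out
    order: int         # position of the line in the configuration


def parse_global_lines(lines, nat_id, interface_ip):
    """Return the 'global' entries for nat_id in the order the ASA consults them:
    dynamic NAT ranges first (configuration order), then PAT addresses
    (configuration order). interface_ip stands in for the 'interface' keyword."""
    entries = []
    for position, line in enumerate(lines):
        m = GLOBAL_RE.match(line.strip())
        if not m or int(m.group("nat_id")) != nat_id:
            continue
        arg = m.group("arg")
        if arg == "interface":
            entries.append(GlobalEntry("pat", [interface_ip], position))
        elif "-" in arg:
            lo, hi = (int(ipaddress.IPv4Address(a)) for a in arg.split("-"))
            pool = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
            entries.append(GlobalEntry("nat", pool, position))
        else:
            entries.append(GlobalEntry("pat", [arg], position))
    # Python's sort is stable, so entries of the same kind keep configuration order.
    return sorted(entries, key=lambda e: e.kind != "nat")


class Translator:
    """Hands out mapped addresses from the parsed entries."""

    def __init__(self, entries):
        self.nat_free = [a for e in entries if e.kind == "nat" for a in e.addresses]
        self.pat_order = [a for e in entries if e.kind == "pat" for a in e.addresses]
        self.pat_load = {a: 0 for a in self.pat_order}

    def translate(self):
        """Return (mapped_ip, kind) for a new xlate, or None when everything is full."""
        if self.nat_free:
            return self.nat_free.pop(0), "nat"
        for addr in self.pat_order:
            if self.pat_load[addr] < PAT_SESSIONS_PER_ADDRESS:
                self.pat_load[addr] += 1
                return addr, "pat"
        return None


def walk_through(config_lines, nat_id, interface_ip, count):
    """Simulate 'count' new xlates and return the list of (mapped_ip, kind) results."""
    translator = Translator(parse_global_lines(config_lines, nat_id, interface_ip))
    return [translator.translate() for _ in range(count)]


# The two 'global' lines from the question, in both orders; the outside interface
# address 209.165.200.225 is a constructed value standing in for 'interface'.
POOL_THEN_INTERFACE = [
    "global (outside) 1 209.165.200.235-209.165.200.254 netmask 255.255.255.224",
    "global (outside) 1 interface",
]
INTERFACE_THEN_POOL = list(reversed(POOL_THEN_INTERFACE))

if __name__ == "__main__":
    for label, cfg in (("pool first", POOL_THEN_INTERFACE), ("interface first", INTERFACE_THEN_POOL)):
        results = walk_through(cfg, 1, "209.165.200.225", 22)
        print(label, "->", results[0], "...", results[19], results[20])
```

Running it shows the first 20 xlates taking the pool addresses 209.165.200.235 through .254 and the 21st falling back to the interface address, in both configuration orders. Feeding it the guide's own example (a single host line before a range line) likewise puts the range first, which is the point Jouni draws from the quoted text.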

Thanks for the very helpful information, now I have to digest it to see if I have any more questions... 

In the line 

nat (any,WAN) after-auto source dynamic any NAT-POOL interface

Can you verbalize that line?

Mike

Hi,

nat (any,WAN) after-auto source dynamic any NAT-POOL interface

Where:

  • any = Defines that traffic to be NATed can be sourced from "any" interface on the ASA
  • WAN = Defines the destination interface for the traffic to be NATed
  • after-auto = Defines that the NAT rule is moved to Section 3 of the NAT rules
    • Because of this it's one of the last NAT rules to be matched on the ASA. Basically, first the Twice NAT / Manual NAT of Section 1 would be gone through, after this Section 2 Network Object NAT, and finally the Section 3 Twice NAT / Manual NAT
  • source = Specifies that "source" parameters for the NAT will follow
  • any = Specifies that the source IP address/network for the NAT can be anything.
    • I would imagine this single command would therefore work, for example, for VPN Clients that want to make a U-turn on the ASA "WAN" interface for Internet traffic when using Full Tunnel
  • NAT-POOL = Is in this case an "object network" that contains the "range 1.1.1.1 1.1.1.253" address range used for the NAT Pool
  • interface = Defines that the destination interface "WAN" will be used as the PAT address. And to my knowledge this is only used after the NAT-POOL has been exhausted

I do still find myself learning new things about the new NAT format, so I am kind of hesitant on giving advice and being 100% on it. Though that's just how I am.

I was personally just coming to the point with 8.2 software NAT that I thought I knew every trick needed, and then 8.3 came and it was partly learning everything again.

Then I started writing on the CSC and noticed I didn't know everything even about 8.2.

- Jouni
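The reply above explains that "after-auto" moves a manual NAT rule into Section 3, after Section 1 manual NAT and Section 2 network-object NAT, and that the first matching rule wins. The following is an added illustration (not ASA code and not from the reply) of that lookup order: three constructed rules, including a Section 3 catch-all built from the "nat (any,WAN) after-auto source dynamic any NAT-POOL interface" line, are sorted into the three sections and then matched against sample packets, including one arriving on a DMZ interface as the original question worried about. The rule names other than NAT-POOL and WAN, the 10.10.10.0/24 network and the interface names are made up, destination matching is left out, and Section 2 is kept in configuration order as a simplification of the ASA's own object NAT ordering.

```python
"""Model of the NAT sections described in the reply above: Section 1 manual NAT,
Section 2 network-object NAT, Section 3 manual NAT placed there by 'after-auto',
with the first matching rule winning.

Added illustration, not ASA code. A rule matches on the source interface
('any' matches every interface) and the real source network ('any' matches
every address); destination matching and mapped-address selection are left out.
Sections 1 and 3 keep configuration order, as on the ASA; Section 2 is kept in
configuration order here as a simplification (the ASA orders object NAT rules by
its own criteria, which this model does not reproduce).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int      # 1, 2 or 3
    src_intf: str     # "any" or an interface name
    src_net: str      # "any", a CIDR such as "10.10.10.0/24", or a host address
    mapped: str       # description of the mapped side, informational only


def manual_nat(name, src_intf, src_net, mapped, after_auto=False):
    """Manual (twice) NAT: Section 1 unless 'after-auto' pushes it to Section 3."""
    return NatRule(name, 3 if after_auto else 1, src_intf, src_net, mapped)


def object_nat(name, src_intf, src_net, mapped):
    """Network-object NAT: always Section 2; the object itself is the source."""
    return NatRule(name, 2, src_intf, src_net, mapped)


def matches(rule, src_intf, src_ip):
    """True when the packet's ingress interface and source address fit the rule."""
    if rule.src_intf not in ("any", src_intf):
        return False
    if rule.src_net == "any":
        return True
    return ipaddress.IPv4Address(src_ip) in ipaddress.IPv4Network(rule.src_net, strict=False)


def nat_table(rules):
    """The rules in lookup order: by section, configuration order within a section."""
    return sorted(rules, key=lambda r: r.section)   # stable sort keeps config order


def lookup(rules, src_intf, src_ip):
    """Name of the first matching rule walking Section 1, 2, then 3; None if no match."""
    for rule in nat_table(rules):
        if matches(rule, src_intf, src_ip):
            return rule.name
    return None


# Constructed rule set. 'WAN', 'NAT-POOL' and the 'any' source come from the reply;
# the other names, interfaces and the 10.10.10.0/24 network are made up here.
RULES = [
    # nat (any,WAN) after-auto source dynamic any NAT-POOL interface
    manual_nat("CATCH-ALL", "any", "any", "NAT-POOL, then WAN interface PAT", after_auto=True),
    # a network-object NAT rule for one LAN subnet (constructed)
    object_nat("LAN-SERVERS", "inside", "10.10.10.0/24", "1.1.1.2"),
    # a Section 1 identity rule configured last but consulted first (constructed)
    manual_nat("NO-NAT-LAN", "inside", "10.10.10.0/24", "identity (no translation)"),
]

if __name__ == "__main__":
    print([r.name for r in nat_table(RULES)])
    for intf, ip in (("inside", "10.10.10.5"), ("inside", "10.10.20.5"), ("DMZ", "192.168.3.7")):
        print(intf, ip, "->", lookup(RULES, intf, ip))
```

The table order comes out as NO-NAT-LAN, LAN-SERVERS, CATCH-ALL even though the catch-all was configured first, and a packet from the DMZ interface does hit the catch-all because both its interface and its source are "any". Removing after_auto from the catch-all puts it in Section 1, where it shadows the other two rules for every packet; that is the practical reason for the keyword.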

Thanks for your help great answers and explanations.

Soon to come questions on Access-lists....after I read of course. 

Mike

Hi,

I would suggest getting the Configuration Guide PDF file for your ASA software and checking the NAT section. For example, it clarifies the order in which NAT rules are processed.

Here's a direct link to the portion that handles the NAT Sections 1 - 3 that in the new software (8.4 and 8.6) define the NAT order:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wp1118157

I've also found the "packet-tracer" command very helpful in determining how the NAT works, and it has helped me learn the new NAT format.

Though naturally if you don't have a spare device it's kind of hard to test configurations.

- Jouni

Thanks for that information, I will check it out. I am going to put more focus on the newer versions because they are needed to support Windows 8 VPN clients, and I seem to be running into this a lot lately, and I am getting more and more involved in the ASAs.

Mike
