05-22-2015 08:44 AM - edited 03-11-2019 10:59 PM
Hi All,
I recently acquired a new site. The firewall is running new code NAT, and the following statement is configured:
object network LAN
subnet 192.168.175.0 255.255.255.0
nat (inside,outside) source static LAN LAN no-proxy-arp route-lookup
Can anyone tell me exactly what this is doing? The thing that is throwing me off is that this line doesn't have a destination like I'm used to seeing, but I am seeing translate hits on the line.
FW-ITL-5505# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static LAN LAN no-proxy-arp route-lookup
translate_hits = 3481993, untranslate_hits = 160197
For example, I understand the below says "Don't NAT any traffic from the LAN to REMOTE."
nat (inside,outside) source static LAN LAN destination static REMOTE REMOTE no-proxy-arp route-lookup
05-22-2015 09:46 AM
If there is no destination in the NAT-statement, then the destination is "any". This line means: Translate any source LAN to new source LAN (effectively do not NAT) regardless of the destination if the traffic enters inside and exits outside. That's probably not what you want. Does it work as you want? Then there are probably other lines that have a higher priority.
05-23-2015 05:40 AM
Thanks Karsten. Here's the full NAT table:
nat (inside,outside) source static LAN LAN no-proxy-arp route-lookup
nat (inside,outside) source static LAN LAN destination static Rome Rome no-proxy-arp route-lookup
nat (inside,outside) source static LAN LAN destination static Milan Milan no-proxy-arp route-lookup
nat (inside,outside) source static LAN LAN destination static Perugia Perugia no-proxy-arp route-lookup
nat (inside,outside) source static LAN LAN destination static Paris Paris no-proxy-arp route-lookup
nat (inside,outside) source static LAN LAN destination static DC-INET DC-INET no-proxy-arp route-lookup
So each of these lines is for a site-to-site VPN tunnel. But if I am understanding you correctly, the last 5 lines aren't doing anything because the first line is already saying "Do not NAT the LAN to any destination," so the last five lines are never evaluated because the first line matches each time, right?
As for the functionality, it's actually ok as we centralize our internet pipe company wide in our data center, so I don't want to NAT anything locally (since the VPN tunnel ultimately delivers INET via the DC). I just figure I'll pull out those 5 lines if they are ultimately doing nothing.
05-23-2015 07:07 AM
These NAT-exemption rules are only needed if NAT is done on the ASA, typically for internet traffic. If you don't want to NAT anything on the ASA you can completely remove all NAT entries and the ASA will route everything through.
05-23-2015 03:10 PM
Hi Karsten,
Yeah unfortunately I have to NAT out one FTP service locally on this FW:
object network API-FTP
nat (inside,outside) static API-FTP-public
So considering that config, I thought I would need to set the nonat statements shown in the NAT table in the above post. But I think the first line in that table takes care of everything, meaning I should be able to pull the other 5 out right?
05-23-2015 03:19 PM
Yes, the five statements seem to be not needed in your scenario.
Is the API-FTP part of the LAN network? Then I wonder why it works, as the first line takes precedence over the object NAT.
But anyhow, if this is the only system needing NAT and you don't have any more dynamic NAT-statement, then you can remove all NAT exemptions.
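As an added illustration of the precedence Karsten describes (this is not code from the thread or from Cisco), here is a small Python model of how the ASA walks this NAT table: section 1 (manual NAT) top to bottom with the first match winning, and section 2 (object NAT) only if nothing in section 1 matched. Only the LAN object is defined in the thread, so every other object address is an assumed placeholder, as is the FTP host being inside the LAN.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the ASA NAT lookup order: section 1 (manual NAT) is walked
# top to bottom and the first matching line wins; section 2 (object NAT) is only
# consulted when no section-1 line matched. Only LAN is defined in the thread;
# every other object address below is an assumed placeholder.
OBJECTS = {
    "LAN": ip_network("192.168.175.0/24"),
    "Rome": ip_network("10.1.0.0/24"), "Milan": ip_network("10.2.0.0/24"),      # assumed
    "Perugia": ip_network("10.3.0.0/24"), "Paris": ip_network("10.4.0.0/24"),   # assumed
    "DC-INET": ip_network("10.9.0.0/16"),                                       # assumed
    "API-FTP": ip_network("192.168.175.10/32"),        # assumed: a host inside LAN
    "API-FTP-public": ip_network("203.0.113.10/32"),   # assumed public address
}

# Section 1 as configured: (source object, destination object or None meaning "any").
MANUAL_NAT = [("LAN", None), ("LAN", "Rome"), ("LAN", "Milan"),
              ("LAN", "Perugia"), ("LAN", "Paris"), ("LAN", "DC-INET")]
# Section 2: the single real translation on this firewall.
OBJECT_NAT = [("API-FTP", "API-FTP-public")]

def lookup(src, dst, manual=MANUAL_NAT):
    """Return (section, line_number, description) for the NAT line the ASA would
    apply to a packet from src to dst, or None if it is routed untranslated."""
    src, dst = ip_address(src), ip_address(dst)
    for n, (s, d) in enumerate(manual, start=1):
        if src in OBJECTS[s] and (d is None or dst in OBJECTS[d]):
            dest = f" destination static {d} {d}" if d else ""
            return ("manual", n, f"source static {s} {s}{dest}")
    for n, (s, t) in enumerate(OBJECT_NAT, start=1):
        if src in OBJECTS[s]:
            return ("object", n, f"{s} -> {t}")
    return None

def hit_counts(flows, manual=MANUAL_NAT):
    """translate_hits per section-1 line, the way 'show nat' would report them."""
    counts = [0] * len(manual)
    for src, dst in flows:
        hit = lookup(src, dst, manual)
        if hit and hit[0] == "manual":
            counts[hit[1] - 1] += 1
    return counts

# Constructed sample flows: two LAN hosts towards VPN sites, the FTP host outbound.
SAMPLE_FLOWS = [("192.168.175.20", "10.1.0.5"), ("192.168.175.21", "10.9.1.1"),
                ("192.168.175.10", "198.51.100.7")]

if __name__ == "__main__":
    print(hit_counts(SAMPLE_FLOWS), lookup("192.168.175.10", "198.51.100.7"))
```

With the table as posted, every LAN flow lands on line 1 and the FTP host never reaches its object NAT; passing `MANUAL_NAT[1:]` to either function shows what happens once that first line is removed.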
05-26-2015 01:58 PM
Karsten,
Yes, the FTP server is on an address within the LAN of this network. I have a /29 from the ISP, so I am using 1 address for my WAN port / vlan 2 on the ASA and using another of the publics for a static 1:1 NAT for the inside FTP server address to be seen from the outside publicly.
05-26-2015 02:13 PM
Have you tested it without the NAT-exemptions? That's the most important question ...
05-27-2015 06:32 AM
Not yet. I will have to wait until after hours just in case ;-)