Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1100
Views
5
Helpful
11
Replies

How are object groups processed in NAT

Go to solution
DarrenB_UK
Level 1
Level 1

‎03-02-2016 12:59 PM - edited ‎03-12-2019 12:26 AM

Hello all,

I have seen, and indeed used object groups in a "twice NAT" configuration especially for exempting translation for VPN traffic.

I was wondering how object groups are processed correctly as so far, the results have been as expected.  Please see the brief example below:

object-group network vpn-local
network-object 192.168.10.0 255.255.255.0


object-group network vpn-remote
network-object 10.0.10.0 255.255.255.0
network-object 10.0.20.0 255.255.255.0
network-object 10.0.30.0 255.255.255.0
network-object 10.0.40.0 255.255.255.0

nat (inside,outside) 1 source static vpn-local vpn-local destination static vpn-remote vpn-remote

Why and how does the NAT process work when for example, the remote network is 10.0.30.0/24?  How does the ASA know to translate that to itself rather than the first object in the list - 10.0.10.0/24?

We make extensive use of object groups in NAT statements and I have never found the logic behind the process!

Thanks in advance,

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee

‎03-02-2016 05:21 PM

Hi DarrenB_UK,

The logic is the traffic is matched with the NAT entities and since nat exemption takes precedence over other NAT statements , ASA confirms if the remote destination is indeed part of object-group defined in destination static argument.and if it is, , it self translates or nat exempts the source in this case.

The statement "nat (inside,outside) 1 source static vpn-local vpn-local destination static vpn-remote vpn-remote"


states that whenever vpn-local tries to access vpn-remote object-group , (irrespective of the subnets/host involved) , self translate vpn-local to itself and do not translate vpn-remote as well.

You might want to take a moment and go through this wonderful document on nat:
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Hope this helps.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

View solution in original post

0 Helpful
11 Replies 11

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee

‎03-02-2016 05:21 PM

Hi DarrenB_UK,

The logic is the traffic is matched with the NAT entities and since nat exemption takes precedence over other NAT statements , ASA confirms if the remote destination is indeed part of object-group defined in destination static argument.and if it is, , it self translates or nat exempts the source in this case.

The statement "nat (inside,outside) 1 source static vpn-local vpn-local destination static vpn-remote vpn-remote"


states that whenever vpn-local tries to access vpn-remote object-group , (irrespective of the subnets/host involved) , self translate vpn-local to itself and do not translate vpn-remote as well.

You might want to take a moment and go through this wonderful document on nat:
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Hope this helps.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

Go to solution
DarrenB_UK
Level 1
Level 1

‎03-02-2016 09:41 PM

Thank you Dinesh - exactly what I needed to have confirmed!

"ASA confirms if the destination is part of the object group" is the key criteria"

All the best,

Darren

0 Helpful

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to DarrenB_UK

‎03-02-2016 09:50 PM

You got it , Darren

Cheers!


-Dinesh 

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

Go to solution
DarrenB_UK
Level 1
Level 1
In response to Dinesh Moudgil

‎03-02-2016 09:58 PM

One question does arise though Dinesh, what happens if the destination object group is different?

object-group network vpn-local
network-object 192.168.10.0 255.255.255.0


object-group network vpn-remote
network-object 10.0.10.0 255.255.255.0
network-object 10.0.20.0 255.255.255.0
network-object 10.0.30.0 255.255.255.0
network-object 10.0.40.0 255.255.255.0

object-group network vpn-remote-new
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 172.16.30.0 255.255.255.0
network-object 172.16.40.0 255.255.255.0

nat (inside,outside) 1 source static vpn-local vpn-local destination static vpn-remote vpn-remote-new

If the ASA cannot confirm the entry is in the list, will it fail or will it match to the entry at the same location?

0 Helpful

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to DarrenB_UK

‎03-02-2016 10:08 PM

Darren,

You don't have to worry about the latter part of destination static i.e. vpn-remote-new

As long as the traffic is coming from "vpn-local" to "vpn-remote" (other condition is vpn-local has to be from inside and vpn-remote has to be reachable on the outside, this is nothing but the interfaces that we mentioned in this nat statement) , this nat statement will be used where vpn-local is self-translated/nat-exempted and vpn-remote is translated to vpn-remote-new.

Hope this addresses your query.

 

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

Go to solution
DarrenB_UK
Level 1
Level 1
In response to Dinesh Moudgil

‎03-02-2016 10:18 PM

Hi Dinesh and thank you for your continued input!

So looking at these remote object groups:

object-group network vpn-remote
network-object 10.0.10.0 255.255.255.0
network-object 10.0.20.0 255.255.255.0
network-object 10.0.30.0 255.255.255.0
network-object 10.0.40.0 255.255.255.0

object-group network vpn-remote-new
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 172.16.30.0 255.255.255.0
network-object 172.16.40.0 255.255.255.0

If the matched destination address is 10.0.30.0, at position 3 in the object group, would the ASA translate this to position 3 in the vpn-remote-new group - 172.16.30.0?

Just want to be clear about the order of processing logic in object groups for ASA NAT!

Thanks again

0 Helpful

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to DarrenB_UK

‎03-02-2016 11:37 PM

Darren,

Actually this is not the optimum way to configure natting.
I will suggest you to create separate nat statements for the destination object-groups so that 10.0.30.0 translates to 172.16.30.0 and similarly for other objects.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

Go to solution
DarrenB_UK
Level 1
Level 1
In response to Dinesh Moudgil

‎03-03-2016 11:18 AM

Hi Dinesh,

Thanks again for your input.  

So you are suggesting that whilst using the same object group for identity NAT is OK, use separate NAT statements with the relevant objects if an actual translation is required?

Best regards,

Darren

0 Helpful

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to DarrenB_UK

‎03-03-2016 05:22 PM

I'd suggest that whether you go for nat exemption or trasnlation. always use separate NAT statements.

Regards,
Dinesh Moudgil


P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

Go to solution
DarrenB_UK
Level 1
Level 1
In response to Dinesh Moudgil

‎03-06-2016 12:46 AM

I finally managed to lab this up!

ciscoasa# show object-group


object-group network vpn-remote
 network-object 10.0.100.0 255.255.255.0
 network-object 10.0.101.0 255.255.255.0
 network-object 10.0.102.0 255.255.255.0
 network-object 10.0.103.0 255.255.255.0
object-group network vpn-remote-new
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.101.0 255.255.255.0
 network-object 192.168.102.0 255.255.255.0
network-object 192.168.103.0 255.255.255.0
 object-group network vpn-local
network-object 10.0.10.0 255.255.255.0

ciscoasa# show run nat
nat (inside,outside) source static vpn-local vpn-local destination static vpn-remote vpn-remote-new

ciscoasa# packet-tracer input inside tcp 10.0.10.1 12345 10.0.101.1 80 detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static vpn-local vpn-local destination static vpn-remote vpn-remote-new
Additional Information:
NAT divert to egress interface outside
Untranslate 10.0.101.1/80 to 192.168.101.1/80

ciscoasa# packet-tracer input inside tcp 10.0.10.1 12345 10.0.103.1 80 det

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static vpn-local vpn-local destination static vpn-remote vpn-remote-new
Additional Information:
NAT divert to egress interface outside
Untranslate 10.0.103.1/80 to 192.168.103.1/80

ciscoasa# packet-tracer input inside tcp 10.0.10.1 12345 10.0.101.1 80 det

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static vpn-local vpn-local destination static vpn-remote vpn-remote-new
Additional Information:
NAT divert to egress interface outside
Untranslate 10.0.101.1/80 to 192.168.101.1/80

What this demonstrates is that the static NAT translates the object-group to the corresponding position in the groups!  Cool!

0 Helpful

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to DarrenB_UK

‎03-06-2016 12:50 AM

Wonderful Darren,

Appreciate your efforts on a quick lab-repro to confirm the behavior.
Way to go !

Regards,
Dinesh Moudgil 

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card