02-15-2011 07:09 AM - edited 03-11-2019 12:50 PM
A subsidiary's firewall is configured with a few static and nat lines.
int vlan132
nameif Pinnacle
security-level 65
ip address 141.18.65.11 255.255.255.0 standby 141.18.65.21
int vlan138
nameif serena
security-level 53
ip address 141.18.53.11 255.255.255.0 standby 141.18.53.11
int vlan 814
nameif link
security-level 0
ip address 172.16.20.11 255.255.255.224 standby 172.16.20.21
nat-control
nat (Pinnacle) 0 141.18.65.0 255.255.255.0
nat (Pinnacle) 0 0.0.0.0 0.0.0.0
nat (serena) 0 141.18.53.0 255.255.255.0
static (Pinnacle,link) 141.18.65.0 141.18.65.0 netmask 255.255.255.0
static (serena,link) 141.18.53.0 141.18.53.0 netmask 255.255.255.0
The link interface is the interconnect between the firewall module and the router (6506). I went through documents about the nat-control statement, which was not seen in very early releases of the firewall software. This module is using code 3.2(14). We learnt that nat-control was not seen when they were using quite older releases.
My question: what difference does turning on nat-control with the above configuration make, and if the nat-control line is removed, what will happen?
Secondly, do the static lines achieve anything in relation to the nat lines?
Please help me to understand this better.
Thanks in advance.
02-16-2011 08:49 PM
You said you added another interface:
int vlan 126
nameif granite
security-level 32
ip address 172.16.16.1 255.255.255.0
If nat-control is enabled and there are no NAT rules, this means the firewall won't allow traffic through the interface.
This is because nat-control requires a NAT rule to allow traffic.
If you disabled nat-control, then it worked because the firewall doesn't require a NAT rule anymore, only ACL permission.
Disabling nat-control will not cause any problems.
It will simply mean that the firewall won't check for a NAT rule to allow traffic through an interface.
Hope it helps.
Federico.
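The three states this thread walks through, written out as FWSM configuration. This is an added example, not configuration from the original poster or from Federico; it assumes the interface names, security levels and addresses posted above (granite = 172.16.16.0/24, link = the router-facing interface).

```text
! State 1 (as posted): nat-control on, granite has no nat/static line.
! Result: link-initiated traffic to 172.16.16.5 is dropped even though
! the ACLs on link and granite are "permit any".
nat-control
interface vlan 126
 nameif granite
 security-level 32
 ip address 172.16.16.1 255.255.255.0
! (no nat/static for 172.16.16.0/24)

! Fix A: keep nat-control and add static identity NAT for granite,
! the same pattern already used for Pinnacle and serena.
! Static identity NAT is bidirectional, so link can reach granite hosts.
static (granite,link) 172.16.16.0 172.16.16.0 netmask 255.255.255.0

! Fix B (not enough for this case): dynamic identity NAT.
! Lets granite hosts initiate outbound, but link-initiated connections
! to granite still have no matching rule and are still dropped.
nat (granite) 0 172.16.16.0 255.255.255.0

! Fix C (what the poster did): disable nat-control.
! The NAT-rule requirement is removed for every interface; the existing
! nat 0 / static lines stay valid and the ACLs alone decide what passes.
no nat-control

! Verification: confirm the nat-control state and the NAT rules in place.
show running-config | include nat
```

Fix A is the tighter choice for a new segment: it preserves nat-control for the rest of the module and exposes only the subnet you name in the static line.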
02-15-2011 07:29 AM
Hi,
Identity NAT is a NAT rule to avoid NATing.
So, either dynamic Identity NAT:
nat (Pinnacle) 0 141.18.65.0 255.255.255.0
nat (Pinnacle) 0 0.0.0.0 0.0.0.0
nat (serena) 0 141.18.53.0 255.255.255.0
Or static Identity NAT:
static (Pinnacle,link) 141.18.65.0 141.18.65.0 netmask 255.255.255.0
static (serena,link) 141.18.53.0 141.18.53.0 netmask 255.255.255.0
The difference is that dynamic Identity NAT will allow only outbound connections, while static Identity NAT will allow bidirectional traffic.
nat-control does not apply for static NAT rules I believe.
Federico.
02-15-2011 08:16 AM
Thanks. If we were to add another interface on the module, with no static or nat line for its IP address and with nat-control enabled, will that interface be accessible from the router side and vice versa?
Please help me to grasp this concept.
Thanks all in advance.
02-16-2011 06:55 AM
To add another query, does nat-control play a part in the following cases?
1. A host connected to a VLAN created on the router tries to ping a host connected to a VLAN on the firewall module within the same chassis. Will the absence or presence of nat-control play any role if there are no nat statements related to the VLAN interface of the firewall module?
2. Apart from having an access list to allow the host on the router VLAN to ping the firewall VLAN host, is anything else required for the ping to be successful?
I appreciate the time taken to answer.
02-16-2011 07:58 AM
1. nat-control only permits traffic through the Firewall if there's a NAT rule that matches.
That NAT rule can be an actual NAT rule or a NAT bypass rule.
2. The ACL is all you need to be able to PING.
If you still have a problem with this please let us know exactly.
Thank you.
Federico.
02-16-2011 08:46 AM
Thank you for helping me gauge this.
Today, we added another interface to the firewall with IP 172.16.16.1/24 and didn't put any nat/static statements for it, and nat-control was enabled by default.
So the configuration looked like below, with the previous configuration from my first post remaining.
int vlan 126
nameif granite
security-level 32
ip address 172.16.16.1 255.255.255.0
nat-control (enabled) and no static or nat for this interface.
The ACL for this interface was permit any, and similarly the ACL for vlan 814 (link interface) was permit any.
A host 172.16.16.5 was being accessed from a host on the link interface. The host 172.16.16.5 couldn't be pinged, nor was a web server hosted on it reachable.
We disabled nat-control and this worked fine. So:
1. If nat-control is disabled, will it cause problems for the traffic of the other interfaces (as they have static/nat lines in the configuration)?
2. Is this the way it is supposed to work?
Please help me to understand this concept.
I appreciate the time and effort taken to read and answer my post.