Insert NAT statement in ASA 5520 8.0 code

Hitesh Vinzoda
Level 4

Hi,

I'm aware of the NAT order of operation, but what would be the order of operation within the same type of NAT (e.g. static policy NAT)? e.g.

access-list nat-me permit ip host 192.168.10.1 host 10.0.10.1

access-list nat-you permit ip host 192.168.20.1 host 10.0.20.1


static (inside,dmz) 172.16.10.1 access-list nat-me               >> First line as appearing in the config

static (inside,dmz) 172.16.20.1 access-list nat-you               >> Second line appearing in the config

Would it prefer to NAT by the placement of the STATIC NAT statements in the config? If yes, is there any way to insert a NAT statement on top of all the STATIC NAT statements without using "no" on the existing rules and pasting them again following the new NAT statement?

Will it invite any downtime during such a configuration change? Any suggestion would be helpful.

TIA

Hitesh


Kureli Sankar
Cisco Employee

Hitesh,

You mean to say you need to insert a static 1-to-1 NAT in place of this static policy NAT?

Just copy and paste all the lines into Notepad (the ones to be removed and the ones that need to be added) and paste them in one shot.

Existing connections will not be affected, and it only takes a few seconds before the new lines get into the config, so any new connections that come in during those split seconds will be affected, which I think will be negligible.

ASDM has an option to insert a line (under NAT). Though you may insert the new line before the existing ones, once pushed to the device the new line is the last one added. Meaning there is no line number like in the ACL to add one line above all existing lines without removing the ones that are already there.

-KS

Hi Sankar,

Apologies for not explaining the scenario. You got me half correct; actually the case is as below. Suppose the existing configuration on the ASA is as below. Now there is a host 192.168.20.20 which is communicating with 10.0.20.20, so it will check the NAT statements, and according to the second NAT statement the source will get NATed to 172.16.20.1.

access-list nat-me permit ip host 192.168.10.1 host 10.0.10.1

access-list nat-you permit ip 192.168.20.0 255.255.255.0 10.0.20.0 255.255.255.0


static (inside,dmz) 172.16.10.1 access-list nat-me               >> First line as appearing in the config

static (inside,dmz) 172.16.20.1 access-list nat-you               >> Second line appearing in the config

Now I want this host 192.168.20.20 to get NATed to a different IP, e.g. 172.16.20.20, and all the rest to follow the "nat-you" ACL. Then the new NAT statement would be appended below the existing NAT statements:

access-list nat-me permit ip host 192.168.10.1 host 10.0.10.1

access-list nat-you permit ip 192.168.20.0 255.255.255.0 10.0.20.0 255.255.255.0

access-list nat-1 permit ip host 192.168.20.20 host 10.0.20.0


static (inside,dmz) 172.16.10.1 access-list nat-me               >> First line as appearing in the config

static (inside,dmz) 172.16.20.1 access-list nat-you               >> Second line appearing in the config

static (inside,dmz) 172.16.20.20 access-list nat-1                >> Third line appearing in the config

So it seems to me that, as per the NAT statements, the traffic from 192.168.20.20 to 10.0.20.20 will not get NATed to 172.16.20.20, as it gets matched by the upper NAT statement.

Correct me if I'm wrong, and if it's right, do we have any workaround for this situation?

Thanks in Advance

Hitesh

Hi,

A workaround would be:

access-list nat-you deny ip host 192.168.20.20 10.0.20.0 255.255.255.0

access-list nat-you permit ip 192.168.20.0 255.255.255.0 10.0.20.0 255.255.255.0


Dan
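To make the first-match behaviour discussed in this thread concrete, here is a small Python model of the config above, added as an example and not part of the original thread or any Cisco code. It models ASA 8.0 static policy NAT the way Hitesh describes it: statements are evaluated in config order, and the first statement whose ACL permits the flow wins, while a deny ACE in a NAT ACL exempts the flow from that statement so evaluation falls through to the next one. The ACL names, addresses and interface names are the thread's own; the only assumption is that the nat-1 ACL, written as "host 10.0.20.0" in the post, is meant to match the 10.0.20.20 destination under discussion.

```python
import ipaddress

# Constructed model of the thread's config. Each ACL is an ordered list of
# (action, source network, destination network); static policy NAT statements
# are (real interface, mapped interface, mapped address, ACL name) in config
# order. First-match evaluation is the assumption being demonstrated.
ACLS = {
    "nat-me":  [("permit", "192.168.10.1/32", "10.0.10.1/32")],
    "nat-you": [("permit", "192.168.20.0/24", "10.0.20.0/24")],
    # Assumption: the post's "host 10.0.20.0" is intended for the 10.0.20.20 host.
    "nat-1":   [("permit", "192.168.20.20/32", "10.0.20.20/32")],
}

STATICS = [
    ("inside", "dmz", "172.16.10.1", "nat-me"),
    ("inside", "dmz", "172.16.20.1", "nat-you"),
    ("inside", "dmz", "172.16.20.20", "nat-1"),   # appended last, as on the box
]


def acl_lookup(acl, src, dst):
    """Return the action of the first ACE matching src->dst, or None (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return None


def translate(statics, acls, src, dst):
    """Walk the static policy NAT statements in config order and return the
    mapped address of the first one whose ACL permits the flow (None if no
    statement applies). A deny ACE makes that statement skip the flow."""
    for _real_if, _mapped_if, mapped_ip, acl_name in statics:
        if acl_lookup(acls[acl_name], src, dst) == "permit":
            return mapped_ip
    return None


def with_workaround(acls):
    """Dan's workaround: add a deny ACE for the single host to nat-you, ahead
    of the subnet permit, so the second statement no longer claims that flow."""
    fixed = {name: list(aces) for name, aces in acls.items()}
    fixed["nat-you"] = [("deny", "192.168.20.20/32", "10.0.20.0/24")] + fixed["nat-you"]
    return fixed


if __name__ == "__main__":
    # Without the workaround the subnet statement wins: 172.16.20.1
    print(translate(STATICS, ACLS, "192.168.20.20", "10.0.20.20"))
    # With the deny ACE the flow falls through to nat-1: 172.16.20.20
    print(translate(STATICS, with_workaround(ACLS), "192.168.20.20", "10.0.20.20"))
    # Other hosts in 192.168.20.0/24 still follow nat-you: 172.16.20.1
    print(translate(STATICS, with_workaround(ACLS), "192.168.20.30", "10.0.20.20"))
```

The model shows why appending the host-specific statement does not help on its own, and why the fix lives in the ACL of the earlier statement rather than in the order of the static lines: the deny ACE carves the host out of nat-you, and because there is no "no" and re-paste of the static lines, existing translations are left in place.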
