NAT config in old ASA

mahesh1818
Level 1

Hi Team,

 

I need to migrate a Cisco ASA to Firepower.

Below is the NAT config on the ASA:

global (outside) 1 interface
nat (inside) 0 172.16.0.0 255.240.0.0
nat (inside) 0 10.0.0.0 255.0.0.0

Seems global is for traffic going from inside to outside and getting PAT to the outside interface IP address, right?

And nat inside 0 says that if the source is 10.x.x.x then no NAT, right?

So which NAT config takes preference?

Regards

Mahesh

4 Replies

@mahesh1818 

"Seems global is for traffic going from inside to outside and getting PAT to the outside interface IP address, right?"

Yes.

"And nat inside 0 says that if the source is 10.x.x.x then no NAT, right?"

Yes.

"So which NAT config takes preference?"

Exemption comes first.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/firewall/asdm_71_firewall_config/nat_82.html#19135

 

Order of NAT Rules Used to Match Real Addresses

The ASA matches real addresses to NAT rules in the following order:

1. NAT exemption—In order, until the first match.

2. Static NAT and Static PAT (regular and policy)—In order, until the first match. Static identity NAT is included in this category.

3. Policy dynamic NAT—In order, until the first match. Overlapping addresses are allowed.

4. Regular dynamic NAT—Best match. Regular identity NAT is included in this category. The order of the NAT rules does not matter; the NAT rule that best matches the real address is used. For example, you can create a general rule to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a rule to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific rule for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping rules; they use more memory and can slow the performance of the ASA.

Thanks for the reply.

So, nat inside 0 is exempt in our case, and then static NAT comes; got that.

After that comes dynamic PAT, which is the global statement in our case?

If we have a static NAT, say

static (inside,outside) 10.76.28.93 10.76.28.93 netmask 255.255.255.255

does this NAT policy get hit? As per my understanding, the exempt policy for no NAT will take precedence over this.

On the NAT stats I see

translate_hits = 0, untranslate_hits = 90, so the above static NAT statement is hitting the NAT rule, right?

 

Regards

Mahesh

 

"translate_hits = 0, untranslate_hits = 90, so the above static NAT statement is hitting the NAT rule, right?"

I only see a hit on the untranslate counter, which is exempt. If the static NAT got hit, we should see the counter for translate increase.

 

Many thanks Miranda, you are the best!
