NAT - Configuration Cleanup Help

tbthurman
Level 1

I am attempting to clean up some of the NAT configurations on our ASA before we upgrade from 8.2.5 to 8.3+. I had a question regarding the global NAT configurations.

I understand the purpose of most of the statements below, but I don't understand the global (INSIDE) 10 interface. I also don't like the global (DMZ) 10 interface with the nat (INSIDE) 10 0.0.0.0 0.0.0.0 command. It causes the logs on the DMZ servers to only show the DMZ interface IP instead of the actual host IP. Can anyone think of a reason why they would be there?

global (OUTSIDE) 15 external-IP1
global (OUTSIDE) 10 external-IP2
global (OUTSIDE) 20 interface
global (INSIDE) 10 interface
global (DMZ) 10 interface
nat (OUTSIDE) 0 access-list NONAT-OUTSIDE
nat (OUTSIDE) 20 192.168.x.x 255.255.255.0
nat (INSIDE) 0 access-l NONAT
nat (INSIDE) 10 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-l NONAT
nat (DMZ) 15 0.0.0.0 0.0.0.0

Accepted Solution

Akshay Rastogi
Cisco Employee

Hi,

For global (inside) 10 and nat (inside) 10, it looks like U-turning has been performed, where anything coming from inside hosts gets NATted to the inside interface IP.

This kind of configuration is used to prevent asymmetric routing as well, where the SYN goes through the ASA but the SYN-ACK goes directly to the client without passing through the ASA. Therefore, for return traffic to go through the ASA, the source IP is NATted to the interface IP so that the reply packet first goes to the interface and then the ASA performs untranslation and sends the traffic back to the actual source.

Regarding global (DMZ) 10 and nat (inside) 10, it could be possible that you might not want your DMZ hosts to see the actual source IP from inside. Also, you can check if 'nat-control' is enabled. If yes, then you need to have NAT configured on the ASA for communication between interfaces. That could also be the reason why this NAT was kept.

Hope it helps you find the main reason.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

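The accepted answer explains the pre-8.3 pairing rule behind the poster's confusion: a `nat (ingress) ID` statement is only applied when the egress interface has a `global (egress) ID` with the same ID, and with `nat-control` enabled a packet that matches a `nat` statement but finds no matching `global` on its egress interface is dropped. The following Python resolver, an added example that is not part of the thread or of any Cisco tool, parses the poster's own `nat`/`global` lines and reports what happens to the source address of a flow between two interfaces. Everything not in the post is a constructed assumption: the interface addresses, the contents of the NONAT access lists, and the `192.168.0.0/24` network that stands in for the redacted `192.168.x.x`. The lookup order (NAT exemption first, then the most specific dynamic `nat` statement) is a simplification of the ASA 8.2 behaviour and ignores static and policy NAT, which the post does not use.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed interface addresses (assumption; the thread does not give them).
INTERFACE_IP = {"INSIDE": "10.1.1.1", "DMZ": "172.16.1.1", "OUTSIDE": "203.0.113.1"}

# Constructed stand-ins for the NONAT access lists as (source, destination) pairs.
ACLS = {
    "NONAT": [("10.1.0.0/16", "10.2.0.0/16")],
    "NONAT-OUTSIDE": [("192.168.0.0/24", "10.1.0.0/16")],
}

# The poster's statements; external-IP1/2 kept as written, 192.168.x.x replaced by a
# constructed 192.168.0.0 so that it parses.
ASA_CONFIG = """
global (OUTSIDE) 15 external-IP1
global (OUTSIDE) 10 external-IP2
global (OUTSIDE) 20 interface
global (INSIDE) 10 interface
global (DMZ) 10 interface
nat (OUTSIDE) 0 access-list NONAT-OUTSIDE
nat (OUTSIDE) 20 192.168.0.0 255.255.255.0
nat (INSIDE) 0 access-l NONAT
nat (INSIDE) 10 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-l NONAT
nat (DMZ) 15 0.0.0.0 0.0.0.0
"""


@dataclass
class GlobalPool:
    iface: str
    nat_id: int
    target: str  # "interface" or a pool address / placeholder name


@dataclass
class NatRule:
    iface: str
    nat_id: int
    network: Optional[ipaddress.IPv4Network]  # None for "nat ... 0 access-list"
    acl: Optional[str]


GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
NAT_ACL_RE = re.compile(r"^nat \((\S+)\) 0 access-l\S* (\S+)$")
NAT_NET_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")


def parse_asa_nat(text):
    """Return ({(iface, id): GlobalPool}, [NatRule]) from 8.2-style nat/global lines."""
    pools, rules = {}, []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := GLOBAL_RE.match(line):
            pools[(m[1], int(m[2]))] = GlobalPool(m[1], int(m[2]), m[3])
        elif m := NAT_ACL_RE.match(line):
            rules.append(NatRule(m[1], 0, None, m[2]))
        elif m := NAT_NET_RE.match(line):
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
            rules.append(NatRule(m[1], int(m[2]), net, None))
        else:
            raise ValueError(f"unrecognised line: {line}")
    return pools, rules


POOLS, RULES = parse_asa_nat(ASA_CONFIG)


def resolve(ingress, src, egress, dst, nat_control=True):
    """Decide what the ASA does to the source address of src->dst from ingress to egress."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    untranslated = "drop" if nat_control else "untranslated"
    # 1. NAT exemption (nat 0 access-list) wins over everything else.
    for r in RULES:
        if r.iface == ingress and r.acl is not None:
            for s, d in ACLS.get(r.acl, []):
                if src_ip in ipaddress.ip_network(s) and dst_ip in ipaddress.ip_network(d):
                    return {"action": "exempt", "nat_id": 0, "translated_src": src}
    # 2. Dynamic NAT: most specific matching nat statement on the ingress interface
    #    (max() keeps the first configured one on a tie).
    matches = [r for r in RULES if r.iface == ingress and r.network and src_ip in r.network]
    if not matches:
        return {"action": untranslated, "nat_id": None, "translated_src": src}
    best = max(matches, key=lambda r: r.network.prefixlen)
    # 3. The nat ID is only honoured if the egress interface has a global with that ID;
    #    without one, nat-control drops the packet, otherwise it leaves untranslated.
    pool = POOLS.get((egress, best.nat_id))
    if pool is None:
        return {"action": untranslated, "nat_id": best.nat_id, "translated_src": src}
    new_src = INTERFACE_IP[egress] if pool.target == "interface" else pool.target
    return {"action": "translate", "nat_id": best.nat_id, "translated_src": new_src}


if __name__ == "__main__":
    # Constructed flows; the first one reproduces the "DMZ logs show the DMZ interface IP" symptom.
    for flow in [("INSIDE", "10.1.1.5", "DMZ", "172.16.1.10"),
                 ("INSIDE", "10.1.1.5", "OUTSIDE", "198.51.100.7"),
                 ("DMZ", "172.16.1.10", "INSIDE", "10.1.1.5"),
                 ("INSIDE", "10.1.1.5", "INSIDE", "10.1.2.9")]:
        print(flow, "->", resolve(*flow))
```

Running it shows why the DMZ servers log the DMZ interface address: an inside host heading to the DMZ matches `nat (INSIDE) 10`, and `global (DMZ) 10 interface` PATs it to the DMZ interface IP. Removing that `global` line is safe only if `nat-control` is off or the NONAT list covers the inside-to-DMZ traffic; with `nat-control` on and no matching `global`, the resolver (like the ASA) drops the flow, which is the check the answer recommends making before deleting the statement.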

2 Replies


Thanks! This helped lead me in the right direction for what I needed to find.
