01-29-2013 12:21 PM - edited 03-11-2019 05:53 PM
Hi,
I have a situation where I'm converting a rather large amount of NAT statements (500+) from old syntax to 8.3+ syntax.
It's a fair amount of work, and I'm starting to wonder how to best approach the changes to NAT decision-making with the newer versions.
There is a heavy reliance on Policy NAT, and there are a few Nat Exempts that need to be converted to new syntax. There are also over 400 Static NAT entries.
My current plan is to convert the Static Entries into Auto NAT syntax and all their Dynamic Policy NAT into Manual NAT entries. The NAT Exempt will be Manual as well and be placed in front of everything else for the top priority.
The confusion on my part starts when I consider the Dynamic NAT/PAT that aren't destination-specific (ie, no policy-NAT).
Where should I put these? Should I just put them after the more specific Policy NAT entries under Manual NAT? Should I convert them into Auto NAT entries? Or should I push them all the way down to After-Auto?
What is best practice in that situation?
As an aside, I was asked not to rely on the auto-migration (when the ASA boots) as it would create a lot of unreadable objects that would later have to be sifted through and renamed.
Thanks!
01-30-2013 02:08 AM
I would configure them as after-auto NAT, because according to you those are more general compared to your "more specific" policy NAT, and as far as I know in the NAT world, the more specific rules get more priority than the less specific rules, to make sure the ASA implements those more specific ones first.
Just my 2 cents.
01-31-2013 10:54 AM
Hello,
The way you mentioned is the right way.
NAT exempt should be manual NAT and go first.
Policy NAT also needs to be Manual and go after the NAT exempt.
Static NAT should be Auto NAT, as well as dynamic NAT.
This NAT order (Auto) is automatically determined by the adaptive security appliance:
1. Static rules.
2. Dynamic rules.
For more information about NAT order and how the ASA orders Auto NAT:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html#wpxref31590
Regards,
Felipe.
01-31-2013 12:15 PM
Icambron, to clarify:
Are you suggesting that I change the Dynamic NAT rules (that aren't Policy NAT) to Auto NAT syntax instead of Manual NAT?
Now that I look at it, that will not be possible with some of the Dynamic NATs either.
A few of the Dynamic NAT entries that do not have a specified Policy NAT destination are used in multiple dynamic NATs.
Example:
object network pat-10.1.1.0_24
 subnet 10.1.1.0 255.255.255.0
object network pat-1.1.1.0_24
 subnet 1.1.1.0 255.255.255.0
object network pat-2.2.2.0_24
 subnet 2.2.2.0 255.255.255.0
nat (inside,outside) source dynamic pat-10.1.1.0_24 pat-1.1.1.0_24
nat (inside,dmz) source dynamic pat-10.1.1.0_24 pat-2.2.2.0_24
In the situation above, would it be better to just create TWO auto-nat entries, or just use after-auto manual nat?
01-31-2013 04:17 PM
As long as the dynamic NAT is at the end of the Manual NATs this should also work.
Regards,
Felipe.
02-01-2013 07:14 AM
After sleeping on it, I'd honestly rather not create new objects for use in Auto NAT; some of the objects used in Dynamic PAT are duplicated amongst other Dynamic PAT with different mapped interfaces, and also some of the objects are re-used in the Policy NAT statements.
Unless there's a specific reason NOT to do it, I'll set them up as follows:
1. NAT0/Exemption (Manual NAT)
2. Policy NAT (Manual NAT)
3. Statics (Auto NAT)
4. Dynamic PAT (After-Auto NAT)
Thanks for the assistance.
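The four-tier layout from the list above, written out in 8.3+ syntax as an added example (not configuration from the thread). The pat-* objects are the ones posted earlier; obj-vpn-pool, obj-partner, the server 10.1.1.10 and the mapped address 203.0.113.10 are constructed placeholders.

```cisco
! --- objects (pat-* objects are the ones posted earlier in the thread) ---
object network pat-10.1.1.0_24
 subnet 10.1.1.0 255.255.255.0
object network pat-1.1.1.0_24
 subnet 1.1.1.0 255.255.255.0
object network pat-2.2.2.0_24
 subnet 2.2.2.0 255.255.255.0
object network obj-vpn-pool
 subnet 192.168.100.0 255.255.255.0
object network obj-partner
 subnet 198.51.100.0 255.255.255.0
!
! 1. NAT exempt (Section 1, manual NAT, entered first so it is line 1):
!    identity-translate source and destination so inside -> VPN pool
!    traffic is never translated by anything below.
nat (inside,outside) source static pat-10.1.1.0_24 pat-10.1.1.0_24 destination static obj-vpn-pool obj-vpn-pool no-proxy-arp
!
! 2. Policy NAT (Section 1, after the exemption): 10.1.1.0/24 is mapped
!    to 1.1.1.0/24 only when the destination is the partner network.
nat (inside,outside) source dynamic pat-10.1.1.0_24 pat-1.1.1.0_24 destination static obj-partner obj-partner
!
! 3. Static (Section 2, auto NAT): the rule lives on the object itself,
!    so the object must not be shared with any other NAT rule.
object network srv-10.1.1.10
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
!
! 4. Dynamic NAT/PAT (Section 3, after-auto): the same real object reused
!    once per mapped interface; consulted only after Sections 1 and 2 miss.
nat (inside,outside) after-auto source dynamic pat-10.1.1.0_24 pat-1.1.1.0_24
nat (inside,dmz) after-auto source dynamic pat-10.1.1.0_24 pat-2.2.2.0_24
!
! Verification: "show nat" lists the rules grouped by section, and
! packet-tracer reports the single rule a flow matched. For the server
! below, expect the Section 2 static, not the Section 3 dynamic rule:
! packet-tracer input inside tcp 10.1.1.10 12345 203.0.113.50 80
```

Because the statics and the dynamic rule share the 10.1.1.0/24 space, the packet-tracer line is the quickest way to confirm the precedence you expect after the migration.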
02-01-2013 09:08 AM
Traffic initiated from outside won't hit the Dynamic NAT, even if configured as Manual.
However it's ok to do it as after Auto NAT.
Regards,
Felipe.
02-01-2013 09:16 AM
Thanks for the verification.