06-05-2013 10:28 AM - edited 03-11-2019 06:53 PM
Hi everyone
Hoping someone can clear this up for me, as it's working but I have no idea why.
We have a NAT exemption rule for 10.0.0.0/8 to w.x.y.z,
followed by some static NAT rules,
and then
a dynamic policy NAT rule for 10.0.0.0/8 to w.x.y.z, NATting to IP a.b.c.d.
When I do a packet trace from 10.10.10.10 to w.x.y.z, it shows the packet first matching against the NAT exemption rule, and then immediately afterwards it matches the dynamic policy NAT rule. The static NAT rules are being successfully bypassed (which is what I want), but why does the dynamic policy NAT rule apply if an exempt rule has been hit already? Is this by design?
An actual test between the IPs above reflects the result of the packet tracer as well (IP a.b.c.d is seen on server w.x.y.z).
We are running the following software on an ASA5520:
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(7)
Any ideas?
Thanks
A
06-05-2013 01:34 PM
Hi,
I would be interested to seeing the "packet-tracer" output and the actual command used.
NAT0 configurations should always come before any other NAT configurations.
Can you also share the 2 NAT configurations you mention.
- Jouni
06-05-2013 09:45 PM
[sensitive information redacted in the below output]
nat (if001) 0 access-list if001_nat0_outbound
nat (if001) 4 access-list if001_nat_outbound
nat (if001) 3 10.0.0.0 255.0.0.0
global (Outside) 3 e.f.g.h netmask 255.255.255.0
global (Outside) 4 a.b.c.d netmask 255.255.255.0
---------------------------------------------------------------------------------------------
asa001# packet-tracer input if001 tcp 10.10.10.10 1099 w.x.y.z http
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group if001_access_in in interface if001
access-list if001_access_in extended permit object-group DM_INLINE_SERVICE_1 10.0.0.0 255.0.0.0 any
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object udp eq ntp
Additional Information:
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map global-class
match any
policy-map global_policy
description Limit_Conn
class global-class
set connection advanced-options TCPOPT
service-policy global_policy global
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip if001 10.0.0.0 255.0.0.0 Outside host w.x.y.z
NAT exempt
translate_hits = 320, untranslate_hits = 0
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (if001) 4 access-list if001_nat_outbound
match ip if001 10.0.0.0 255.0.0.0 Outside a.b.c.128 255.255.255.192
dynamic translation to pool 4 (a.b.c.88)
translate_hits = 477883, untranslate_hits = 22
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (if001) 4 access-list if001_nat_outbound
match ip if001 10.0.0.0 255.0.0.0 Outside a.b.c.128 255.255.255.192
dynamic translation to pool 4 (a.b.c.88)
translate_hits = 477883, untranslate_hits = 22
Additional Information:
Phase: 10
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2056717033, packet dispatched to next module
Result:
input-interface: if001
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
06-05-2013 11:42 PM
Hi,
To me the "packet-tracer" output seems to state that the Dynamic Policy NAT is not applied at all.
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (if001) 4 access-list if001_nat_outbound
match ip if001 10.0.0.0 255.0.0.0 Outside a.b.c.128 255.255.255.192
dynamic translation to pool 4 (a.b.c.88)
translate_hits = 477883, untranslate_hits = 22
Additional Information:
To my understanding, if the above Dynamic Policy PAT was applied you would see the actual translation information in the "Additional Information" section of the output.
Here is an example from one of our 8.2 ASA firewalls when the "packet-tracer" test matches a Dynamic Policy NAT:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (int) 21 access-list
nat-control
match ip int any outside host x.x.x.x
dynamic translation to pool 21 (y.y.y.y)
translate_hits = 2, untranslate_hits = 0
Additional Information:
Dynamic translate a.a.a.a/12345 to y.y.y.y/13091 using netmask 255.255.255.255
I am not sure what the logic with the output of "packet-tracer" is sometimes BUT it seems to list the NAT configurations that match the source address even if they are NOT applied in this very case.
Though in this case you say that you are still seeing the traffic coming with the Dynamic Policy PAT. I am not 100% sure how the ASA reacts when you configure different types of NAT configurations in different order. It was not that uncommon a few years back when I didn't remember to clear the xlate for some device and wondered why some NAT didn't work how it was supposed to.
Also, just to make sure, are your NAT0 and Dynamic Policy PAT ACLs identical? And if they are, is there really any use for the other one of them?
- Jouni
06-06-2013 12:03 AM
You are correct, it isn't actually getting natted. I did a packet capture on an intermediate device after the firewall, and saw the non-natted address.
This is only working due to some funky routing we have between the load balancers and web farm, and the packet tracer output was throwing me off.
Now this brings me to another question:
If I have a static NAT:
1.1.1.1 ---- 2.2.2.2
But I want 1.1.1.1 to NAT to a specific IP (3.3.3.3) when connecting to 3.3.0.0 (instead of using 2.2.2.2) - how do I get the dynamic policy NAT rule to nat to 3.3.3.3? It seems as if static always take preference.
Thanks
06-06-2013 12:12 AM
Hi,
The decision which translation is used when we have both Static NAT and Static Policy NAT between the same interfaces comes down to the order of the "static" commands. And the old software doesn't really give you much chance to change this without causing at least a minor disruption to the traffic.
What you would need to do is the following:
The purpose of the above is to simply reorder the NAT configuration which you see in CLI format. We first configure the Static Policy NAT, which will add it to the very bottom of the "static" configurations. When we consider that you probably already had the normal Static NAT configured before this, then that means it's overriding the Static Policy NAT always, since it's first in the CLI configuration. We then remove the Static NAT and reinsert the Static NAT, which again moves it to the very bottom of the "static" configurations.
After this the Static Policy NAT should be matched first, and then the rest of the traffic that is NOT defined in the Static Policy NAT ACL falls to the Static NAT at the bottom.
Hope this helps
- Jouni
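The two points made in this thread, that packet-tracer lists every NAT configuration whose ACL the flow matches even though only the first one in the order of operations is applied, and that between a regular static and a static policy NAT on the same interface pair the order of the "static" commands decides, can be checked against a small model. The following is an added example written for this thread, not Cisco code and not the poster's configuration. It assumes the NAT order of operations documented for pre-8.3 ASA software (NAT exemption, then static and static policy NAT in command order, then policy dynamic NAT, then regular dynamic NAT), assumes nat-control is off, and uses constructed RFC 5737 addresses in place of the redacted w.x.y.z, a.b.c.88 and e.f.g.h; the 1.1.1.1/2.2.2.2/3.3.3.3 values are the ones from the follow-up question.

```python
"""Toy model of classic (pre-8.3) Cisco ASA NAT rule selection.

Added example for this thread, not Cisco code. It assumes the NAT order of
operations documented for ASA 8.2: NAT exemption (nat 0 access-list) first,
then static NAT / static policy NAT in 'static' command order, then policy
dynamic NAT (nat <id> access-list), then regular dynamic NAT. Within one class
the first matching rule in configuration order wins. All addresses are
constructed stand-ins for the redacted ones in the thread; nat-control is
assumed off, so a flow with no matching rule passes untranslated.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    kind: str                     # 'exempt', 'static', 'static_policy', 'policy' or 'dynamic'
    src: str                      # source network the rule (or its ACL) matches
    dst: str = "0.0.0.0/0"        # destination network; any for non-policy rules
    mapped: Optional[str] = None  # translated source address; None for exemption


# Evaluation class per kind; lower wins. Static and static policy NAT share a
# class, so only their order in the configuration decides between them.
ORDER = {"exempt": 0, "static": 1, "static_policy": 1, "policy": 2, "dynamic": 3}


def matches(rule: Rule, src: str, dst: str) -> bool:
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst))


def candidates(rules: List[Rule], src: str, dst: str) -> List[Rule]:
    """Every rule whose match criteria the flow satisfies: roughly what
    packet-tracer lists as NAT phases, whether or not each one is applied."""
    return [r for r in rules if matches(r, src, dst)]


def select(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """The single rule that is applied: lowest class, then configuration order
    (min() returns the first of several equal-keyed items)."""
    hits = candidates(rules, src, dst)
    return min(hits, key=lambda r: ORDER[r.kind]) if hits else None


def translate(rules: List[Rule], src: str, dst: str) -> str:
    """Source address as seen on the outside interface for this flow."""
    rule = select(rules, src, dst)
    if rule is None or rule.kind == "exempt":
        return src
    return rule.mapped


# The configuration from the thread with constructed addresses:
#   w.x.y.z  -> 203.0.113.130   (inside a.b.c.128/26 -> 203.0.113.128/26)
#   a.b.c.88 -> 203.0.113.88    (global 4)
#   e.f.g.h  -> 198.51.100.1    (global 3)
THREAD_RULES = [
    Rule("exempt", "10.0.0.0/8", "203.0.113.130/32"),                  # nat (if001) 0 access-list if001_nat0_outbound
    Rule("policy", "10.0.0.0/8", "203.0.113.128/26", "203.0.113.88"),  # nat (if001) 4 access-list if001_nat_outbound
    Rule("dynamic", "10.0.0.0/8", mapped="198.51.100.1"),              # nat (if001) 3 10.0.0.0 255.0.0.0
]

# The follow-up question: a regular static for 1.1.1.1 entered before a static
# policy NAT that should win only for destinations in 3.3.0.0/16.
STATIC_IN_CLI_ORDER = [
    Rule("static", "1.1.1.1/32", mapped="2.2.2.2"),                # static (inside,outside) 2.2.2.2 1.1.1.1
    Rule("static_policy", "1.1.1.1/32", "3.3.0.0/16", "3.3.3.3"),  # static (inside,outside) 3.3.3.3 access-list ...
]


def readd_regular_static(rules: List[Rule]) -> List[Rule]:
    """The 8.2 workaround from the thread: remove the regular static and enter
    it again, which moves it below the static policy NAT."""
    regular = [r for r in rules if r.kind == "static"]
    return [r for r in rules if r.kind != "static"] + regular


if __name__ == "__main__":
    flow = ("10.10.10.10", "203.0.113.130")
    print("listed: ", [r.kind for r in candidates(THREAD_RULES, *flow)])
    print("applied:", select(THREAD_RULES, *flow).kind, "->", translate(THREAD_RULES, *flow))
    print("to 3.3.5.5 before re-add:", translate(STATIC_IN_CLI_ORDER, "1.1.1.1", "3.3.5.5"))
    print("to 3.3.5.5 after re-add: ",
          translate(readd_regular_static(STATIC_IN_CLI_ORDER), "1.1.1.1", "3.3.5.5"))
```

For the flow traced in the thread, candidates() lists the exemption, the policy NAT and the regular dynamic NAT (the same three that appear as NAT phases in the packet-tracer output), while select() returns only the exemption, so the source address leaves unchanged, which is what the packet capture on the intermediate device showed. For the static case, the regular static wins for 3.3.5.5 until it is removed and re-entered; the model is the reasoning, not a substitute for verifying on the box with packet-tracer and a capture after any change.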
06-06-2013 12:30 AM
Thanks, that is very helpful. I see later versions (8.3+) allow reordering of these rules. We will be upgrading sometime in the not-too-distant future and then we will have this functionality. Right now, the config is working so I won't risk deleting/readding the rules.
06-06-2013 12:40 AM
Hi,
Yes, the new software gives you a chance to insert the NAT at a certain spot in the configuration without removing anything. But there are 2 different types of NAT configurations. Manual NAT / Twice NAT is something that you can order manually. Network Object NAT however doesn't give this option but rather changes the order depending on the inserted configuration. Though it still gives you a chance to affect the order a bit.
If you are interested in looking at some basic information about the new 8.3+ NAT format, then have a look at a document I made on the CSC about it:
https://supportforums.cisco.com/docs/DOC-31116
- Jouni