
NAT question (ASA 8.2)

osiristrading
Level 1

Hi everyone

Hoping someone can clear this up for me, as it's working but I have no idea why.

We have a NAT exemption rule for 10.0.0.0/8 to w.x.y.z,

followed by some static NAT rules,

and then

a dynamic policy NAT rule for 10.0.0.0/8 to w.x.y.z, NATing to IP a.b.c.d.

When I do a packet trace from 10.10.10.10 to w.x.y.z, it shows the packet first matching against the NAT exemption rule, and then immediately afterwards it matches the dynamic policy NAT rule. The static NAT rules are being successfully bypassed (which is what I want), but why does the dynamic policy NAT rule apply if an exempt rule has been hit already? Is this by design?

An actual test between the IPs above reflects the result of the packet tracer as well (IP a.b.c.d is seen on server w.x.y.z).

We are running the following software on an ASA5520:

Cisco Adaptive Security Appliance Software Version 8.2(5)

Device Manager Version 6.4(7)

Any ideas?

Thanks

A


7 Replies

Jouni Forss
VIP Alumni

Hi,

I would be interested in seeing the "packet-tracer" output and the actual command used.

NAT0 configurations should always come before any other NAT configurations.

Can you also share the 2 NAT configurations you mention?

- Jouni

[sensitive information redacted in the below output]

nat (if001) 0 access-list if001_nat0_outbound
nat (if001) 4 access-list if001_nat_outbound
nat (if001) 3 10.0.0.0 255.0.0.0
global (Outside) 3 e.f.g.h netmask 255.255.255.0
global (Outside) 4 a.b.c.d netmask 255.255.255.0

---------------------------------------------------------------------------------------------

asa001# packet-tracer input if001 tcp 10.10.10.10 1099 w.x.y.z http

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group if001_access_in in interface if001
access-list if001_access_in extended permit object-group DM_INLINE_SERVICE_1 10.0.0.0 255.0.0.0 any
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object udp eq ntp
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map global-class
match any
policy-map global_policy
description Limit_Conn
class global-class
  set connection advanced-options TCPOPT
service-policy global_policy global
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip if001 10.0.0.0 255.0.0.0 Outside host w.x.y.z
    NAT exempt
    translate_hits = 320, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (if001) 4 access-list if001_nat_outbound
  match ip if001 10.0.0.0 255.0.0.0 Outside a.b.c.128 255.255.255.192
    dynamic translation to pool 4 (a.b.c.88)
    translate_hits = 477883, untranslate_hits = 22
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (if001) 4 access-list if001_nat_outbound
  match ip if001 10.0.0.0 255.0.0.0 Outside a.b.c.128 255.255.255.192
    dynamic translation to pool 4 (a.b.c.88)
    translate_hits = 477883, untranslate_hits = 22
Additional Information:

Phase: 10
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2056717033, packet dispatched to next module

Result:
input-interface: if001
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

Hi,

To me the "packet-tracer" output seems to state that the Dynamic Policy NAT is not applied at all.

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (if001) 4 access-list if001_nat_outbound
  match ip if001 10.0.0.0 255.0.0.0 Outside a.b.c.128 255.255.255.192
    dynamic translation to pool 4 (a.b.c.88)
    translate_hits = 477883, untranslate_hits = 22
Additional Information:

To my understanding, if the above Dynamic Policy PAT was applied you would see the actual translation information in the "Additional Information" section of the output.

Here is an example from one of our 8.2 ASA firewalls when the "packet-tracer" test matches a Dynamic Policy NAT:

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (int) 21 access-list
nat-control
  match ip int any outside host x.x.x.x
    dynamic translation to pool 21 (y.y.y.y)
    translate_hits = 2, untranslate_hits = 0
Additional Information:
Dynamic translate a.a.a.a/12345 to y.y.y.y/13091 using netmask 255.255.255.255

I am not sure what the logic of the "packet-tracer" output is sometimes, BUT it seems to list the NAT configurations that match the source address even if they are NOT applied in this very case.

Though in this case you say that you are still seeing the traffic coming with the Dynamic Policy PAT. I am not 100% sure how the ASA reacts when you configure different types of NAT configuration in different orders. It was not that uncommon a few years back that I didn't remember to clear the xlate for some device and wondered why some NAT didn't work how it was supposed to.

Also, just to make sure, are your NAT0 and Dynamic Policy PAT ACLs identical? And if they are, is there really a use for the other one of them?

- Jouni
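
The tell Jouni describes (a "Type: NAT" phase whose "Additional Information:" section is empty only echoes a nat command whose ACL the source matched; the translation is applied only when that section names it) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python parser for 8.2 packet-tracer output that splits it into phases and reports the effective source-address outcome. The two sample traces are constructed from the excerpts posted in this thread; the rule that exemption wins outright and that a NAT phase counts only when it names a translation is Jouni's reading of the output, not anything Cisco documents for the tracer format.

```python
"""Classify the NAT phases of an ASA 8.2 packet-tracer run (added example, not code from the thread)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
XLATE_RE = re.compile(r"^(Dynamic|Static) translate (\S+) to (\S+)")


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"


def parse_packet_tracer(text: str) -> List[Phase]:
    """Split packet-tracer output into Phase records; the bare trailing 'Result:' ends the phases."""
    phases, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            cur, section = Phase(int(m.group(1))), None
            phases.append(cur)
            continue
        if cur is None:
            continue
        key, sep, val = line.partition(":")
        if sep and key in ("Type", "Subtype", "Result"):
            if key == "Result" and not val.strip():  # summary block, no more phases
                cur = None
            else:
                setattr(cur, key.lower(), val.strip())
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif line and section:
            getattr(cur, section).append(line)
    return phases


def effective_nat(phases: List[Phase]) -> Tuple[str, str]:
    """Source-address outcome: NAT exemption wins outright in 8.2; a NAT phase only counts
    when its Additional Information names a translation (an echoed nat command does not)."""
    for p in phases:
        if p.type == "NAT-EXEMPT" and p.result == "ALLOW":
            return "exempt", p.config[0] if p.config else ""
    for p in phases:
        for line in p.info if p.type == "NAT" else ():
            m = XLATE_RE.match(line)
            if m:
                return "translated", f"{m.group(2)} -> {m.group(3)}"
    listed = [p.number for p in phases if p.type == "NAT"]
    return "untranslated", f"NAT phases {listed} listed, none applied" if listed else "no NAT phase"


# Constructed from the excerpts posted in the thread: phases 7-9 of the OP's trace, then Jouni's example.
OP_TRACE = """\
Phase: 7
Type: NAT-EXEMPT
Result: ALLOW
Config:
  match ip if001 10.0.0.0 255.0.0.0 Outside host w.x.y.z
    NAT exempt
Additional Information:

Phase: 8
Type: NAT
Result: ALLOW
Config:
nat (if001) 4 access-list if001_nat_outbound
    dynamic translation to pool 4 (a.b.c.88)
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (if001) 4 access-list if001_nat_outbound
Additional Information:

Result:
input-interface: if001
"""

APPLIED_TRACE = """\
Phase: 9
Type: NAT
Result: ALLOW
Config:
nat (int) 21 access-list
  match ip int any outside host x.x.x.x
    dynamic translation to pool 21 (y.y.y.y)
Additional Information:
Dynamic translate a.a.a.a/12345 to y.y.y.y/13091 using netmask 255.255.255.255
"""

if __name__ == "__main__":
    for name, trace in (("OP", OP_TRACE), ("Jouni", APPLIED_TRACE)):
        print(name, effective_nat(parse_packet_tracer(trace)))
```

Run on the OP's trace it reports the exemption as the effective outcome and phases 8 and 9 as listed but not applied, which is what the packet capture later confirmed; on Jouni's excerpt it reports the real-to-mapped pair from the "Dynamic translate" line. Feed it the full tracer output with `parse_packet_tracer(open(path).read())`.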

You are correct, it isn't actually getting NATed. I did a packet capture on an intermediate device after the firewall, and saw the non-NATed address.

This is only working due to some funky routing we have between the load balancers and web farm, and the packet tracer output was throwing me off.

Now this brings me to another question:

If I have a static NAT:

1.1.1.1   ----   2.2.2.2

But I want 1.1.1.1 to NAT to a specific IP (3.3.3.3) when connecting to 3.3.0.0 (instead of using 2.2.2.2) - how do I get the dynamic policy NAT rule to NAT to 3.3.3.3? It seems as if static always takes preference.

Thanks

Hi,

The decision of which translation is used when we have both Static NAT and Static Policy NAT between the same interfaces comes down to the order of the "static" commands. And the old software doesn't really give you much chance to change this without causing at least a minor disruption to the traffic.

What you would need to do is the following:

  • Configure the Static Policy NAT like usual
  • Remove the Static NAT
  • Add the Static NAT again

The purpose of the above is simply to reorder the NAT configuration which you see in CLI format. We first configure the Static Policy NAT, which will add it to the very bottom of the "static" configurations. When we consider that you probably already had the normal Static NAT configured before this, that means it is always overriding the Static Policy NAT, since it is first in the CLI configuration. We then remove the Static NAT and reinsert it, which again moves it to the very bottom of the "static" configurations.

After this the Static Policy NAT should be matched first, and the rest of the traffic that is NOT defined in the Static Policy NAT ACL falls to the Static NAT at the bottom.

Hope this helps

- Jouni
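
Both questions in this thread (why the exemption wins over the dynamic policy NAT even though the tracer lists both, and why a regular static beats a policy static added later until the regular one is removed and re-added) come down to the 8.2 NAT order of operations. The following is an added Python model, not ASA code and not from the thread. It assumes the order as I understand it for 8.2: NAT exemption first; then static NAT/PAT (regular or policy), first match in configuration order; then policy dynamic NAT, first match in configuration order; then regular dynamic NAT by best (longest real-network) match. The command strings are display-only, 203.0.113.x and 198.51.100.x are constructed stand-ins for the redacted w.x.y.z, a.b.c.d and e.f.g.h, and policy ACLs are modelled on destination address only.

```python
"""Model of how ASA 8.2 picks a translation (added example; assumptions listed in the lead-in)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


@dataclass
class Rule:
    cli: str                      # the 8.2 command line, kept for display only
    real: str                     # real source host or network
    mapped: Optional[str] = None  # mapped / pool address; None for an exemption
    dst: Optional[str] = None     # destination the policy ACL permits; None = not a policy rule

    def hit(self, src: str, dst: str) -> bool:
        return _in(src, self.real) and (self.dst is None or _in(dst, self.dst))


@dataclass
class NatConfig:
    exempt: List[Rule] = field(default_factory=list)      # nat (ifc) 0 access-list ...
    statics: List[Rule] = field(default_factory=list)     # static ..., first match in config order
    policy_dyn: List[Rule] = field(default_factory=list)  # nat (ifc) N access-list ..., first match
    dynamic: List[Rule] = field(default_factory=list)     # nat (ifc) N net mask, longest real prefix

    def translate(self, src: str, dst: str) -> Tuple[str, str, str]:
        """Return (section that decided, source address as seen by dst, deciding command)."""
        for r in self.exempt:
            if r.hit(src, dst):
                return "exempt", src, r.cli
        for r in self.statics:
            if r.hit(src, dst):
                return "static", r.mapped, r.cli
        for r in self.policy_dyn:
            if r.hit(src, dst):
                return "policy-dynamic", r.mapped, r.cli
        cands = [r for r in self.dynamic if r.hit(src, dst)]
        if cands:
            best = max(cands, key=lambda r: ipaddress.ip_network(r.real, strict=False).prefixlen)
            return "dynamic", best.mapped, best.cli
        return "none", src, ""


def readd(statics: List[Rule], rule: Rule) -> List[Rule]:
    """'no static ...' followed by the same 'static ...': the entry moves to the bottom of the list."""
    return [r for r in statics if r is not rule] + [rule]


# Case 1: the original question. 203.0.113.130 stands in for w.x.y.z (inside the policy ACL's /26).
WXYZ = "203.0.113.130"
THREAD = NatConfig(
    exempt=[Rule("nat (if001) 0 access-list if001_nat0_outbound", "10.0.0.0/8", dst=WXYZ)],
    policy_dyn=[Rule("nat (if001) 4 access-list if001_nat_outbound", "10.0.0.0/8",
                     "198.51.100.88", dst="203.0.113.128/26")],
    dynamic=[Rule("nat (if001) 3 10.0.0.0 255.0.0.0", "10.0.0.0/8", "198.51.100.1")],
)

# Case 2: the follow-up. A regular static configured first beats a policy static added later.
REGULAR = Rule("static (if001,Outside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255", "1.1.1.1", "2.2.2.2")
POLICY = Rule("static (if001,Outside) 3.3.3.3 access-list STATIC_1_TO_3", "1.1.1.1", "3.3.3.3",
              dst="3.3.0.0/16")


def static_order_demo() -> Tuple[str, str, str]:
    """Mapped address for 1.1.1.1 -> 3.3.3.3 as typed, after re-adding the regular static,
    and for a destination outside the policy ACL after the reorder."""
    cfg = NatConfig(statics=[REGULAR, POLICY])
    before = cfg.translate("1.1.1.1", "3.3.3.3")[1]
    cfg.statics = readd(cfg.statics, REGULAR)
    after = cfg.translate("1.1.1.1", "3.3.3.3")[1]
    elsewhere = cfg.translate("1.1.1.1", "5.5.5.5")[1]
    return before, after, elsewhere


if __name__ == "__main__":
    for dst in (WXYZ, "203.0.113.140", "192.0.2.1"):
        print("10.10.10.10 ->", dst, THREAD.translate("10.10.10.10", dst))
    print("1.1.1.1 -> 3.3.3.3 before/after re-add, then to 5.5.5.5:", static_order_demo())
```

Case 1 shows the exemption deciding the OP's flow while the same source to another host in the /26 lands on the policy pool and anything else on the regular pool; case 2 shows 2.2.2.2 chosen while the regular static sits first, 3.3.3.3 after it is removed and re-added, and 2.2.2.2 still used for destinations outside the policy ACL. On a real box the reorder only affects new translations: entries already in show xlate keep the old mapping until they time out or are cleared with clear xlate.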

Thanks, that is very helpful. I see later versions (8.3+) allow reordering of these rules. We will be upgrading sometime in the not-too-distant future and then we will have this functionality. Right now, the config is working so I won't risk deleting/readding the rules.

Hi,

Yes, the new software gives you the chance to insert the NAT at a certain spot in the configuration without removing anything. But there are 2 different types of NAT configuration. Manual NAT / Twice NAT is something that you can order manually. Network Object NAT however doesn't give this option but rather changes the order depending on the inserted configuration. Though it still gives you a chance to affect the order a bit.

If you are interested in looking at some basic information about the new 8.3+ NAT format, then have a look at a document I made on the CSC about it:

https://supportforums.cisco.com/docs/DOC-31116

- Jouni
