06-18-2013 10:01 AM - edited 03-11-2019 06:59 PM
Hi all,
In a case where my pre-8.3 NAT rules are as follows, where I am NATing source IPs to their original IPs to get communication going between these various DMZs:
static (INSIDE,DMZ1) 10.10.0.0 10.10.0.0 netmask 255.255.255.0
static (INSIDE,DMZ2) 10.10.0.0 10.10.0.0 netmask 255.255.255.0
How do I build the NAT rule if I have multiple instances of the source IPs? Is this the proper method?
object network obj-10.10.0.0
subnet 10.10.0.0 255.255.255.0
nat (Inside,DMZ1) static obj-10.10.0.0
nat (Inside,DMZ2) after-auto 1 source static obj-172.30.10.0 obj-172.30.10.0 no-proxy-arp
06-18-2013 10:17 AM
Hi,
In the new software levels 8.3+, if you don't specifically want to NAT connections between your local interfaces, then you can LEAVE OUT all NAT configurations between them.
There is no more "nat-control" so NO NAT is required between the different interfaces and networks behind them unless you specifically want to.
Naturally, if you have for some reason Dynamic NAT/PAT configurations between local interfaces that accept any source IP address/network, then you might need a Static Identity NAT such as you mention above with the old NAT format.
So unless you specifically need to NAT something between interfaces, or you need to override some other rule between the local interfaces, then you simply don't need to configure NAT.
- Jouni
06-18-2013 11:00 AM
Thanks, JouniForss. So even with different security levels, communication can still occur between different interfaces as long as there's an access-list to allow it?
06-18-2013 11:11 AM
Hi,
Traffic will go through the interfaces even without NAT configurations provided that the traffic is allowed. If you only have "security-level" configurations handling that then naturally traffic can go from HIGHER to LOWER "security-level" interfaces. If you have allowed the traffic with ACL then connections can be formed in either direction.
In the very basic (and very complex) firewall configurations I don't really configure NAT between the local LAN and DMZ interfaces. The most common places where you would be configuring NAT are towards the WAN interface of the ASA and, if you happen to have one, some DMZ interface that leads to a 3rd party network.
So let's say you have the following
Then if you want to have
Then you could simply configure this
The below configuration would handle Dynamic PAT for all of your local networks
object-group DEFAULT-PAT-SOURCE
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
nat (any,wan) after-auto source dynamic DEFAULT-PAT-SOURCE interface
The below configuration would create 2 Static NAT configurations. 1 for each DMZ
object network WEB
host 192.168.10.10
nat (dmz-1,wan) static 1.1.1.1
object network MAIL
host 192.168.20.20
nat (dmz-2,wan) static 1.1.1.2
Now, provided you don't want any NAT between your local interfaces (LANs and DMZs), then you could simply just use the above NAT configurations. The local interfaces/networks could connect to each other without any NAT configurations. The main deciding factor would be the interface ACLs.
Hope this helps
Please do mark the reply as the correct answer if it answered your question.
Naturally ask more if needed
- Jouni
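To make the evaluation order behind the two answers above concrete, here is a small Python model of how an ASA running 8.3+ walks its NAT table (Section 1 manual NAT, Section 2 object NAT, Section 3 manual NAT after-auto) for a new connection's source address. It is an added illustration written for this thread, not Cisco code and not Jouni's or the original poster's configuration. It loads the WEB/MAIL object NAT rules and the DEFAULT-PAT-SOURCE after-auto rule from the answer, and then reproduces the caveat from the earlier reply: a broad dynamic rule between local interfaces would catch LAN-to-DMZ traffic until an identity rule in Section 1 overrides it. Assumptions: the interface IP addresses (10.10.10.1, 192.168.10.1, 192.168.20.1 and 203.0.113.1 on wan), the hypothetical extra rule `nat (inside,any) after-auto source dynamic ... interface`, and the simplification that rules inside one section are matched in configuration order (the real ASA additionally orders Section 2 by static-before-dynamic and longest prefix, which does not change these results).

```python
"""Toy model of ASA 8.3+ NAT evaluation order (constructed illustration, not Cisco code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    section: int            # 1 = manual NAT, 2 = object (auto) NAT, 3 = manual NAT after-auto
    src_if: str             # real (ingress) interface; 'any' matches every interface
    dst_if: str             # mapped (egress) interface; 'any' matches every interface
    real_src: List[str]     # CIDRs of the real source addresses (a network object or object-group)
    mapped: Optional[str]   # None = identity NAT, 'interface' = PAT to the egress IP, else a mapped IP/CIDR
    kind: str               # 'static' or 'dynamic'


@dataclass
class Asa:
    if_addrs: dict                           # interface name -> interface IP (assumed values, used for PAT)
    rules: List[NatRule] = field(default_factory=list)

    def nat(self, section, src_if, dst_if, real_src, mapped, kind):
        self.rules.append(NatRule(section, src_if, dst_if, list(real_src), mapped, kind))

    def lookup(self, src_ip: str, src_if: str, dst_if: str) -> Tuple[str, str]:
        """Return (action, mapped_source) for a connection entering src_if and leaving dst_if.

        Sections are consulted 1, 2, 3 and the first matching rule wins. Simplification:
        within a section this model uses configuration order.
        """
        ip = ip_address(src_ip)
        for section in (1, 2, 3):
            for r in self.rules:
                if r.section != section:
                    continue
                if r.src_if not in ('any', src_if) or r.dst_if not in ('any', dst_if):
                    continue
                net = next((n for n in r.real_src if ip in ip_network(n)), None)
                if net is None:
                    continue
                if r.mapped is None:
                    return ('identity', src_ip)                 # identity NAT: address kept as-is
                if r.mapped == 'interface':
                    return ('pat', self.if_addrs[dst_if])       # dynamic PAT behind the egress interface
                if r.kind == 'static':
                    # one-to-one: keep the host's offset inside the mapped network
                    real_net, mapped_net = ip_network(net), ip_network(r.mapped)
                    offset = int(ip) - int(real_net.network_address)
                    return ('static', str(mapped_net.network_address + offset))
                return ('dynamic', str(ip_network(r.mapped)[0]))  # dynamic NAT: first pool address shown
        # No rule matched: 8.3+ has no nat-control, so the packet is forwarded untranslated
        # and only the interface ACLs decide whether it passes.
        return ('no-nat', src_ip)


def build_answer_config() -> Asa:
    """The 8.3+ NAT rules from the answer above; interface IPs are assumed for the model."""
    asa = Asa(if_addrs={'inside': '10.10.10.1', 'dmz-1': '192.168.10.1',
                        'dmz-2': '192.168.20.1', 'wan': '203.0.113.1'})
    # object network WEB / host 192.168.10.10 / nat (dmz-1,wan) static 1.1.1.1
    asa.nat(2, 'dmz-1', 'wan', ['192.168.10.10/32'], '1.1.1.1', 'static')
    # object network MAIL / host 192.168.20.20 / nat (dmz-2,wan) static 1.1.1.2
    asa.nat(2, 'dmz-2', 'wan', ['192.168.20.20/32'], '1.1.1.2', 'static')
    # nat (any,wan) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    asa.nat(3, 'any', 'wan', ['10.10.10.0/24', '10.10.20.0/24',
                              '192.168.10.0/24', '192.168.20.0/24'], 'interface', 'dynamic')
    return asa


def identity_nat_caveat() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """A broad dynamic rule between local interfaces catches LAN->DMZ traffic until an
    identity rule placed earlier (Section 1) overrides it. Returns (before, after)."""
    asa = build_answer_config()
    # hypothetical extra rule: nat (inside,any) after-auto source dynamic LAN interface
    asa.nat(3, 'inside', 'any', ['10.10.10.0/24'], 'interface', 'dynamic')
    before = asa.lookup('10.10.10.5', 'inside', 'dmz-1')   # now PATed behind dmz-1's own IP
    # fix: nat (inside,dmz-1) source static LAN LAN  (Section 1, evaluated before everything else)
    asa.nat(1, 'inside', 'dmz-1', ['10.10.10.0/24'], None, 'static')
    after = asa.lookup('10.10.10.5', 'inside', 'dmz-1')
    return before, after


if __name__ == '__main__':
    asa = build_answer_config()
    for src, sif, dif in [('10.10.10.5', 'inside', 'dmz-1'), ('10.10.10.5', 'inside', 'wan'),
                          ('192.168.10.10', 'dmz-1', 'wan'), ('192.168.10.50', 'dmz-1', 'wan')]:
        print(f'{src} {sif}->{dif}: {asa.lookup(src, sif, dif)}')
    print('caveat (before, after identity rule):', identity_nat_caveat())
```

Running it shows the points made in the thread: inside-to-dmz-1 traffic matches no rule and leaves untranslated, the same host going to wan is PATed behind the wan address, the WEB host gets its Section 2 static mapping before the Section 3 PAT rule is even consulted, and an unrelated dmz-1 host falls through to the PAT rule. The caveat function shows why an identity NAT was needed in the old format and why, if you ever add a catch-all dynamic rule in 8.3+, the identity rule must sit in Section 1 to win.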
06-18-2013 11:16 AM
Ahh awesome. Thanks.