Solved: NAT statement question

jjoseph01 · ‎01-07-2013

Hi all. I have a nat question for everyone to help me understand some syntax. I have the following example and then my question:

Example: nat (outside,outside) source dynamic obj-10.10.10.0 interface destination static obj-2.2.2.0 obj-2.2.2.0

Im trying to understand this statement. I cant seem to find an explanation in laymans terms that I fully understand, and Im not loving the new command for a NAT translation. In this example, I have a vpn client that needs access to a public IP address. I used 2.2.2.0 as an example network. I used 10.10.10.0 as the remote-access clients. Can someone explain to me this syntax? It used to be two objects and now its four. I get the 'nat' and '(outside,outside)' commands, but if someone could explain the rest of the commands I would appreciate it very much. Thank you in advance for your help.

Jouni Forss · ‎01-07-2013

Hi,

The above NAT configuration would achieve the following

It would do NAT for traffic entering and leaving the "outside" interface
- It would also require the configuration "same-security-traffic permit intra-interface" for the traffic to go out the same interface it arrived from.
It will PAT the traffic for source addresses in "obj-10.10.10.0" to the "outside" interface IP address
It will do the above ONLY WHEN the destination address is "obj-2.2.2.0"
- The "obj-2.0.0.0" is listed twice because you could NAT the destination also. In this case because its the same object twice, no NAT will be done for the destination. It stayst the same

This would seem like a NAT for VPN Client users to be able to access the Internet through the Firewall/VPN device they are connected to. Which would probably also mean that the VPN Client type is Full Tunnel instead of Split tunnel. (EDIT: Now that I think of it this wouldnt necesarily be the case )

Please rate if the information was helpfull and/or ask more questions

- Jouni

View solution in original post

jjoseph01 · ‎01-07-2013

By the way, as Im sure you all know, this is the ASA 8.3 code oand later.

Jouni Forss · ‎01-07-2013

Hi,

The above NAT configuration would achieve the following

It would do NAT for traffic entering and leaving the "outside" interface
- It would also require the configuration "same-security-traffic permit intra-interface" for the traffic to go out the same interface it arrived from.
It will PAT the traffic for source addresses in "obj-10.10.10.0" to the "outside" interface IP address
It will do the above ONLY WHEN the destination address is "obj-2.2.2.0"
- The "obj-2.0.0.0" is listed twice because you could NAT the destination also. In this case because its the same object twice, no NAT will be done for the destination. It stayst the same

This would seem like a NAT for VPN Client users to be able to access the Internet through the Firewall/VPN device they are connected to. Which would probably also mean that the VPN Client type is Full Tunnel instead of Split tunnel. (EDIT: Now that I think of it this wouldnt necesarily be the case )

Please rate if the information was helpfull and/or ask more questions

- Jouni

jjoseph01 · ‎01-07-2013

Awesome answer, and I fully understand it now. Thank you. So, I have another two questions concerning this.

1. Is this called "twice NAT" or "network object NAT"?

2. If the destinationA is different than destinationB, is that what "twice NAT" is?

3. If its destinationA is the same as destinationB, is that what "network object NAT" is?

Thanks again for your help.

Jouni Forss · ‎01-07-2013

And to further clarify the meaning of the syntax refer to the below configuration

nat (inside,outside) source static LAN-LOCAL LAN-NATTED destination static REMOTE-NATTED REMOTE-LOCAL

Where

LAN-LOCAL would be an object/object-group containing the IP addresses that are local and in other words NOT NAT addresses
LAN-NATTED would be an object/object-group containing the IP addresses that LAN-LOCAL are NATed to
REMOTE-NATTED would be an object/object-group containing NATed IP addresses for the real IP addresses contained in REMOTE-LOCAL

Now as you can see the above has a "source static" start instead of your above "source dynamic". In the case of "source static" the host/network address contained in LAN-LOCAL would be NATed to a another NAT host/network address 1:1.

While in the case of "source dynamic" your source object LAN-LOCAL addresses would probably be NATed to either interface IP address using the "interface" parameter or you might aswell use an object to define the IP address or even IP address pool/range to which the source addresses are PATed / NATed to.

- Jouni

Jouni Forss · ‎01-07-2013

And the actual answer to your second question.

Yes, the above NAT is Twice NAT. Is belongs to the NAT rules that are gone through first by the ASA

And Example of Object NAT could be

object network DEFAULT-PAT

subnet 10.10.10.0 255.255.255.0

nat (inside,outside) dynamic interface

Where

DEFAULT-PAT is a descriptive name of the objects purpose
"subnet" defines the network under object and also in this case the source address for the NAT
"nat" defines the actual NAT
- source interrface
- destination interface
- NAT type (static/dynamic)
- IP address (or "interface" if used)

objec network STATIC

host 10.10.10.100

nat (inside,outside) static 1.2.3.4 dns

DEFAULT-PAT is a descriptive name of the objects purpose
"host" defines the host IP address under object and also in this case the source address for the NAT
"nat" defines the actual NAT
- source interrface
- destination interface
- NAT type (static/dynamic)
- IP address (or "interface" if used)
- "dns" enabled the users from the local LAN (10.10.10.x/yy) to connect to the this local host using the public DNS name provided the ASA can see their DNS query.

Notice that "object network" can only contain ONE host/subnet/range

I would therefore suggest using "object-group" while configuring Default PAT for your LAN networks

object-group network DEFAULT-PAT-SOURCE

description Source Networks for PAT

network-object 10.10.10.0 255.255.255.0

network-object 10.10.20.0 255.255.255.0

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Where

DEFAULT-PAT-SOURCE "object-group" defines the source addresses for the PAT configuration. If you configure a new LAN network you can just add the network under the "object-group" and it will be set for Default PAT.
"after-auto" moves the NAT rule to Section 3 which in other words means the last rules to be gone through by the ASA when checking for suitable translation for the traffic

Hopefully the above clarified the situation a bit. The new NAT format can be pain in the start. I got to admit while its easier now for me personally I still miss the simplicity of the old NAT in certain cases/enviroments.

Don't be afraid to rate if the information was helpfull

I must have consumed too much coffee again when I look how much I wrote again

- Jouni

Jouni Forss · ‎01-07-2013

Oh and forgot to copy/past this

It describes the order of NAT rules in the new software 8.3 and above

NAT Rule Order

Network object NAT rules and twice NAT rules are stored in a single table that is divided into three sections. Section 1 rules are applied first, then section 2, and finally section 3. Table 27-1 shows the order of rules within each section.

Table 27-1 NAT Rule Table
Table Section	Rule Type	Order of Rules within the Section
Section 1	Twice NAT	Applied on a first match basis, in the order they appear in the configuration. By default, twice NAT rules are added to section 1. Note If you configure VPN, the client dynamically adds invisible NAT rules to the end of this section. Be sure that you do not configure a twice NAT rule in this section that might match your VPN traffic, instead of matching the invisible rule. If VPN does not work due to NAT failure, consider adding twice NAT rules to section 3 instead.
Section 2	Network object NAT	Section 2 rules are applied in the following order, as automatically determined by the adaptive security appliance: 1. Static rules. 2. Dynamic rules. Within each rule type, the following ordering guidelines are used: a. Quantity of real IP addresses—From smallest to largest. For example, an object with one address will be assessed before an object with 10 addresses. b. For quantities that are the same, then the IP address number is used, from lowest to highest. For example, 10.1.1.0 is assessed before 11.1.1.0. c. If the same IP address is used, then the name of the network object is used, in alphabetical order. For example, abracadabra is assessed before catwoman.
Section 3	Twice NAT	Section 3 rules are applied on a first match basis, in the order they appear in the configuration. You can specify whether to add a twice NAT rule to section 3 when you add the rule.

For section 2 rules for example, you have the following IP addresses defined within network objects:

192.168.1.0/24 (static)

192.168.1.0/24 (dynamic)

10.1.1.0/24 (static)

192.168.1.1/32 (static)

172.16.1.0/24 (dynamic) (object def)

172.16.1.0/24 (dynamic) (object abc)

The resultant ordering would be:

192.168.1.1/32 (static)

10.1.1.0/24 (static)

192.168.1.0/24 (static)

172.16.1.0/24 (dynamic) (object abc)

172.16.1.0/24 (dynamic) (object def)

192.168.1.0/24 (dynamic)

Link to ths ource document (Configuration Guide for software 8.3)

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1118157

- Jouni

jjoseph01 · ‎01-07-2013

Ok, quick question on that. I like this example:

nat (inside,outside) source static LAN-LOCAL LAN-NATTED destination static REMOTE-NATTED REMOTE-LOCAL

But one last question here. On the REMOTE-NATTED REMOTE-LOCAL, Im guessing that is not backwards but really the syntax. I just notice that on the LAN-LOCAL LAN-NATTED, its vice versa. Is that correct? Thats a little confusing.

Jouni Forss · ‎01-07-2013

Hi,

Yes that is the order always

You can check this by simply starting to write the command on your ASA command line interface and using "?" after each parameter and the ASA will give a little description of the available configurations possibilities

For example if I try to enter that NAT configuration to my own ASA in and check the "?" help in between the parameters

First Object/Object-group

ASA(config)# nat (LAN,WAN) source static ?

configure mode commands/options:

WORD Specify object or object-group name for real source

Second Object/Object-group

ASA(config)# nat (LAN,WAN) source static LAN-LOCAL ?

configure mode commands/options:

WORD Specify object or object-group name for mapped source

Third Object/Object-group

ASA(config)# nat (LAN,WAN) source static LAN-LOCAL LAN-NATTED destination static ?

configure mode commands/options:

WORD Specify object or object-group name for mapped destination

Fourth Object/Object-group

ASA(config)# nat (LAN,WAN) source static LAN-LOCAL LAN-NATTED destination static REMOTE-NATTED ?

configure mode commands/options:

WORD Specify object or object-group name for real destination

I got to admit that I VERY RARELY use NAT for the destination networks. Usually there is only need to define NAT for the source address/addresses in the first object/object-group and in that case the identical objects/object-groups in the destination just tell for what destination networks the NAT should be performed. In that case it behaves pretty much like the 8.2 and below softwares Policy NAT (defines source and destination network pairs for which the NAT/PAT in question needs to be performed)

- Jouni

jjoseph01 · ‎01-07-2013

Thank you Jouni. Excellent info you have given. I have certainly learned something today.