05-04-2012 08:38 AM - edited 03-11-2019 04:02 PM
I have the following code on an ASA5500 pair with very down-level code, 7.1.2.
Here is a snippet of the ruleset:
interface GigabitEthernet0/1.40
description Production Servers Network
vlan 40
nameif Production
security-level 40
ip address 172.20.0.1 255.255.0.0 standby 172.20.0.2
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0
nat (Production) 0 access-list no-nat
Am I correct in believing all traffic sourced from the 192.168.3.0 and 172.20.0.0 networks coming in via the Production interface will NOT be NATed?
My next question is will that traffic be routed through that interface Production using the original IP addresses, or will that traffic NOT be routed anywhere?
I don't want that traffic to be routed, but am concerned since these access list commands permit IP traffic between the networks, this traffic will be routed.
05-04-2012 09:19 AM
Hi Paul,
As you already said the traffic matched by the access-list will not be NATed, so this means that it will pass without any IP source change.
Depending on your routing table and also on your access-list, that traffic will be routed and permitted.
If you have an access-list applied on the Production interface that allows hosts from 192.168.3.0/24 to access 192.168.20.0/24 and 172.20.0.0/16 to access 192.168.20.0/24, then the destination of the packet will be checked in the routing table.
So this access-list will only allow traffic to pass without doing source nat to it.
Dan
05-04-2012 09:20 AM
You are right on your first question.
The traffic will flow with the real IP coming from the source networks located behind the interface called Production to the destination network 192.168.20.0/24. Routing will always need to be done in order to be able to get to the destination. And the destination network needs to know how to get to the source addresses.
Is this clear?
05-04-2012 11:08 AM
Thanks for responses, but they confuse me more.
It is not your answers causing my confusion, but the firewall rules I am trying to apply to this.
From what you are saying, traffic WILL flow from the 192.168.3.0 network to the 192.168.20.0 network, flowing through the Production interface. It won't be NATed, but it will route because the access list explicitly allows IP traffic sourced from the 192.168.3.0 network to reach the 192.168.20.0 network.
However, this is not what is currently happening in the networks, as far as I have been told.
Let me add more lines of code to the problem, and give my interpretation, and you can tell me where I am going wrong.
1. There is no access list explicitly associated with the Production interface, as can be seen through the definition in my first post.
2. More complete code:
object-group network network_vpn
description VPN IP's
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip object-group network_vpn 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip object-group network_vpn 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip 192.168.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (Production) 0 access-list no-nat
nat (Production) 0 access-list Production_nat0_inbound outside
nat (Production) 1 172.20.0.0 255.255.0.0
Use the 3rd last line in the access-list no-nat commands as an example.
As I envision this, if I have a network sourced as 192.168.3.0, coming in through the Production interface, IP traffic can reach the 172.20.0.0 network, albeit not NATed but with the original IP addresses, assuming routing is configured between these networks? I guess my related question would be: is routing not implicitly turned on between these networks?
3. Also, I think several lines of this access rule are redundant, given the network object covers the 192.168.2.0 and 192.168.3.0 networks.
05-04-2012 12:58 PM
Paul ,
1) please post: show run access-group
2) Let's take "nat (Production) 0 access-list no-nat"
this nat command will:
- match the source and destination on the access-list
- match the packets sourced from Production with the source that appears in the acl
In my opinion I do not think that your acl lines will be matched by this nat exemption, because 192.168.3.0 or 192.168.2.0 are not behind the Production interface - please correct me if I'm wrong. If this is the case then I believe that the only line that makes sense in the acl is ip 172.20.0.0 255.255.0.0 192.168.0.0.
This has nothing to do with the acl applied on the interface for filtering purposes.
Dan
05-04-2012 01:28 PM
Hi Dan:
I have requested the output of that command.
In the meantime, I guess a very fundamental question I still have is this:
In general terms, if a packet encounters a "nat 0" access list on an interface, and it meets the conditions you described in point #2 above, I know it won't NAT, but will it route using the permit rules in the access list?
Paul
05-04-2012 01:34 PM
Paul ,
Without any doubt the permission will be checked against the access-list applied (in or out direction, depending on the direction and interface applied).
If for example you have an acl applied in the in direction of the Production interface denying all the traffic that you exempt from nat, it will for sure be dropped and the nat exemption will not matter.
Dan
05-07-2012 07:29 AM
Hi Dan:
This is the result of the show run access-group command.
FW02# show run access-group
access-group Primary_Public_access_in_tmp in interface Primary_Public
access-group FW_LANx_in in interface LANx
access-group FW_VPN_Touchdown_in in interface FW_VPN_Touchdown
I know for certain that the FW_VPN_Touchdown is no longer in use.
Is the purpose of this command to show only the access lists that are tied to an interface?
If so, I am even more confused, as the access list no-nat then does not appear to be used.
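As an added example (not code from this thread or from Cisco), the following Python script parses the object-group, access-list, nat 0 and access-group lines quoted above and works through the three points the thread raises: which no-nat lines can match a packet whose source actually sits behind Production (taken as the connected network 172.20.0.0/16 from the interface definition in the first post), which no-nat lines are redundant, and why no-nat does not appear in show run access-group (it is referenced by the nat command, not by an access-group, so it exempts from NAT but never decides permission). The connected-network assumption, the greedy widest-first redundancy check and all helper names are mine, not ASA behaviour documented on the page.

```python
"""Work through the nat 0 / access-list questions in this thread.

Added example, not from the thread or from Cisco. Parses the quoted config
lines and reports which no-nat lines can match traffic from behind Production,
which are redundant, and which ACLs filter (access-group) vs exempt (nat 0).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]

# Constructed input: only the lines quoted in the thread, nothing else.
CONFIG = """
object-group network network_vpn
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip object-group network_vpn 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip object-group network_vpn 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip 192.168.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (Production) 0 access-list no-nat
access-group Primary_Public_access_in_tmp in interface Primary_Public
access-group FW_LANx_in in interface LANx
access-group FW_VPN_Touchdown_in in interface FW_VPN_Touchdown
"""
# Assumption: the only sources entering on Production are its connected network
# (ip address 172.20.0.1 255.255.0.0 in the first post).
PRODUCTION_NET = ipaddress.ip_network("172.20.0.0/16")


def _operand(tok: List[str], groups: Dict[str, List[Net]]):
    """Parse one ACL address operand: 'object-group NAME' or 'ADDR MASK'."""
    if tok[0] == "object-group":
        return groups[tok[1]], tok[2:]
    return [ipaddress.ip_network(f"{tok[0]}/{tok[1]}")], tok[2:]


def parse_config(text: str) -> dict:
    groups: Dict[str, List[Net]] = {}
    acls: Dict[str, List[List[Pair]]] = {}   # ACL name -> lines -> (src, dst) pairs
    nat0: Dict[str, str] = {}                # interface -> ACL named by 'nat (if) 0 access-list'
    access_groups: Dict[str, str] = {}       # interface -> ACL applied with access-group
    group = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            group = tok[2]
            groups[group] = []
        elif tok[0] == "network-object" and group:
            groups[group].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, rest = _operand(tok[5:], groups)
            dst, _ = _operand(rest, groups)
            acls.setdefault(tok[1], []).append([(s, d) for s in src for d in dst])
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            nat0[tok[1].strip("()")] = tok[4]
        elif tok[0] == "access-group":
            access_groups[tok[4]] = tok[1]
    return {"groups": groups, "acls": acls, "nat0": nat0, "access_groups": access_groups}


def lines_sourced_behind(cfg: dict, acl: str, iface_net: Net) -> List[int]:
    """1-based ACL lines whose source overlaps the interface's connected network;
    nat 0 on that interface only sees packets from that side."""
    return [i for i, pairs in enumerate(cfg["acls"][acl], 1)
            if any(s.overlaps(iface_net) for s, _ in pairs)]


def redundant_lines(cfg: dict, acl: str, only: Optional[List[int]] = None) -> List[int]:
    """Greedy widest-first cover: a line is redundant when every one of its
    src/dst pairs is contained in a pair of a line already kept."""
    lines = [(i, p) for i, p in enumerate(cfg["acls"][acl], 1) if only is None or i in only]
    lines.sort(key=lambda ip: sum(s.num_addresses * d.num_addresses for s, d in ip[1]),
               reverse=True)
    kept: List[Pair] = []
    redundant: List[int] = []
    for i, pairs in lines:
        if all(any(s.subnet_of(ks) and d.subnet_of(kd) for ks, kd in kept) for s, d in pairs):
            redundant.append(i)
        else:
            kept.extend(pairs)
    return sorted(redundant)


def acl_roles(cfg: dict) -> Dict[str, List[str]]:
    """How each ACL is referenced: 'filter:<iface>' (access-group) or 'nat0:<iface>'.
    'show run access-group' lists only the former, which is why no-nat is absent there."""
    roles: Dict[str, List[str]] = {name: [] for name in cfg["acls"]}
    for iface, name in cfg["access_groups"].items():
        roles.setdefault(name, []).append(f"filter:{iface}")
    for iface, name in cfg["nat0"].items():
        roles.setdefault(name, []).append(f"nat0:{iface}")
    return roles


def evaluate(cfg: dict, iface: str, src: str, dst: str) -> dict:
    """Two independent answers for a packet entering on `iface`: is it exempt from
    NAT (nat 0 ACL match), and which ACL, if any, decides whether it is permitted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = cfg["nat0"].get(iface)
    exempt = acl is not None and any(s in sn and d in dn
                                     for pairs in cfg["acls"][acl] for sn, dn in pairs)
    return {"nat_exempt": exempt, "filter_acl": cfg["access_groups"].get(iface)}


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    behind = lines_sourced_behind(cfg, "no-nat", PRODUCTION_NET)
    print("no-nat lines usable from Production:", behind)
    print("of those, redundant:", redundant_lines(cfg, "no-nat", behind))
    print("redundant in the whole ACL:", redundant_lines(cfg, "no-nat"))
    print("ACL roles:", acl_roles(cfg))
    print("172.20.1.10 -> 192.168.20.5 on Production:",
          evaluate(cfg, "Production", "172.20.1.10", "192.168.20.5"))
```

Run as-is, the script reports that only lines 4, 7 and 9 of no-nat have a source behind Production, that lines 4 and 9 are covered by line 7 (172.20.0.0/16 to 192.168.0.0/16), and that no-nat is referenced only as nat0:Production while the three access-group ACLs are the only filtering ACLs; evaluate() returns nat_exempt=True with filter_acl=None for a Production-sourced packet, which is the separation Dan describes: exemption and permission are decided by different ACLs.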