Overcoming Identity NAT in 8.3

jpaykoc2910
Level 1

Forum,

I'm working on a large deployment with multiple ASA interfaces with numerous subnets behind each interface.  The subnets are not contiguous.  The problem we have had in the past is that in order to traverse ASA interfaces with the NAT untouched, we need to create identity NATs everywhere (over 500 statements on a single firewall).  Cisco sales suggested we try this command to avoid this:

nat (any,any) after-auto source static any any description Identity NAT

But when it is enabled the ASA doesn't perform NAT on any interface, even outbound (we want to apply a global IP outbound with our global pool).  I do a show xlate global 67.10.10.10 and no translations show up.  After I disable the above command with

no nat (any,any) after-auto source static any any description Identity NAT

I see entries in the XLATE table.  On the outside device (router at 8.8.8.1) I confirm this by doing a show user to see what IP is telnetted through the far end.


Does anyone have any other suggestions on how to avoid creating these numerous identity NAT statements with 8.3?

Here is an example of 8.2 identity NAT for reference.

static (inside,DMZ1) 10.60.2.0 10.60.2.0 netmask 255.255.255.0
static (inside,DMZ2) 10.60.3.0 10.60.3.0 netmask 255.255.255.0
static (inside,DMZ3) 10.60.4.0 10.60.4.0 netmask 255.255.255.0

Here is the snippet of my test lab config running 8.3.

(config)# show run
: Saved
:
ASA Version 8.3(2)
!
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.16.1.80 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.80.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time PDT recurring
dns domain-lookup outside
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list ACL_CUST_OUTSIDE extended permit icmp any any
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap notifications
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic 67.10.10.10
nat (any,any) after-auto source static any any description Identity NAT
access-group ACL_CUST_OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
route inside 10.0.0.0 255.0.0.0 10.10.80.2 1

Accepted Solution

mirober2
Cisco Employee

Hello,

Can you clarify your requirements for this setup? If I understand your post correctly, you want to do a dynamic PAT for all hosts on the inside interface when they go out the outside interface, but no other traffic should be translated. Is that correct?

If that is what you're trying to do, there is no need to setup any identity NAT. There is no concept of NAT control in 8.3 like there was in 8.2, so if traffic does not match a NAT rule, it will not be translated and should be allowed as long as the rest of your security policy allows it as well.

Therefore, you just need to use the dynamic PAT statement and any traffic that does not match that rule will automatically not be translated.

Hope that helps.

-Mike


3 Replies


To add to Mike's comments:

Given what you stated about having to employ many NAT rules, and having lots of firewall interfaces, I'm assuming that you have two requirements for this NAT setup:

1) Don't translate any traffic that is destined to any internal network, regardless of the interface (this is what required lots of static lines in previous versions)

2) Translate all traffic going out the outside interface using PAT to a particular global IP address

The problem you were facing before is that the object-nat statement you had said "translate all traffic going out the outside interface to the global IP address" and all traffic going out the outside interface hit that rule. If you had other interfaces on this test firewall, traffic would have traversed those interfaces with no problems, and with no translation, like Mike said. A possible approach you could take is this:

object network obj_any
 subnet 0.0.0.0 0.0.0.0
!
object network obj-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
object network obj-172.16.0.0
 subnet 172.16.0.0 255.240.0.0
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.0.0
!
object-group network private-networks
 network-object object obj-172.16.0.0
 network-object object obj-10.0.0.0
 network-object object obj-192.168.0.0
!
nat (any,any) source static private-networks private-networks destination static private-networks private-networks
!
object network obj_any
 nat (inside,outside) dynamic interface

This first nat rule "nat (any,any)" makes the firewall NOT translate any traffic sourced from and destined to the private-networks listed in the private-networks object group. You could add subnets to this object group selectively. This rule will match all traffic sent and received between internal subnets, regardless of the interfaces on the firewall that the traffic is traversing. Any traffic that doesn't match rule 1 must be traffic destined to IPs that aren't in your organization, and will fall down and *could* hit rule two:

The second nat rule (the auto nat rule) specifies that any traffic sourced from the inside network, destined to any host on the outside should be translated to the outside interface ip address. You could also make that rule look like this:

object network obj_any
nat (any,outside) dynamic interface

This would have the effect of ensuring that when any host accessed an IP address on the outside interface that was *NOT* a private address (due to rule #1), the traffic would be translated to the outside interface IP address.
You can use the 'show nat detail' command to view the ordering of the NAT table, and the hits on the translations:

ciscoasa(config)# show nat detail
Manual NAT Policies (Section 1)
1 (any) to (any) source static private-networks private-networks destination static private-networks private-networks
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16, Translated: 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16
    Destination - Origin: 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16, Translated: 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: 14.36.103.9/16
ciscoasa(config)#
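To make the lookup order described in this reply concrete, here is a small Python model of the 8.3 NAT table. It is an added example, not Cisco code and not something from the original thread: it walks rules in section order (1 = manual NAT, 2 = auto/object NAT, 3 = manual after-auto), applies the first match, and passes anything unmatched through untranslated, which is the "no NAT control" behaviour Mike describes. It is deliberately simplified (the finer ordering the ASA applies inside the auto NAT section, such as static before dynamic and longest prefix first, is not modelled). The DMZ1 hosts, the 8.8.8.1 destination and the outside interface address 172.16.1.80 are taken or constructed from the question's config; the rule labels are my own.

```python
"""Model of ASA 8.3 NAT table evaluation (added example, not Cisco code).

Assumption: only section order (1 manual, 2 auto, 3 after-auto) and
first-match-wins are modelled; intra-section ordering of auto NAT is ignored.
"""
import ipaddress
from dataclasses import dataclass


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# The private-networks object-group from the reply, and obj_any / "any".
PRIVATE = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ANY = nets("0.0.0.0/0")


@dataclass
class NatRule:
    section: int      # 1 manual, 2 auto (object NAT), 3 manual after-auto
    label: str        # constructed name used in the output
    src_ifc: str      # "any" or a nameif
    dst_ifc: str
    src_nets: list
    dst_nets: list
    action: str       # "identity" (keep source) or "pat-interface" (PAT to egress IP)
    translate_hits: int = 0


def _ifc_ok(rule_ifc, ifc):
    return rule_ifc == "any" or rule_ifc == ifc


def _in(ip, networks):
    return any(ip in n for n in networks)


def lookup(rules, ifc_ips, src_ifc, src_ip, dst_ifc, dst_ip):
    """Return (rule label, translated source IP) for a new connection.

    Sections are consulted in order (stable sort keeps the configured order
    inside a section); the first matching rule wins and its hit counter is
    bumped, like translate_hits in 'show nat detail'. With no match the
    packet is forwarded untranslated: 8.3 has no NAT control.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.section):
        if (_ifc_ok(rule.src_ifc, src_ifc) and _ifc_ok(rule.dst_ifc, dst_ifc)
                and _in(src, rule.src_nets) and _in(dst, rule.dst_nets)):
            rule.translate_hits += 1
            if rule.action == "identity":
                return rule.label, str(src)
            if rule.action == "pat-interface":
                return rule.label, ifc_ips[dst_ifc]
            raise ValueError(f"unknown action {rule.action}")
    return None, str(src)


def build_table(pat_src_ifc="inside"):
    """NAT table from the reply: a section-1 identity rule for private<->private
    traffic and a section-2 object NAT 'nat (<pat_src_ifc>,outside) dynamic interface'."""
    return [
        NatRule(1, "manual identity private-networks", "any", "any",
                PRIVATE, PRIVATE, "identity"),
        NatRule(2, f"obj_any ({pat_src_ifc},outside) dynamic interface",
                pat_src_ifc, "outside", ANY, ANY, "pat-interface"),
    ]


IFC_IPS = {"outside": "172.16.1.80"}   # outside address from the lab config above


def demo():
    """Constructed flows: inside/DMZ1 hosts from the 8.2 example, 8.8.8.1 as the far end."""
    results = {}
    table = build_table("inside")
    results["inside->DMZ1"] = lookup(table, IFC_IPS, "inside", "10.60.2.10", "DMZ1", "10.60.3.10")
    results["inside->internet"] = lookup(table, IFC_IPS, "inside", "10.60.2.10", "outside", "8.8.8.1")
    # With (inside,outside) a DMZ host bound for the internet matches nothing and leaves untranslated.
    results["DMZ1->internet (inside,outside)"] = lookup(table, IFC_IPS, "DMZ1", "10.60.3.10", "outside", "8.8.8.1")
    # The (any,outside) variant from the reply catches that DMZ host as well.
    results["DMZ1->internet (any,outside)"] = lookup(build_table("any"), IFC_IPS, "DMZ1", "10.60.3.10", "outside", "8.8.8.1")
    return results


if __name__ == "__main__":
    for flow, (rule, xlated) in demo().items():
        print(f"{flow:32s} -> {'no NAT rule' if rule is None else rule}: source becomes {xlated}")
```

Running it shows the two properties the reply relies on: private-to-private traffic between any pair of interfaces is caught by the single section-1 rule (one line replacing the hundreds of 8.2 static identity statements), and only traffic that falls through to section 2 is PATed, with the (inside,outside) versus (any,outside) choice deciding whether hosts on other internal interfaces get PATed on the way out.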

Mike,

To summarize the answer, yes, you are correct in your assumptions.  We want to do a dynamic PAT for all hosts on the inside interface when they go out the outside interface, but no other traffic should be translated.

Once I removed the nat (any,any) after-auto source static any any description Identity NAT command, traffic flows through all interfaces that don't need to be NATed natively.  It's built into 8.3 which is very convenient. 

"There is no concept of NAT control in 8.3 like there was in 8.2, so if traffic does not match a NAT rule, it will not be translated and should be allowed as long as the rest of your security policy allows it as well."

