Quick check of Twice NAT understanding..

aLeffingwell
Level 1

Hi All,

I'm working on a project and it's got me wading through miles of manual NAT (twice NAT) statements in an ASA 5510.. I'm looking at these things and going: WHY did this guy use twice NAT with destination?? .. here's a sample:

Manual NAT Policies (Section 1)

1 (Voice) to (outside) source static obj-10.2.100.0 obj-10.2.100.0 destination static obj-10.10.10.0 obj-10.10.10.0

    translate_hits = 864, untranslate_hits = 259907

2 (Inside) to (outside) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-10.10.10.0 obj-10.10.10.0

    translate_hits = 24803, untranslate_hits = 1166570

3 (Inside) to (outside) source static obj-10.132.0.0 obj-10.132.0.0 destination static obj-10.10.10.0 obj-10.10.10.0

    translate_hits = 3160, untranslate_hits = 125382

4 (Inside) to (outside) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-10.1.128.0 obj-10.1.128.0

    translate_hits = 0, untranslate_hits = 0


What I see is a really overly complicated identity NAT.. I can respect wanting to use twice NAT rather than inlining everything with object NAT.. but as for the destination end of things?? Could I not clean most of these up with:

(real_interface) to (mapped_interface) source static obj-somesubnet obj-somesubnet

And call it a day?? Also - we only have two subnets in this office.. so if there were no other translations really taking place but some interface PAT in section 2.. could I not clean this entire table up (assuming our two subnets are: 172.16.0.0/16 and 10.2.100.0/24) with:

(real_int) to (mapped_int) source static obj-172.16.0.0 obj-172.16.0.0

(real_int) to (mapped_int) source static obj-10.2.100.0 obj-10.2.100.0

If I understand correctly - there should be no reason to have multiple destination NAT statements that have the same sources if they're just mapping the destination to itself (even if they are different destinations)??  What would be a scenario when you would want to do that?

What are some other reasons why the previous engineer would've felt the need to do this?? Are there other configuration elements that would translate an address outside of what is in NAT??

I know those are a lot of questions, but I'm very much looking forward to feedback on this!

Kindest Regards,

ALAN
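To see why the destination half of these rules changes which rule a flow hits, here is a small first-match simulator of the table quoted above against the proposed source-only collapse. It is an added example, not code from the post or from Cisco; it assumes the ASA behaviour that section 1 is evaluated before section 2 with the first hit winning, assumes /24 masks for obj-10.10.10.0 and obj-10.1.128.0 and /16 for obj-10.132.0.0 (the post does not give them), and constructs the section 2 interface PAT entries the post only mentions.

```python
import ipaddress

# Constructed model of the NAT table in the post. Masks for obj-10.10.10.0,
# obj-10.132.0.0 and obj-10.1.128.0 are assumed (the post does not give them);
# the section 2 interface PAT entries are assumed from the post's mention of them.
# Rule tuple: (section, real source, real destination or None, action)
ORIGINAL = [
    (1, "10.2.100.0/24", "10.10.10.0/24", "identity"),
    (1, "172.16.0.0/16", "10.10.10.0/24", "identity"),
    (1, "10.132.0.0/16", "10.10.10.0/24", "identity"),
    (1, "172.16.0.0/16", "10.1.128.0/24", "identity"),
    (2, "172.16.0.0/16", None, "pat-interface"),
    (2, "10.2.100.0/24", None, "pat-interface"),
]

# The proposed collapse: source-only identity rules with no destination match.
COLLAPSED = [
    (1, "172.16.0.0/16", None, "identity"),
    (1, "10.2.100.0/24", None, "identity"),
    (2, "172.16.0.0/16", None, "pat-interface"),
    (2, "10.2.100.0/24", None, "pat-interface"),
]

def first_match(rules, src, dst):
    """ASA-style lookup: sections in order, first matching rule wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for section, src_net, dst_net, action in sorted(rules, key=lambda r: r[0]):
        if s not in ipaddress.ip_network(src_net):
            continue
        if dst_net is not None and d not in ipaddress.ip_network(dst_net):
            continue
        return (section, action)
    return (None, "no-nat")

def diverging_flows(flows):
    """Flows that land on a different rule under the two tables."""
    return [f for f in flows
            if first_match(ORIGINAL, *f) != first_match(COLLAPSED, *f)]

FLOWS = [  # constructed sample flows (198.51.100.10 is a TEST-NET-2 address)
    ("172.16.0.5", "10.10.10.5"),     # Inside -> 10.10.10.0 network
    ("172.16.0.5", "198.51.100.10"),  # Inside -> outside host
    ("10.2.100.7", "10.10.10.5"),     # Voice -> 10.10.10.0 network
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, "original:", first_match(ORIGINAL, *f),
              "collapsed:", first_match(COLLAPSED, *f))
    print("diverging:", diverging_flows(FLOWS))
```

With the destination match removed, the section 1 identity rule for 172.16.0.0/16 also catches outside-bound traffic, so the section 2 interface PAT for that subnet is never reached.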
