04-17-2013 12:16 PM - edited 03-11-2019 06:30 PM
Hi All,
I'm working on a project and it's got me wading through miles of manual NAT (twice NAT) statements in an ASA 5510.. I'm looking at these things and going: WHY did this guy use twice NAT with destination?? .. here's a sample:
Manual NAT Policies (Section 1)
1 (Voice) to (outside) source static obj-10.2.100.0 obj-10.2.100.0 destination static obj-10.10.10.0 obj-10.10.10.0
translate_hits = 864, untranslate_hits = 259907
2 (Inside) to (outside) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-10.10.10.0 obj-10.10.10.0
translate_hits = 24803, untranslate_hits = 1166570
3 (Inside) to (outside) source static obj-10.132.0.0 obj-10.132.0.0 destination static obj-10.10.10.0 obj-10.10.10.0
translate_hits = 3160, untranslate_hits = 125382
4 (Inside) to (outside) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-10.1.128.0 obj-10.1.128.0
translate_hits = 0, untranslate_hits = 0
What I see is a really overly complicated identity NAT.. I can respect wanting to use twice NAT rather than inlining everything with object NAT.. but as for the destination end of things?? Could I not clean most of these up with:
(real_interface) to (mapped_interface) source static obj-somesubnet obj-somesubnet
And call it a day?? Also - we only have two subnets in this office.. so if there were no other translations really taking place but some interface PAT in section 2.. could I not clean this entire table up (assuming our two subnets are: 172.16.0.0/16 and 10.2.100.0/24) with:
(real_int) to (mapped_int) source static obj-172.16.0.0 obj-172.16.0.0
(real_int) to (mapped_int) source static obj-10.2.100.0 obj-10.2.100.0
If I understand correctly - there should be no reason to have multiple destination NAT statements that have the same sources if they're just mapping the destination to itself (even if they are different destinations)?? What would be a scenario when you would want to do that?
What are some other reasons why the previous engineer would've felt the need to do this?? Are there other configuration elements that would translate an address outside of what is in NAT??
I know those are a lot of questions, but I'm very much looking forward to feedback on this!
Kindest Regards,
ALAN
04-17-2013 12:24 PM
Hi,
Well the first thing I see there is that the destination section holds a Private network.
This leads me to believe that there is a L2L VPN and/or VPN Client configured on the ASA.
Since all the NAT configurations have destination interface set to "outside" the NAT applies to traffic heading to Internet (In one form or another)
So if you were to remove the destination network what this would basically do is push all your private network traffic to the Internet without translation and needless to say no connection from those networks to Internet would work anymore.
If you DON'T define the destination network, the NAT will apply to ANY destination networks. Therefore the above described situation would happen.
I recently made a NAT 8.3+ document. I am not sure if it would help you at all. I have still to finish it completely and add more specific sections and explanations (like this situation) but have a look if you want
https://supportforums.cisco.com/docs/DOC-31116
- Jouni
04-17-2013 12:34 PM
Wow, cool!! You're really helping my understanding.. gotcha
So - if I did what I proposed since these are manual NAT line 1 - yeah no internet - got it.
And I also see what you're saying, maybe there is site to site traffic to those private networks, that we don't want to translate, so he made the destinations like that to say: Hey ASA - I know we're doing interface PAT in section 2 - but if these internal IP's are destined for these other inside IP's out the outside interface, don't touch!
Right?? I am grateful for these forums to get such great feedback so quickly - thanks again.
I will definitely take a look at your document - have to read tons, NAT is confusing!
Kindest Regards,
ALAN
04-17-2013 12:42 PM
Hi,
If you have configured the NAT in ASA software 8.2 (or older) then you could consider this a form of Policy NAT or NAT0 with ACL.
We define the source and destination networks for which this NAT should apply to. We also define whether or not we want to NAT either source or destination or both networks.
To simplify the format
nat (SOURCE,DESTINATION) source static REAL-SOURCE MAPPED-SOURCE destination static DESTINATION-MAPPED DESTINATION-REAL
We define
Don't hesitate to ask more. I will try to answer if I can.
If this already answered your question then please mark the question as answered. That's the only thing I personally ask for spending my time here, provided I give a good enough answer of course.
- Jouni
04-17-2013 12:46 PM
Haha, well despite my rather jumbled response, you did answer my question and most importantly gave me the logic behind these statements. This is very cool because now I can see there are a ton of private networks we're connected to that I need to understand more!
If you answer one more question for me I'll mark it correct - how do I clear the counters in the translate_hits and untranslate_hits.. I want to clear them and see which of these remote networks really get hit THESE DAYS over the next month or so.
Thanks in advance!
Sidenote: That document rocks - very comprehensive and straightforward.. keep up the fantastic, very much appreciated.
Kindest Regards,
ALAN
04-17-2013 12:50 PM
Hi,
This is an example from my own ASA with example NAT configuration
ASA# sh nat
Manual NAT Policies (Section 1)
1 (LAN) to (WAN) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24
translate_hits = 1, untranslate_hits = 1
ASA# clear nat counters
ASA# sh nat
Manual NAT Policies (Section 1)
1 (LAN) to (WAN) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24
translate_hits = 0, untranslate_hits = 0
Though there are more parameters after the "clear nat counters" command
ASA# clear nat counters ?
A.B.C.D Match original IP address
interface Specify an original interface
object Specify an original network/service object
object-group Specify an original network object-group
translated Specify the translated parameters
- Jouni
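The two questions in this thread (why the identity rules carry a destination clause, and which rules actually get hit) can both be checked from "show nat" text. The script below is an added example written for this thread, not something from the posts or from Cisco: it parses the Section 1 rules shown above, looks up each object's network, finds the first rule a given inside-to-outside packet would match (ASA evaluates Section 1 in order, and in the real-to-mapped direction the packet's destination is compared with the MAPPED destination object), and writes a review note per rule. The object-to-prefix table is an assumption: the thread only states 172.16.0.0/16 and 10.2.100.0/24, so the remote prefixes are made up for the example, and the last rule in the sample is the destination-less identity rule proposed in the question, appended to show what it would match.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# "show nat" text constructed from the samples in this thread. Rule 4 here is
# the destination-less identity rule proposed in the question, appended so its
# effect on first-match lookup is visible; it is not from the real config.
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (Voice) to (outside) source static obj-10.2.100.0 obj-10.2.100.0 destination static obj-10.10.10.0 obj-10.10.10.0
    translate_hits = 864, untranslate_hits = 259907
2 (Inside) to (outside) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-10.10.10.0 obj-10.10.10.0
    translate_hits = 24803, untranslate_hits = 1166570
3 (Inside) to (outside) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-10.1.128.0 obj-10.1.128.0
    translate_hits = 0, untranslate_hits = 0
4 (Inside) to (outside) source static obj-172.16.0.0 obj-172.16.0.0
    translate_hits = 0, untranslate_hits = 0
"""

OBJECTS = {  # thread gives the first two; the other prefixes are ASSUMED here
    "obj-172.16.0.0": "172.16.0.0/16",
    "obj-10.2.100.0": "10.2.100.0/24",
    "obj-10.10.10.0": "10.10.10.0/24",  # assumed prefix
    "obj-10.1.128.0": "10.1.128.0/24",  # assumed prefix
}
NETOBJ_RE = re.compile(r"^NETWORK_OBJ_(\d+\.\d+\.\d+\.\d+)_(\d+)$")  # ASDM names

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+\((?P<real_if>[^)]+)\)\s+to\s+\((?P<mapped_if>[^)]+)\)\s+"
    r"source\s+(?:static|dynamic)\s+(?P<src_real>\S+)\s+(?P<src_mapped>\S+)"
    r"(?:\s+destination\s+static\s+(?P<dst_mapped>\S+)\s+(?P<dst_real>\S+))?\s*$"
)
HITS_RE = re.compile(r"translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")


@dataclass
class NatRule:
    number: int
    real_if: str
    mapped_if: str
    src_real: str
    src_mapped: str
    dst_mapped: Optional[str]  # ASA order is "destination static MAPPED REAL"
    dst_real: Optional[str]
    translate_hits: int = 0
    untranslate_hits: int = 0


def is_identity(r: NatRule) -> bool:
    """True when neither the source nor the destination is actually rewritten."""
    return r.src_real == r.src_mapped and (r.dst_real is None or r.dst_real == r.dst_mapped)


def resolve(name: str) -> ipaddress.IPv4Network:
    """Object name -> network, from the table or from the ASDM naming scheme."""
    if name in OBJECTS:
        return ipaddress.ip_network(OBJECTS[name])
    m = NETOBJ_RE.match(name)
    if m:
        return ipaddress.ip_network(f"{m[1]}/{m[2]}")
    raise KeyError(f"unknown object {name!r}; add it to OBJECTS")


def parse_show_nat(text: str) -> list:
    """Parse the Section 1 rule lines and attach each rule's hit counters."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if m:
            rules.append(NatRule(int(m["num"]), m["real_if"], m["mapped_if"],
                                 m["src_real"], m["src_mapped"],
                                 m["dst_mapped"], m["dst_real"]))
            continue
        h = HITS_RE.search(raw)
        if h and rules:  # counters belong to the rule parsed just before them
            rules[-1].translate_hits, rules[-1].untranslate_hits = int(h[1]), int(h[2])
    return rules


def first_match(rules, src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """First Section 1 rule a real->mapped packet hits; None means it falls
    through to object NAT / interface PAT in the later sections."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s not in resolve(r.src_real):
            continue
        if r.dst_mapped is not None and d not in resolve(r.dst_mapped):
            continue
        return r
    return None


def audit(rules) -> dict:
    """Per-rule review notes: why the destination clause matters, and which
    rules have not been used since the counters were last cleared."""
    notes = {}
    for r in rules:
        found = []
        if is_identity(r) and r.dst_mapped is None:
            found.append("identity NAT with no destination: matches every "
                         "destination, so Internet-bound flows skip later PAT")
        elif is_identity(r) and resolve(r.dst_mapped).is_private:
            found.append("identity NAT to a private destination: VPN no-NAT "
                         "exemption, keep the destination clause")
        if r.translate_hits == 0 and r.untranslate_hits == 0:
            found.append("zero hits: review after a clear-nat-counters window")
        notes[r.number] = found
    return notes
```

With the three real rules only, 172.16.5.5 going to 8.8.8.8 matches nothing in Section 1 and drops to interface PAT; with the proposed destination-less rule in place it matches that rule and leaves untranslated, which is the breakage described above. The zero-hit note is only meaningful after "clear nat counters" and a long enough observation window.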
04-17-2013 12:53 PM
You're like a NAT-cyclopedia, thanks again sir - I am grading and marking these posts now! -ALAN
04-17-2013 12:55 PM
No problem, glad to help out
- Jouni