Simple NAT 8.3 Q.

golly_wog
Level 1

Hi

I had the following NAT rules configured on a device. VPN traffic was being NAT'd and wasn't being encrypted.

ASA(config)#  sh run nat
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static NETWORK_OBJ_172.160.0.0_16 NETWORK_OBJ_172.160.0.0_16 destination static NETWORK_OBJ_172.117.0.0_16 NETWORK_OBJ_172.117.0.0_16
!
object network obj_any
nat (inside,outside) dynamic interface

I removed and re-applied the following to fix this

no nat (inside,outside) source dynamic any interface

nat (inside,outside) source dynamic any interface


But after doing some reading on the order of NAT, it seems that the "nat (inside,outside) source dynamic any interface" command is Network Object NAT, so why was it hit before my twice NAT rule "nat (inside,outside) source static NETWORK_OBJ_172.160.0.0_16 NETWORK_OBJ_172.160.0.0_16 destination static NETWORK_OBJ_172.117.0.0_16 NETWORK_OBJ_172.117.0.0_16"?

According to the following, twice NAT should be applied first...

http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/nat_overview.html#wp1118157

Many thanks

2 Accepted Solutions

Maykol Rojas
Cisco Employee

Hi,

The document can be a little bit confusing; it should not say twice NAT, the correct name would be manual NAT. The NAT that you are using for internet access is also a manual NAT. Now, based on the document, the manual NAT rules (what you call twice NAT) are being hit on a first-match basis.

This one

nat (inside,outside) source dynamic any interface

Was taking precedence over this one

nat (inside,outside) source static NETWORK_OBJ_172.160.0.0_16  NETWORK_OBJ_172.160.0.0_16 destination static NETWORK_OBJ_172.117.0.0_16  NETWORK_OBJ_172.117.0.0_16

Not because of the type of NAT; the type of NAT is the same, manual NAT (or what the document calls twice NAT).

It would be easier for you to understand this as follows: if you want to see which rule takes precedence over what, just do a sh run nat; the rules are being hit, or read, from top to bottom.

Manual NAT, object NAT or after-auto are just a way to define where the rules are going to be on the list that appears in the show run nat, for example:

Manual NAT rules are going to be in the first section

Object NAT, in the middle section

After Auto, at the bottom.

Remember, no matter where you put it, the first one that it sees is the one that is going to match.

Hope this helps.

Better reference:

https://supportforums.cisco.com/docs/DOC-9129

Mike


Hi Golly,

You need not delete the whole nat list to insert your new rule on top, let me explain with an example:

nat (inside,outside) 1 source dynamic any interface

The number 1 is the position where I want to apply the rule.

ASA2(config)# nat (outside,inside) ?

configure mode commands/options:
  <1-2147483647>  Position of NAT rule within before auto section
  after-auto      Insert NAT rule after auto section
  source          Source NAT parameters

Similarly for auto nat or object nat as well:

ASA2(config)# object network hello
ASA2(config-network-object)# nat (inside,outside) ?

configure mode commands/options:

  <1-2147483647>  Position of NAT rule within before auto section
  after-auto      Insert NAT rule after auto section
  source          Source NAT parameters

This identifier pushes the NAT rule into the order in which you want it to hit. You need not delete and re-add the rules, just specify this number.

Hope this helps,

Thanks,

Varun

Thanks,
Varun Rao

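Added example, not code from the thread or from Cisco: a small Python model of the first-match, top-to-bottom lookup Mike describes and of the position number Varun shows. The rule labels, class names and the 172.160.1.10 / 172.117.5.5 / 8.8.8.8 sample hosts are constructed; the two prefixes come from the object names in the original question.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class NatRule:
    name: str               # how the rule would appear in "show run nat" (constructed label)
    src: str                # source match: "any" or a CIDR
    dst: str = "any"        # destination match: "any" or a CIDR
    identity: bool = False  # static identity rule (src -> src): no translation, e.g. VPN exemption
    section: int = 1        # 1 = manual NAT before auto, 2 = object NAT, 3 = manual NAT after-auto

def _match(net, addr):
    return net == "any" or ip_address(addr) in ip_network(net)

class NatTable:
    def __init__(self):
        self.rules = []  # kept in the order "show run nat" prints: section 1, then 2, then 3

    def add(self, rule, position=None):
        # position=None appends at the end of the rule's section (ASA default); an integer
        # inserts at that 1-based slot within the section, like "nat (inside,outside) 1 source ...".
        same = [i for i, r in enumerate(self.rules) if r.section == rule.section]
        end = next((i for i, r in enumerate(self.rules) if r.section > rule.section), len(self.rules))
        idx = same[position - 1] if position is not None and position - 1 < len(same) else end
        self.rules.insert(idx, rule)
        return self

    def lookup(self, src, dst):
        # First match wins, top to bottom, regardless of which section the rule lives in.
        return next((r for r in self.rules if _match(r.src, src) and _match(r.dst, dst)), None)

    def show_run_nat(self):
        return [r.name for r in self.rules]

PAT = NatRule("source dynamic any interface", "any")
VPN = NatRule("source static 172.160.0.0/16 self destination static 172.117.0.0/16 self",
              "172.160.0.0/16", "172.117.0.0/16", identity=True)
OBJ = NatRule("object obj_any: dynamic interface", "any", section=2)

def as_posted():
    """The poster's config: PAT rule entered first, so it sits above the VPN identity rule."""
    return NatTable().add(PAT).add(VPN).add(OBJ)

def with_position():
    """Same rules, but the identity rule is inserted at position 1 instead of removing/re-adding PAT."""
    return NatTable().add(PAT).add(VPN, position=1).add(OBJ)

def translated(table, src, dst):
    """True if the first-matching rule would actually translate (PAT) the flow."""
    return not table.lookup(src, dst).identity
```

Run `translated(as_posted(), "172.160.1.10", "172.117.5.5")` to see the VPN flow caught by the PAT rule, and the same call on `with_position()` to see the identity rule win once it is at position 1.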

6 Replies

Hi Maykol

Many thanks for clearing this up and taking the time to reply with such a great explanation.

Say I had 100 NAT rules and needed to insert a new rule at the beginning, is there a way to do this, rather than clearing them all and putting the new one first?

Thanks again for the great response, I've given you 5 points, but you deserve 50 for this reply!!!


Hi Varun

Thanks mate - I feel sheepish as I should have labbed this up to see this.

Many thanks for the help.

Golly,

Also, using ASDM you can easily move the rules around.

And, for troubleshooting issues like this 'show nat detail' will show the 'translate' and 'untranslate' counters on the individual entries in the NAT table. That way you can see exactly which NAT rules are being hit and how many times each.

And, packet-tracer would show the incorrect rule being hit as well.

- Jay

Hi Jay

Cheers mate - I did pick this up using the packet-tracer. I'll try to remember "show nat detail" for next time.

I don't use the ASDM - GUIs are for girls. :-)

Fancy answering the following for me??

https://supportforums.cisco.com/message/3371577#3371577

BTW - looking forward to the next show as always!

cheers
