Static NAT Configurations with Different Behaviour

fatalXerror
Level 5

Hi Guys,

Good Day!

I would like to ask what the difference is between the two static NAT configurations below:

1) nat (dmz,outside) source static obj-private-ip obj-public-ip destination static obj-any obj-any

2) nat (dmz,outside) source static obj-private-ip obj-public-ip

I've just noticed that when we are using the 1st one, it goes directly to the egress interface, which is the outside interface, but when we use the 2nd one, it will look first at the routing table and use that for the egress interface, which is the most preferred one.

Thanks

6 Replies

Aditya Ganjoo
Cisco Employee

Hi,

Yes, you are correct.

So here is how the egress interface is selected:

Routing: The ASA can check the global routing table to determine the egress interface for the connection.

Network Address Translation (NAT): The ASA might also use the NAT configuration to override the routing table to determine the egress interface.

NAT rules will only override the routing table for egress interface selection if the destination address of the IP packet is being translated by the NAT rule.

So in the first case you have a destination translation present, so NAT takes preference over the routing table and forwards it to the egress interface, but in the latter it consults the routing table.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya, thanks for the feedback. Yes, I have a destination in my first NAT statement, but it is just any any, and I believe my second NAT statement has an any any destination too by default, which means these NATs are the same, so why do they have different behaviour? Thank you very much for the help!

Hi,

Yes, you are correct, but again the ASA sees that it has a destination keyword, and the ASA would treat it as a destination NAT even if we are not NATing the traffic, because we are using a destination NAT keyword.

In the second NAT it does not see a destination keyword, hence the routing table takes preference.

Hope it clears your doubt.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

Good Day!

Noted, I understand it much better.

But what about the case where obj-any in the NAT statement comes before the destination keyword?

Thanks

1) nat (dmz,outside) source static obj-private-ip obj-public-ip destination static obj-any obj-any

This is destination NAT, much like the old policy NAT. In this case NAT only happens when traffic is headed to the specified destination, and it allows you to NAT both the source and destination IPs.

nat (source_int,dest_int) source [static,dynamic] original_object mapped_object destination [static,dynamic] mapped_object original_object

2) nat (dmz,outside) source static obj-private-ip obj-public-ip

This is your classic static NAT, which only has the ability to translate the source IP.

Keep in mind that these NAT statements are placed in section 1 (manual NAT) and will be processed top down (much like ACLs).

If you place obj-any in the source section of the destination / twice NAT statement, then all IPs with a destination of obj-private-ip will not be translated.

--

Please remember to select a correct answer and rate helpful posts


Hi,

It would still check whether the destination keyword is present or not.

Remember this is only used to select an egress interface.

The NAT feature will only override the routing table for egress interface selection if the destination address of the IP packet is being translated by the NAT rule; if it is not, only routing will take preference.

Regards,

Aditya

Please rate helpful posts and mark correct answers.
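A small model of the egress-selection rule discussed in this thread, as an added example (Python written for this page, not ASA code and not from any poster): it parses the two manual NAT statements, reports whether a destination clause is present, and picks the egress interface from the NAT rule when it is, or from a longest-prefix route lookup when it is not. The routing table, the destination IPs and the assumption that the packet already matches the rule's source object are all constructed; real ASA object matching is not modelled.

```python
import ipaddress
import re

# Constructed examples: the two statements from the thread, and a made-up
# routing table (prefix, egress interface) where the longest match wins.
NAT_RULES = [
    "nat (dmz,outside) source static obj-private-ip obj-public-ip destination static obj-any obj-any",
    "nat (dmz,outside) source static obj-private-ip obj-public-ip",
]
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.20.0.0/16", "inside"),  # assumed: a more specific route via another interface
]

# Manual (section 1) NAT syntax as given in the thread; the destination clause
# is optional, and its object order is mapped then real.
NAT_RE = re.compile(
    r"^nat \((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\)"
    r" source (?P<src_type>static|dynamic) (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination (?P<dst_type>static|dynamic) (?P<dst_mapped>\S+) (?P<dst_real>\S+))?$"
)

def parse_nat(line):
    """Return the fields of a manual NAT statement, or raise if it does not parse."""
    m = NAT_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a manual NAT statement: {line!r}")
    fields = m.groupdict()
    fields["has_destination"] = fields["dst_type"] is not None
    return fields

def route_lookup(dst_ip, routes=ROUTES):
    """Longest-prefix match over the constructed routing table."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None

def egress_interface(nat_line, dst_ip, routes=ROUTES):
    """Egress choice for a packet matching the rule; returns (interface, reason)."""
    rule = parse_nat(nat_line)
    if rule["has_destination"]:
        return rule["mapped_ifc"], "nat"          # routing table bypassed
    return route_lookup(dst_ip, routes), "route"  # routing table consulted
```

Because section 1 rules are evaluated top down, which of the two behaviours a flow gets depends on which statement matches first, so a rule with a destination clause placed above a source-only rule pins that traffic to the mapped interface regardless of any more specific route.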
