static nat or static policy nat

Boon Peng Poh
Level 1

Hi, I have a question regarding static natting and static policy natting. (asa5500)

I have a scenario here. In the existing NAT rule table, there is an existing static 1:1 for this IP address (e.g. source address 10.1.1.1 to 172.21.1.1). However, this source (10.1.1.1) needs to access another server, and I am required to NAT the source IP into another range (172.26.x.x) in order for the source to access the server.

My question is, if I add a static policy nat (source: 10.1.1.1 destination:server's ip, server interface:172.26.x.x) will it work while keeping my static 1:1 or do I have to delete the static 1:1 and configure another static policy nat for it?

12 Replies

Jennifer Halim
Cisco Employee

Static statements, whether they are static NAT or static policy NAT, are matched in the order of the configuration.

If you have:

access-list static-nat permit ip host 10.1.1.1 host

static (inside,outside) 172.21.1.1 10.1.1.1 netmask 255.255.255.255

static (inside,outside) 172.26.1.1 access-list static-nat

Then: "static (inside,outside) 172.21.1.1 10.1.1.1 netmask 255.255.255.255" will be matched first.

But if you would like static policy NAT to match first, then remove your existing static statement, then configure the static policy NAT and reconfigure the static NAT statement as follows:

no static (inside,outside) 172.21.1.1 10.1.1.1 netmask 255.255.255.255

static (inside,outside) 172.26.1.1 access-list static-nat

static (inside,outside) 172.21.1.1 10.1.1.1 netmask 255.255.255.255

so the static policy NAT will be on top of the static NAT, and the static policy NAT will take precedence.

hope that answers your question.

Hi again, there's something else i would like to clarify.

But if you would like static policy NAT to match first, then remove your existing static statement, then configure the static policy NAT and reconfigure the static NAT statement as follows:

no static (inside,outside) 172.21.1.1 10.1.1.1 netmask 255.255.255.255

static (inside,outside) 172.26.1.1 access-list static-nat

static (inside,outside) 172.21.1.1 10.1.1.1 netmask 255.255.255.255

so the static policy NAT will be on top of the static NAT, and the static policy NAT will take precedence.

hope that answers your question.

If 172.21.1.1 10.1.1.1 netmask 255.255.255.255 is placed after the static policy NAT, will the static 172.21.1.1 10.1.1.1 netmask 255.255.255.255 rule still work?

Jouni Forss
VIP Alumni

Hi,

I have only had to do the configuration you mentioned once.

The situation was that the user already had a static NAT for a public IP address. Then we had to configure an L2L VPN where the partner wanted to NAT the user's IP address to something else (even though it's a public address).

So I did a Static Policy NAT also.

I do remember that we had a problem with this after I issued the Static Policy NAT command.

I think I removed the Static NAT for the public IP address and issued the same command again. Might be that there was something with the order of the NAT commands on the ASA (running below 8.2 software then)

After that change it has seemed to work fine, so I think it should be OK in your case too.

EDIT: Gah! Jennifer beat me to it

- Jouni

Only by 4 minutes, Jouni

Great answer too btw.

Boon Peng Poh
Level 1

I am new to Cisco ASA actually; I am using the ASDM to configure the firewall. So that means my newly added static NAT rule won't take effect due to the existing static 1:1 rule unless I remove that rule and re-add it after the static policy NAT rule. If I want the source to be able to access both servers, I can also configure 2 static policy NAT rules pointing to 2 different server IPs and using 2 different NATted IPs.

Yes, you are absolutely correct.

That cleared my doubts. Thanks a lot.


If 172.21.1.1 10.1.1.1 netmask 255.255.255.255 is placed after the static policy NAT, will the static 172.21.1.1 10.1.1.1 netmask 255.255.255.255 rule still work?

Yes, the static NAT rule will still work.

If it doesn't match the static policy NAT which is on top of the static NAT, then it will go down the static NAT/policy NAT list and will match the second one in the list which is the static NAT.

So I see, if you want the policy NAT rule to work, it has to be placed in priority before the static 1:1. If the static 1:1 is placed before the policy NAT, it will override the policy NAT. The static 1:1 rule, on the other hand, will always work.

Hi again,

Here is my understanding of how NAT works for ASA software 8.2 and below.

The order in which NAT configurations are applied is, to my understanding, the following:

  • NAT0 / NAT exemption with access-list
    • Example: nat (inside) 0 access-list INSIDE-NAT0
  • Static NAT/PAT with or without Policy configurations 
    • Static NAT: static (inside,outside) 1.2.3.4 10.10.10.0 netmask 255.255.255.255
    • Static PAT: static (inside,outside) tcp 1.2.3.4 80 10.10.10.10 80 netmask 255.255.255.255
    • Static Policy NAT: static (inside,outside) 1.2.3.4 access-list STATIC-POLICY-NAT
  • Dynamic Policy NAT/PAT
    • global (outside) 100 1.2.3.4
    • nat (inside) 100 access-list LAN-POLICY-NAT
  • Dynamic NAT/PAT
    • global (outside) 1 1.2.3.4
    • nat (inside) 1 10.10.10.0 255.255.255.0

To my understanding the above is the order in which ASA goes through the NAT configurations.

But as with your case, you are trying to determine the order in which the same type of NAT configurations are used. Meaning you are using static NAT and static policy NAT, and they are in a sense equal, I guess, so they have to be in order.

Sadly the old software doesn't have any number parameter for the order of your static NAT (or other) rules, so you have to manually delete and reapply the configurations.

In your case IF you have the normal Static NAT first in the configurations (when issuing the "show run static" command on the CLI of the ASA) and then have the Static Policy NAT, to my understanding the normal Static NAT will override the Static Policy NAT always as the normal applies to all traffic.

Now when you remove the normal static NAT and enter it again, it naturally goes to the very bottom of the static NAT configurations, and therefore the ASA sees the static policy NAT first and the rest of the traffic hits the static NAT that you have re-entered on the ASA.

EDIT: Again

EDIT 2: I have to mention though that I never use ASDM for NAT configuration (even with the new software); I only use the CLI, so I might miss a lot of options you might have on the ASDM side. To my understanding, for example, even though the ASA doesn't have ordering for NAT configurations (with an order number parameter in the NAT configurations), you can still enter a static NAT rule into a certain spot in the configuration through ASDM. What this does, to my understanding, is that ASDM will actually remove a lot of static NAT commands out of the way and insert your new static NAT configuration in the right spot. After this it will add back the static NAT configurations it just removed.

Be sure to change the setting on the ASDM side to preview the configuration ASDM sends to the ASA, and you will see what CLI commands the ASA actually executes. It's a good way to see what's actually happening with the configuration.

- Jouni
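To make the first-match behaviour described in this thread concrete, here is an added Python model (not code from the thread or from Cisco) of how a pre-8.3 ASA walks its static statements in configuration order. It covers only the static NAT / static policy NAT tier of the order Jouni lists (NAT0 ahead of it, dynamic NAT behind it are left out), and the server address 172.26.50.10 is a constructed placeholder since the thread never states it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model: statics are evaluated in "show run static" order and the
# first rule whose real (inside) address matches wins. A policy static also
# requires its access-list (source, destination) pair to match.

@dataclass
class Static:
    mapped: str                           # mapped (outside) address
    real: str                             # real (inside) host or subnet
    acl: Optional[list] = None            # policy static: [(src_net, dst_net), ...]

    def matches(self, src: str, dst: str) -> bool:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.acl is None:              # plain 1:1 static: any destination
            return s in ipaddress.ip_network(self.real)
        return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
                   for a, b in self.acl)

def translate(statics, src, dst):
    """Return the mapped address chosen for src->dst by first match, or None."""
    for rule in statics:
        if rule.matches(src, dst):
            return rule.mapped
    return None

def readd(statics, rule):
    """Model 'no static ...' followed by re-entering the same command:
    the rule leaves its slot and lands at the bottom of the static list."""
    return [r for r in statics if r != rule] + [rule]

SERVER = "172.26.50.10"                   # constructed placeholder server IP
ACL_STATIC_NAT = [("10.1.1.1/32", SERVER + "/32")]

STATIC_1TO1 = Static("172.21.1.1", "10.1.1.1/32")
POLICY_STATIC = Static("172.26.1.1", "10.1.1.1/32", acl=ACL_STATIC_NAT)

# Original order: the 1:1 static precedes the policy static and shadows it
ORIGINAL = [STATIC_1TO1, POLICY_STATIC]
# After deleting and re-entering the 1:1 static it sits below the policy static
REORDERED = readd(ORIGINAL, STATIC_1TO1)

if __name__ == "__main__":
    print("original, to server:  ", translate(ORIGINAL, "10.1.1.1", SERVER))
    print("reordered, to server: ", translate(REORDERED, "10.1.1.1", SERVER))
    print("reordered, elsewhere: ", translate(REORDERED, "10.1.1.1", "198.51.100.7"))
```

Running it shows the shadowing Jennifer describes (the 1:1 static wins for every destination until it is moved below the policy static) and that after the reorder the 1:1 static still serves all non-server traffic.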

Thanks for the examples, this forum is really helpful I must say
