10-04-2012 06:17 AM - edited 03-11-2019 05:04 PM
Hi, I have a question regarding static natting and static policy natting. (asa5500)
I have a scenario here. In the existing nat rule table, there is an existing static 1:1 for this ip address(e.g. source address - 10.1.1.1 to 172.21.1.1) However, this source (10.1.1.1) needs to access to another server and I am required to nat the source ip into another range (172.26.x.x) in order for the source to access the server.
My question is, if I add a static policy nat (source: 10.1.1.1 destination:server's ip, server interface:172.26.x.x) will it work while keeping my static 1:1 or do I have to delete the static 1:1 and configure another static policy nat for it?
10-04-2012 06:23 AM
Static statements whether they are static NAT or static Policy NAT, they are matched in order of the configuration.
If you have:
access-list static-nat permit ip host 10.1.1.1 host
static (inside,outside) 172.21.1.1 10.1.1.1 netmask 255.255.255.255
static (inside,outside) 172.26.1.1 access-list static-nat
Then: "static (inside,outside) 172.21.1.1 10.1.1.1 netmask 255.255.255.255" will be matched first.
But if you would like static policy NAT to match first, then remove your existing static statement, then configure the static policy NAT and reconfigure the static NAT statement as follows:
no static (inside,outside) 172.21.1.1 10.1.1.1 netmask 255.255.255.255
static (inside,outside) 172.26.1.1 access-list static-nat
static (inside,outside) 172.21.1.1 10.1.1.1 netmask 255.255.255.255
so the static policy NAT will be on top of the static NAT, and the static policy NAT will take precedence.
hope that answers your question.
10-04-2012 06:26 AM
Hi,
Only had to do the configuration you mentioned once
The situation was that the user already had a Static NAT for a public IP address. Then we had to configure a L2L VPN where the partner wanted to NAT the user's IP address to something else (even though it's a public address).
So I did a Static Policy NAT also.
I do remember that we had a problem with this after I issued the Static Policy NAT command.
I think I removed the Static NAT for the public IP address and issued the same command again. Might be that there was something with the order of the NAT commands on the ASA (running below 8.2 software then)
After that change it has seemed to work fine, so I think it should be ok in your case too.
EDIT: Gah! Jennifer beat me to it
- Jouni
10-05-2012 02:42 AM
Yes, the static NAT rule will still work.
If it doesn't match the static policy NAT which is on top of the static NAT, then it will go down the static NAT/policy NAT list and will match the second one in the list which is the static NAT.
10-05-2012 02:43 AM
Hi again,
Here is my understanding on how the NAT works for ASA software 8.2 and below
The order in which NAT configurations are applied is, to my understanding, the following:
To my understanding the above is the order in which ASA goes through the NAT configurations.
But as with your case, you are trying to determine the order in which the same type of NAT configurations are used. Meaning you are using Static NAT and Static Policy NAT and they are in a sense equal I guess so they have to be in order.
Sadly the old software doesn't have any number parameter for the order of your Static NAT (or other) so you have to manually delete and reapply the configurations.
In your case IF you have the normal Static NAT first in the configurations (when issuing the "show run static" command on the CLI of the ASA) and then have the Static Policy NAT, to my understanding the normal Static NAT will override the Static Policy NAT always as the normal applies to all traffic.
Now when you remove the normal Static NAT and enter it again it naturally goes to the very bottom of the Static NAT configurations and therefore the ASA sees the Static Policy NAT first and rest of the traffic hits the Static NAT that you have re-entered to the ASA.
EDIT: Again
EDIT 2: I have to mention though that I never use ASDM for NAT configuration (even with the new software) I only use CLI so I might miss a lot of options you might have on the ASDM side. To my understanding for example even though the ASA doesn't have ordering for NAT configurations (with an order number parameter in the NAT configurations), you can still enter a Static NAT rule into a certain spot in the configurations through ASDM. What this does to my understanding is that the ASDM will actually remove a lot of Static NAT commands out of the way and insert your new Static NAT configuration in the right spot. After this it will add the Static NAT configurations it just removed.
Be sure to change the setting in the ASDM side to preview the configurations ASDM sends to the ASA and you will see what CLI commands the ASA actually does. It's a good way to see what's actually happening with the configurations.
- Jouni
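The two answers above both come down to one rule: on ASA software before 8.3, static NAT and static policy NAT statements are evaluated in configuration order and the first match wins, so a plain 1:1 static that precedes a policy static for the same host shadows it. The following Python model is an added illustration written for this thread; it is not Cisco code, it does not parse real ASA configuration, and the server address 192.0.2.10 and the "other destination" 198.51.100.5 are constructed placeholders (the thread never gives the server's real address). It simulates both orderings, the one before the "no static ..." / re-enter fix and the one after, and shows which mapped address 10.1.1.1 would get in each case.

```python
"""
Model of first-match evaluation of ASA (pre-8.3) static NAT statements.

Added, simplified simulation for this thread: not Cisco code and not a parser
for real ASA configuration.  It models only the behaviour discussed above:
static NAT and static policy NAT statements are walked in configuration
order, and the first statement whose source (and, for policy NAT,
destination) matches the packet decides the translated address.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StaticRule:
    """One 'static (inside,outside)' statement.

    mapped: the translated (outside) address.
    real:   the real (inside) network the statement applies to.
    dst:    for static policy NAT, the destination network from the
            access-list; None for a plain static NAT (matches any destination).
    """
    mapped: str
    real: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network] = None

    def matches(self, src: str, dst: str) -> bool:
        # Plain static NAT looks only at the real source address;
        # policy NAT additionally requires the destination to match its ACL.
        if ipaddress.ip_address(src) not in self.real:
            return False
        return self.dst is None or ipaddress.ip_address(dst) in self.dst


def static_nat(mapped: str, real_host: str) -> StaticRule:
    # static (inside,outside) <mapped> <real> netmask 255.255.255.255
    return StaticRule(mapped, ipaddress.ip_network(f"{real_host}/32"))


def static_policy_nat(mapped: str, real_host: str, dst_host: str) -> StaticRule:
    # access-list X permit ip host <real> host <dst>
    # static (inside,outside) <mapped> access-list X
    return StaticRule(mapped, ipaddress.ip_network(f"{real_host}/32"),
                      ipaddress.ip_network(f"{dst_host}/32"))


def translate(rules: List[StaticRule], src: str, dst: str) -> Optional[str]:
    """Return the mapped address chosen by the first matching statement,
    or None when no static statement applies to this packet."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.mapped
    return None


# Addresses from the thread: 10.1.1.1 is the inside host, 172.21.1.1 its 1:1
# mapped address, 172.26.1.1 the policy-NAT address.  The server address
# 192.0.2.10 is a constructed placeholder; the thread does not give it.
HOST, ONE_TO_ONE, POLICY_MAPPED, SERVER = "10.1.1.1", "172.21.1.1", "172.26.1.1", "192.0.2.10"

# Order as it stood before the fix: plain static NAT entered first.
BEFORE = [
    static_nat(ONE_TO_ONE, HOST),
    static_policy_nat(POLICY_MAPPED, HOST, SERVER),
]

# Order after 'no static ...' and re-entering the 1:1: policy NAT first.
AFTER = [
    static_policy_nat(POLICY_MAPPED, HOST, SERVER),
    static_nat(ONE_TO_ONE, HOST),
]


def first_match_order_demo() -> dict:
    """Mapped address seen by the server and by any other destination, under both orders."""
    other = "198.51.100.5"  # constructed: a destination that is not the server
    return {
        "before_to_server": translate(BEFORE, HOST, SERVER),  # 1:1 shadows the policy NAT
        "before_to_other": translate(BEFORE, HOST, other),
        "after_to_server": translate(AFTER, HOST, SERVER),    # policy NAT now wins
        "after_to_other": translate(AFTER, HOST, other),      # 1:1 still catches the rest
    }


if __name__ == "__main__":
    for name, mapped in first_match_order_demo().items():
        print(f"{name}: {mapped}")
```

With the original order, traffic from 10.1.1.1 to the server is translated to 172.21.1.1 and the 172.26.1.1 policy statement is never consulted; with the policy statement first, server-bound traffic gets 172.26.1.1 while every other destination still falls through to the 1:1 mapping, which is exactly the "will the static 1:1 still work" question answered above. On a real ASA the same check is "show run static" for the order and "show xlate" or packet-tracer for the result.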
10-05-2012 02:08 AM
Hi again, there's something else I would like to clarify.
But if you would like static policy NAT to match first, then remove your existing static statement, then configure the static policy NAT and reconfigure the static NAT statement as follows:
no static (inside,outside) 172.21.1.1 10.1.1.1 netmask 255.255.255.255
static (inside,outside) 172.26.1.1 access-list static-nat
static (inside,outside) 172.21.1.1 10.1.1.1 netmask 255.255.255.255
so the static policy NAT will be on top of the static NAT, and the static policy NAT will take precedence.
hope that answers your question.
If 172.21.1.1 10.1.1.1 netmask 255.255.255.255 is placed after the static policy nat, will the static 172.21.1.1 10.1.1.1 netmask 255.255.255.255 rule still work?
10-04-2012 06:47 AM
Only by 4 minutes, Jouni
Great answer too btw.
10-04-2012 06:35 AM
I am new to Cisco ASA actually, I am using the ASDM to configure the firewall. So that means my newly added static NAT rule won't take effect due to the existing static 1:1 rule unless I remove that rule and re-add it after the static policy NAT rule. If I want the source to be able to access both servers, I can also configure 2 static policy NAT rules pointing to 2 different server IPs and using 2 different NATted IPs.
10-04-2012 06:39 AM
Yes, you are absolutely correct.
10-04-2012 06:45 AM
That cleared my doubts. Thanks a lot.
10-05-2012 03:23 AM
So I see, if you want the policy NAT rule to work, it has to be placed in priority before the static 1:1. If the static 1:1 is placed before the policy NAT, it will overwrite the policy NAT. The static 1:1 rule on the other hand will always work.
10-05-2012 03:24 AM
Thanks for the examples, this forum is really helpful I must say