05-20-2013 09:27 AM - edited 03-11-2019 06:46 PM
I have a firewall where there is an object in the dmz that needs to be translated to the outside and inside using the same ip address. I have noticed in the configuration that this is being done as a twice NAT and a network object NAT but I know the Twice NAT will take precedence. For instance I have found the following configuration entries on the firewall:
object network obj_10.10.10.70
host 10.10.11.70
object network obj_76.77.200.110
nat (dmz,outside) source static obj_10.10.10.70 obj_76.77.200.110
nat (dmz,inside) source static obj_10.10.10.70 obj_76.77.200.110
object network obj_10.10.10.70
nat (dmz,any) static 76.77.146.81
Which way is the better practice to accomplish translating the object to the same ip on the outside and the inside? Should you keep the Twice NAT or the Object NAT?
05-20-2013 09:40 AM
Hi,
You should be able to use either of the NAT Rule types to achieve this. What the above is essentially doing is Static NAT.
I personally prefer to do the Static NAT and Static PAT always with Network Object NAT
When I want to override the Static NAT (Network Object NAT) for example then I use some Twice NAT configuration. Consider for example a NAT0 / NAT Exempt type Twice NAT configuration that tells specifically when the NAT should be applied. In those cases the "destination static" is added to the end of the "nat" command to tell the remote network. So for that "destination" network(s) the Twice NAT would override the Network Object NAT but otherwise the Network Object NAT would apply.
Notice also that the Twice NAT can be overridden by Network Object NAT. Though this can ONLY happen when you use "after-auto" after the "()" in the configuration.
I would personally suggest using Network Object NAT for Static NAT configurations BUT Twice NAT is also an ok solution. In that case you have to manage the NAT ordering though. This is because for example when you have Static NAT and NAT0 configured with Twice NAT then there is a possibility that the Static NAT will override the NAT0 if the ordering is incorrect. I find it more clear when I know that Static NAT/PAT is always as Network Object NAT and NAT0/Policy type NAT configurations are Twice NAT. (Default Dynamic PAT/NAT I typically configure with Twice NAT with the added "after-auto" parameter which moves the rules at the very end of the NAT rules after Network Object NAT)
I wrote a document on the forums about the new NAT format if you want to take a look. It probably clarifies the different NAT Rule types and the ordering done by the ASA better than I can do in this post
https://supportforums.cisco.com/docs/DOC-31116
Hope this helps
- Jouni
05-20-2013 09:52 AM
Thanks, that does help with mapping the same IP to multiple interfaces. What if you mapped two objects to the same IP based on the service? Would Twice NAT or network object NAT be used? For example, let's say you have two hosts, 10.10.10.5 and 10.10.10.10, in the dmz. You want to map both to the outside IP of 76.77.200.40 but specify which service to use. For example, if it is http use 10.10.10.5 and if smtp use 10.10.10.10. Would the best way be to create the two following object NATs or use a twice NAT?
object network obj_10.10.10.5
 host 10.10.10.5
 nat (dmz,outside) static 76.77.200.40 service tcp http http
object network obj_10.10.10.10
 host 10.10.10.10
 nat (dmz,outside) static 76.77.200.40 service tcp smtp smtp
05-20-2013 10:04 AM
Hi,
I would use Network Object NAT.
Though again I have to state that nothing is stopping you from using the Twice NAT format. That is what I mostly see Cisco people on these forums suggesting but I personally prefer Network Object NAT
The NAT configuration format using Twice NAT would be
object network WEB-SERVER
 host 10.10.10.5
object network MAIL-SERVER
 host 10.10.10.10
object service HTTP
 service tcp source eq 80
object service SMTP
 service tcp source eq 25
nat (dmz,outside) source static WEB-SERVER interface service HTTP HTTP
nat (dmz,outside) source static MAIL-SERVER interface service SMTP SMTP
The above uses the "outside" interface IP address. If you wanted to use a separate IP address you could use
object network WEB-SERVER
 host 10.10.10.5
object network MAIL-SERVER
 host 10.10.10.10
object service HTTP
 service tcp source eq 80
object service SMTP
 service tcp source eq 25
object network PUBLIC-IP
 host 76.77.200.40
nat (dmz,outside) source static WEB-SERVER PUBLIC-IP service HTTP HTTP
nat (dmz,outside) source static MAIL-SERVER PUBLIC-IP service SMTP SMTP
Let's say you configure the Twice NAT format. Then in the near future you have to configure NAT0 for some L2L VPN connecting a remote site to your head office. If you were to configure the NAT0 configuration using Twice NAT without taking into account the ordering of Twice NAT rules (didn't use the line number) then you would find that SMTP and HTTP traffic to the remote site wouldn't work while other traffic would. In this case when we use Static PAT (Port Forward) we can naturally see that it wouldn't cause as much problem as Static NAT.
My personal split (mentioned in the document) of NAT Type is the following
Remember to mark any reply as correct answer if it answered your question. And/or rate helpful posts
Naturally ask more if needed or if you wish me to clarify something.
- Jouni
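The ordering pitfall described above (a static rule written as Twice NAT, then a NAT0 rule for a VPN site appended later without a line number) and the Section 1 / Section 2 / "after-auto" Section 3 split from the earlier reply, modelled as an added Python example; this is not code from the thread or from Cisco. The ASA's first-match lookup is simplified to section order then configuration order, and the remote site 192.168.50.0/24, the rule names and the "outside-interface-ip" placeholder are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    real_src: str            # real (pre-NAT) source network, e.g. the DMZ host
    mapped_src: str          # mapped source; equal to real_src for NAT0 (identity NAT)
    section: int             # 1 = twice NAT, 2 = network object NAT, 3 = twice NAT "after-auto"
    dest: str = "0.0.0.0/0"  # "destination static" clause; any destination when omitted

def first_match(rules, src, dst):
    """Rule the ASA applies: Section 1 in configuration order, then Section 2, then
    Section 3; the first rule whose real source and destination both match wins.
    Simplification: Section 2 has its own internal sort on a real ASA, but with one
    object rule per host (as in this thread) configuration order gives the same result."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for section in (1, 2, 3):
        for r in (r for r in rules if r.section == section):
            if s in ipaddress.ip_network(r.real_src) and d in ipaddress.ip_network(r.dest):
                return r
    return None

def translated_source(rules, src, dst):
    """(matching rule name, source address the destination would see)."""
    r = first_match(rules, src, dst)
    if r is None or r.real_src == r.mapped_src:
        return (r.name if r else None, src)           # no rule, or NAT0: untranslated
    return (r.name, r.mapped_src.split("/")[0])

# Constructed scenario: the DMZ web server from the thread plus a hypothetical
# L2L VPN remote site 192.168.50.0/24 that must see DMZ hosts untranslated.
STATIC_TWICE = Rule("static-web", "10.10.10.5/32", "76.77.200.40/32", section=1)
STATIC_OBJECT = Rule("static-web-object", "10.10.10.5/32", "76.77.200.40/32", section=2)
NAT0_VPN = Rule("nat0-vpn", "10.10.10.0/24", "10.10.10.0/24", section=1, dest="192.168.50.0/24")
DYN_PAT = Rule("default-pat-after-auto", "10.10.10.0/24", "outside-interface-ip", section=3)
# 1) Static as twice NAT, NAT0 appended later without a line number: the static
#    rule is hit first, so web-server traffic to the VPN site gets translated.
BAD_ORDER = [STATIC_TWICE, NAT0_VPN, DYN_PAT]
# 2) Same rules, NAT0 inserted as line 1 ahead of the static rule.
FIXED_ORDER = [NAT0_VPN, STATIC_TWICE, DYN_PAT]
# 3) The split Jouni recommends: static NAT as object NAT (Section 2), NAT0 as
#    twice NAT (Section 1), default PAT as twice NAT "after-auto" (Section 3).
RECOMMENDED = [STATIC_OBJECT, NAT0_VPN, DYN_PAT]

if __name__ == "__main__":
    for label, rules in (("bad", BAD_ORDER), ("fixed", FIXED_ORDER), ("split", RECOMMENDED)):
        print(label, translated_source(rules, "10.10.10.5", "192.168.50.7"),
              translated_source(rules, "10.10.10.5", "198.51.100.9"))
```

In the "split" layout the list order of the static and NAT0 rules no longer matters, because the section decides which is evaluated first.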