01-02-2013 07:57 AM - edited 03-11-2019 05:42 PM
Hello all,
I think the title says everything, but I will go into more detail. I want to define an auto NAT as kind of a catch-all for the 10.0.0.0 /8 subnet. This would be a PAT to the outside interface and look similar to this.
object network NAT-INSIDE-10.0.0.0
subnet 10.0.0.0 255.0.0.0
nat (inside,outside) dynamic interface
However, I want a more specific NAT for servers in this range, because in reality the 10.0.0.0 /8 subnet is broken into several /16 blocks. An example of this would be a server at 10.6.240.1
object network NAT-SRV-10.6.240.1
host 10.6.240.1
nat (inside,outside) static x.x.x.x
Which would take precedence in this situation? Would I get the static NAT I am looking for in this situation or would it get caught by the other auto NAT statement? I would lab this up, but I do not have an ASA to readily do this at the moment. Is there a better way to do this? I'm open to suggestion so please feel free to say what you want.
Thanks in advance!
01-02-2013 08:01 AM
Hi,
I would remove the default PAT rule and configure it again with a "minor" modification
object-group network DEFAULT-PAT-SOURCE
description Default PAT Source Networks
network-object 10.0.0.0 255.0.0.0
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
With the above configuration the Static NAT configuration (under the object) would always take precedence over the Default PAT rule.
The above object-group is not mandatory really but I like configuring it that way since it gives me the option to add/change several source networks without removing any configurations in the process.
If you would like to widen the application of the Default PAT rule even further, you could configure "any" instead of "inside", which enables you to configure source networks in the "object-group" no matter which interface has a route for them.
- Jouni
01-02-2013 08:43 AM
Also,
The way you have configured the PAT it would seem that it will not overrule the Static NAT in that format. I would still suggest using the format that I described above.
I personally use "object NAT" for Static NAT and Port Forward configurations.
Default PAT configurations I handle like in the above post.
And special situations, for example NAT for VPN or Policy NAT (not called that in the new software anymore I guess)
VPN (NAT0/NAT Exempt)
object network LAN
subnet 10.10.10.0 255.255.255.0
object network VPN-POOL
subnet 10.10.20.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
Policy NAT
object network DESTINATION
host 8.8.8.8
object network HOST-LOCAL
host 10.10.10.10
object network HOST-MAPPED
host 1.2.3.4
nat (inside,outside) source static HOST-LOCAL HOST-MAPPED destination static DESTINATION DESTINATION
- Jouni
01-02-2013 11:27 AM
Hello Jouni,
Thank you for the quick response. I do like your solution for a default PAT and will probably end up doing it that way. Do you happen to know what the processing order is for NAT commands in the same section? Or maybe point me to some documentation that would have the information? I am really curious as to whether all static object NAT statements are processed first or if it is just by running-config order.
Best regards!
01-02-2013 12:14 PM
Hi,
I suggest reading through the ASA configuration guide for your software.
Here's a quote from the 8.4 version which includes pretty much all the information you need
NAT Rule Order
Network object NAT rules and twice NAT rules are stored in a single table that is divided into three sections. Section 1 rules are applied first, then section 2, and finally section 3. Table 29-1 shows the order of rules within each section.
The Default PAT I mentioned is moved to Section 3 with "after-auto" to my understanding.
The whole document can be found for example at
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wp1118157
- Jouni
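To make the ordering discussed in this thread concrete, here is an added example (written for this page, not code from the thread, from Cisco, or from the ASA) that models the three-section NAT table from the configuration guide quoted above and walks it first-match for a given real source and destination. It reuses the object names from the posts above; the Section 2 sort (static before dynamic, then fewest real addresses, then lowest real IP, then object name) is the order the guide's table describes for network object NAT, while Sections 1 and 3 keep running-config order. It covers both the original question (two object NAT rules), the "after-auto" layout from the accepted answer, and the policy NAT rule from the earlier post; the labels "HOST-LOCAL->HOST-MAPPED" and "LAN-PAT" are hypothetical names chosen for this example, and the model only decides which rule matches, not what the translated address becomes.

```python
"""Model of the ASA NAT rule table order: Section 1 (twice NAT), Section 2
(network object NAT), Section 3 (twice NAT with "after-auto").
Illustrative model added for this thread; not ASA code."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class NatRule:
    name: str                           # object name (Section 2) or a label (Sections 1/3)
    real: IPv4Network                   # real (pre-NAT) source addresses
    mode: str                           # "static" or "dynamic"
    twice: bool = False                 # True for "nat (x,y) source ..." twice NAT
    after_auto: bool = False            # twice NAT with "after-auto" lands in Section 3
    dest: Optional[IPv4Network] = None  # destination match for twice NAT; None = any
    order: int = 0                      # position in the running-config

    @property
    def section(self) -> int:
        if not self.twice:
            return 2
        return 3 if self.after_auto else 1


def section2_key(r: NatRule):
    """Section 2 order from the guide: static before dynamic, then fewer real
    addresses (more specific) first, then lower real IP, then object name."""
    return (0 if r.mode == "static" else 1,
            r.real.num_addresses,
            int(r.real.network_address),
            r.name)


def build_table(rules: List[NatRule]) -> List[NatRule]:
    """Order rules the way the ASA evaluates them: Section 1, then 2, then 3.
    Sections 1 and 3 keep running-config order; Section 2 ignores it."""
    table: List[NatRule] = []
    for sec in (1, 2, 3):
        in_sec = [r for r in rules if r.section == sec]
        in_sec.sort(key=section2_key if sec == 2 else (lambda r: r.order))
        table.extend(in_sec)
    return table


def lookup(table: List[NatRule], src: str, dst: Optional[str] = None) -> Optional[NatRule]:
    """First-match walk of the ordered table for a real source and optional destination."""
    s = ip_address(src)
    d = ip_address(dst) if dst else None
    for r in table:
        if s not in r.real:
            continue
        if r.dest is not None and (d is None or d not in r.dest):
            continue
        return r
    return None


def first_match_name(rules: List[NatRule], src: str, dst: Optional[str] = None) -> Optional[str]:
    hit = lookup(build_table(rules), src, dst)
    return hit.name if hit else None


# The original question: both rules are object NAT, so both sit in Section 2.
OP_RULES = [
    NatRule("NAT-INSIDE-10.0.0.0", ip_network("10.0.0.0/8"), "dynamic", order=1),
    NatRule("NAT-SRV-10.6.240.1", ip_network("10.6.240.1/32"), "static", order=2),
]

# The suggested layout: object static NAT in Section 2, catch-all PAT pushed to Section 3.
AFTER_AUTO_RULES = [
    NatRule("NAT-SRV-10.6.240.1", ip_network("10.6.240.1/32"), "static", order=1),
    NatRule("DEFAULT-PAT-SOURCE", ip_network("10.0.0.0/8"), "dynamic",
            twice=True, after_auto=True, order=2),
]

# Caveat: the same twice-NAT catch-all without "after-auto" lands in Section 1
# and is evaluated before every object NAT rule, shadowing the static NAT.
SHADOWING_RULES = [
    NatRule("NAT-SRV-10.6.240.1", ip_network("10.6.240.1/32"), "static", order=1),
    NatRule("DEFAULT-PAT-SOURCE", ip_network("10.0.0.0/8"), "dynamic",
            twice=True, after_auto=False, order=2),
]

# Policy NAT from the earlier post: a Section 1 rule that only matches traffic to
# 8.8.8.8, plus a hypothetical dynamic object PAT ("LAN-PAT") for the rest of the LAN.
POLICY_RULES = [
    NatRule("HOST-LOCAL->HOST-MAPPED", ip_network("10.10.10.10/32"), "static",
            twice=True, dest=ip_network("8.8.8.8/32"), order=1),
    NatRule("LAN-PAT", ip_network("10.10.10.0/24"), "dynamic", order=2),
]
```

Running `first_match_name(SHADOWING_RULES, "10.6.240.1")` shows the practical caveat behind the accepted answer: a catch-all written as twice NAT must carry "after-auto", or it is evaluated in Section 1 ahead of every object NAT rule and silently swallows the static translation for the server.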
01-02-2013 01:12 PM
Yes, this was exactly what I was looking for. Thank you very much!