Two matching auto/object NAT statements: which one takes precedence?

Alan Herriman (Level 1)

Hello all,

I think the title says everything, but I will go into more detail. I want to define an auto NAT as kind of a catch-all for the 10.0.0.0/8 subnet. This would be a PAT to the outside interface and look similar to this:

object network NAT-INSIDE-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic interface

However, I want a more specific NAT for servers in this range, because in reality the 10.0.0.0/8 subnet is broken into several /16 blocks. An example of this would be a server at 10.6.240.1:

object network NAT-SRV-10.6.240.1
 host 10.6.240.1
 nat (inside,outside) static x.x.x.x

Which would take precedence in this situation? Would I get the static NAT I am looking for, or would it get caught by the other auto NAT statement? I would lab this up, but I do not have an ASA readily available at the moment. Is there a better way to do this? I'm open to suggestions, so please feel free to say what you want.

Thanks in advance!


Jouni Forss (VIP Alumni)

Hi,

I would remove the default PAT rule and configure it again with a "minor" modification:

object-group network DEFAULT-PAT-SOURCE
 description Default PAT Source Networks
 network-object 10.0.0.0 255.0.0.0

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

With the above configuration the Static NAT configuration (under the object) would always take precedence over the Default PAT rule.

The above object-group is not really mandatory, but I like configuring it that way since it gives me the option to add/change several source networks without removing any configurations in the process.

If you would like to widen the application of the Default PAT rule even further, you could configure "any" instead of "inside", which enables you to configure source networks in the "object-group" no matter which interface had a route for them.

- Jouni

Also,

The way you have configured the PAT, it would seem that it will not overrule the Static NAT in that format. I would still suggest using the format that I described above.

I personally use "object NAT" for Static NAT and Port Forward configurations.

Default PAT configurations I handle like in the above post.

And special-type situations, for example NAT for VPN or Policy NAT (not called that in the new software anymore, I guess):

VPN (NAT0/NAT Exempt)

object network LAN
 subnet 10.10.10.0 255.255.255.0

object network VPN-POOL
 subnet 10.10.20.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

  • The above would basically make sure that the LAN and VPN-POOL subnets could communicate without NAT being done to their original IP addresses.

Policy NAT

  • In essence the same as the above

object network DESTINATION
 host 8.8.8.8

object network HOST-LOCAL
 host 10.10.10.10

object network HOST-MAPPED
 host 1.2.3.4

nat (inside,outside) source static HOST-LOCAL HOST-MAPPED destination static DESTINATION DESTINATION

  • The above would create a NAT rule that would give a different public IP address (for example) to a single local host IF it was attempting to connect to the host configured under the DESTINATION object. Other destination hosts or networks would still hit the default PAT rule.

- Jouni

Hello Jouni,

Thank you for the quick response. I do like your solution for a default PAT and will probably end up doing it that way. Do you happen to know what the processing order is for NAT commands in the same section? Or maybe point me to some documentation that would have the information? I am really curious as to whether all static object NAT statements are processed first, or if it is just by running-config order.

Best regards!

Hi,

I suggest reading through the ASA configuration guide for your software.

Here's a quote from the 8.4 version which includes pretty much all the information you need:

NAT Rule Order

Network object NAT rules and twice NAT rules are stored in a single table that is divided into three sections. Section 1 rules are applied first, then section 2, and finally section 3. Table 29-1 shows the order of rules within each section.

Table 29-1 NAT Rule Table (columns: Table Section | Rule Type | Order of Rules within the Section)

Section 1

Twice NAT

Applied on a first match basis, in the order they appear in the configuration. By default, twice NAT rules are added to section 1.

Note: If you configure EasyVPN remote, the ASA dynamically adds invisible NAT rules to the end of this section. Be sure that you do not configure a twice NAT rule in this section that might match your VPN traffic, instead of matching the invisible rule. If VPN does not work due to NAT failure, consider adding twice NAT rules to section 3 instead.

Section 2

Network object NAT

Section 2 rules are applied in the following order, as automatically determined by the ASA:

1. Static rules.

2. Dynamic rules.

Within each rule type, the following ordering guidelines are used:

a. Quantity of real IP addresses—From smallest to largest. For example, an object with one address will be assessed before an object with 10 addresses.

b. For quantities that are the same, then the IP address number is used, from lowest to highest. For example, 10.1.1.0 is assessed before 11.1.1.0.

c. If the same IP address is used, then the name of the network object is used, in alphabetical order. For example, abracadabra is assessed before catwoman.

Section 3

Twice NAT

Section 3 rules are applied on a first match basis, in the order they appear in the configuration. You can specify whether to add a twice NAT rule to section 3 when you add the rule.

The Default PAT I mentioned is moved to Section 3 with "after-auto" to my understanding.

The whole document can be found, for example, at

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wp1118157

- Jouni
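The quoted Table 29-1 is an ordering algorithm, so it can be modelled and checked. The Python script below is an added example, not part of the thread or of any Cisco software: it builds the three-section NAT table exactly as the quote describes (section 1 and 3 in configuration order, section 2 static before dynamic, then fewest real addresses, lowest real IP, object name) and does a first-match lookup for the flows discussed above. It is a deliberately simplified model: it matches on real source and destination only and ignores interface pairs, port translation and the mapped side. The rule names, networks and the x.x.x.x mapped address are taken from the posts (x.x.x.x stays the placeholder it is), and the flows used as input are constructed for the example.

```python
"""Model of the ASA NAT rule table from Table 29-1 (constructed example, not ASA code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    name: str
    real: str                        # real (pre-NAT) source network, e.g. "10.0.0.0/8"
    kind: str                        # "static" or "dynamic"
    section: int                     # 1 = twice NAT, 2 = object NAT, 3 = twice NAT after-auto
    mapped: str                      # mapped address, or "interface" for PAT to the interface
    destination: str = "0.0.0.0/0"   # twice NAT destination match; object NAT matches any
    order: int = 0                   # running-config position (used in sections 1 and 3 only)


def section2_key(rule):
    """Object NAT ordering from Table 29-1: static before dynamic, then
    fewest real addresses, then lowest real IP, then object name."""
    net = ipaddress.ip_network(rule.real)
    return (0 if rule.kind == "static" else 1,
            net.num_addresses,
            int(net.network_address),
            rule.name)


def build_table(rules):
    """Assemble the single NAT table: section 1, then section 2, then section 3."""
    sec1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.order)
    sec2 = sorted((r for r in rules if r.section == 2), key=section2_key)
    sec3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.order)
    return sec1 + sec2 + sec3


def table_order(rules):
    """Names of the rules in the order the ASA would evaluate them."""
    return [r.name for r in build_table(rules)]


def match(table, src, dst):
    """First-match lookup: name of the rule that would translate src -> dst, or None."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in table:
        if (src_ip in ipaddress.ip_network(rule.real)
                and dst_ip in ipaddress.ip_network(rule.destination)):
            return rule.name
    return None


# Scenario A: the original question, both rules as object (auto) NAT in section 2.
# Config order deliberately lists the /8 PAT first; section 2 ignores that order.
ORIGINAL = [
    NatRule("NAT-INSIDE-10.0.0.0", "10.0.0.0/8", "dynamic", 2, "interface", order=1),
    NatRule("NAT-SRV-10.6.240.1", "10.6.240.1/32", "static", 2, "x.x.x.x", order=2),
]

# Scenario B: default PAT moved to section 3 with "after-auto", plus the
# policy NAT (twice NAT in section 1) from the same thread.
WITH_AFTER_AUTO = [
    NatRule("POLICY-NAT-HOST-LOCAL", "10.10.10.10/32", "static", 1, "1.2.3.4",
            destination="8.8.8.8/32", order=1),
    NatRule("NAT-SRV-10.6.240.1", "10.6.240.1/32", "static", 2, "x.x.x.x"),
    NatRule("DEFAULT-PAT-SOURCE", "10.0.0.0/8", "dynamic", 3, "interface", order=1),
]

if __name__ == "__main__":
    # Constructed flows: the server from the question, another 10/8 host,
    # and the policy-NAT host going to 8.8.8.8 and to an unrelated destination.
    flows = [("10.6.240.1", "1.1.1.1"), ("10.6.1.1", "1.1.1.1"),
             ("10.10.10.10", "8.8.8.8"), ("10.10.10.10", "1.1.1.1")]
    for label, rules in (("original", ORIGINAL), ("after-auto", WITH_AFTER_AUTO)):
        table = build_table(rules)
        print(f"{label} table order: {table_order(rules)}")
        for src, dst in flows:
            print(f"  {src} -> {dst}: {match(table, src, dst)}")
```

Running it shows why both answers in the thread agree: even with both rules left as object NAT in section 2, the /32 static rule sorts ahead of the /8 dynamic PAT (static before dynamic, then fewest real addresses), so the server keeps its static translation; moving the default PAT to section 3 with after-auto simply makes that outcome independent of whatever object NAT rules are added later. The policy NAT host hits the section 1 rule only when its destination is 8.8.8.8 and falls through to the default PAT otherwise.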

Yes, this was exactly what I was looking for. Thank you very much!
