03-27-2013 06:51 AM - edited 03-11-2019 06:20 PM
Hi guys,
As part of our PCI compliance, we were required to add a line to all of our ACLs in our ASA 5520 running version 8.2(3). Though there is an implicit deny all, we had to add a line to deny from any source to any destination.
We had no problems in adding the additional deny all statements except for our NAT access-list. This NAT access list is used for our internet connection.
Currently, the NAT ACL has 4 entries to permit from a specified source to destination any. This ACL is then called on our NAT statement.
nat (inside) 1 access-list NAT
Also, note that NAT control is in place and we also have NAT zero statements for our VPN connections.
So to fulfill our requirements, we just had to add another line to our ACL entries. But we encountered an issue with our NAT acl.
"access-list NAT line 100 extended deny ip any any"
After applying that statement above, our users can't access the internet anymore. Upon checking the running-config, the NAT statements were gone. My colleague tried adding the NAT statement, but it won't accept it. We had to revert it back for our users to gain access to the internet again.
So currently, all the deny all statements for our ACLs are in place except the NAT ACL. I wasn't there, so I wasn't able to see the exact error messages.
Has anyone experienced this?
03-27-2013 06:59 AM
Hi,
You can't use "deny" statements in policy NAT configurations, which you are using in your default PAT or NAT rule (I can't see the "global" configuration line).
If you really want to control the source IP addresses that will be NATed/PATed, then you can simply use multiple "nat" lines with the same ID number for the NAT configuration. This would let you control which source IP addresses fit the translation rule.
- Jouni
03-27-2013 07:17 AM
Hi,
I am still trying to find the Cisco document to give you the exact section where Cisco states that "deny" can't be used in policy-type NATs/PATs. It can be used in NAT 0 configurations but NOT in policy NAT/PAT configurations.
Basically, this PAT configuration:
global (outside) 1 1.1.1 netmask 255.255.255.255
global (backup-isp) 1 interface
nat (inside) 1 access-list NAT
access-list NAT extended permit ip 172.28.2.0 255.255.255.0 any
access-list NAT extended permit ip 192.168.145.0 255.255.255.0 any
access-list NAT extended permit ip 10.250.32.0 255.255.248.0 any
access-list NAT extended permit ip host 192.168.30.253 any
access-list NAT extended permit ip 172.28.4.0 255.255.255.0 any
could also be done like this:
global (outside) 1 1.1.1 netmask 255.255.255.255
global (backup-isp) 1 interface
nat (inside) 1 172.28.2.0 255.255.255.0
nat (inside) 1 192.168.145.0 255.255.255.0
nat (inside) 1 10.250.32.0 255.255.248.0
nat (inside) 1 192.168.30.253 255.255.255.255
nat (inside) 1 172.28.4.0 255.255.255.0
- Jouni
03-29-2013 03:23 PM
Hi,
It's actually mentioned in some old Command References, though when I checked the same command for other software versions it doesn't list this anymore, even though I presume it still applies.
Here's the section that mentions the use of "deny" in NAT-related ACLs. See the part describing the "access-list" keyword.
nat
Associate a network with a pool of global IP addresses.
[no] nat [(local_interface)] id local_ip [mask [dns] [outside | [norandomseq] [max_conns [emb_limit]]]]
[no] nat [(local_interface)] id access-list acl_name [dns] [outside | [norandomseq] [max_conns [emb_limit]]]
[no] nat [(local_interface)] 0 access-list acl_name [outside]
clear nat
show nat
Syntax Description
access-list
Lets you identify local traffic for network address translation (NAT) by specifying the local and destination addresses (or ports). This feature is known as policy NAT.
Note: Use NAT exemption (nat 0 access-list) with the ACL deny statement but not with policy NAT. Use port selectors with policy NAT but not with NAT exemption. You can only include permit statements in the access list. Local traffic is matched to the first matching policy NAT statement. See the "Order of NAT Commands Used to Match Local Addresses" section for more information.
Source:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129
And it's "he", not "she".
- Jouni
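A small lint in Python, added here as an example and not part of the original thread or of any Cisco tool, that encodes the command-reference rule Jouni quotes above (deny ACEs are honoured in an ACL used by nat 0, but an ACL used by policy NAT may contain only permit statements) and performs the rewrite from his earlier post (a source-only policy NAT ACL turned into per-network nat lines with the same ID). The sample configuration is constructed from the addresses posted in this thread; the NONAT entries are made up, since the thread never shows them. Function names and message wording are my own.

```python
"""Lint a pre-8.3 ASA/PIX NAT configuration for deny ACEs in policy NAT ACLs.

Added example, not from the original thread. It encodes the rule quoted from the
PIX/ASA command reference: an ACL referenced by 'nat (ifc) <id> access-list <acl>'
with id != 0 (policy NAT) may contain only permit statements, while
'nat (ifc) 0 access-list <acl>' (NAT exemption) may also contain deny statements.
It also rewrites a source-only policy NAT ACL into the equivalent per-network
'nat (ifc) <id> <net> <mask>' lines suggested in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# 'nat (inside) 1 access-list NAT' (policy NAT) or 'nat (inside) 0 access-list NONAT' (exemption)
NAT_ACL_RE = re.compile(r"^nat \((?P<ifc>[\w-]+)\) (?P<id>\d+) access-list (?P<acl>\S+)")
# Simple IP ACEs only: 'access-list X extended permit|deny <proto> <src> <dst>', where an
# address is 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'. Port-qualified ACEs are skipped.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ADDR = rf"(?:host {IP}|any|{IP} {IP})"
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    rf"(?P<src>{ADDR}) (?P<dst>{ADDR})$"
)


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str   # 'permit' or 'deny'
    proto: str
    src: str      # 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'
    dst: str


@dataclass
class NatConfig:
    policy_nat: dict[str, list[tuple[str, int]]]  # acl -> [(interface, nat id != 0)]
    exemption: dict[str, list[str]]               # acl -> [interface] for nat 0
    aces: dict[str, list[Ace]]


def parse_config(config: str) -> NatConfig:
    """Collect nat/access-list bindings and the ACEs of every ACL; ignore other lines."""
    cfg = NatConfig({}, {}, {})
    for raw in config.splitlines():
        line = raw.strip()
        m = NAT_ACL_RE.match(line)
        if m:
            if m["id"] == "0":
                cfg.exemption.setdefault(m["acl"], []).append(m["ifc"])
            else:
                cfg.policy_nat.setdefault(m["acl"], []).append((m["ifc"], int(m["id"])))
            continue
        m = ACE_RE.match(line)
        if m:
            cfg.aces.setdefault(m["acl"], []).append(
                Ace(m["acl"], m["action"], m["proto"], m["src"], m["dst"]))
    return cfg


def find_violations(config: str) -> list[str]:
    """One message per deny ACE in an ACL bound to policy NAT (id != 0).
    Deny ACEs in NAT-exemption ACLs (nat 0) are legitimate and are not reported."""
    cfg = parse_config(config)
    problems = []
    for acl, refs in cfg.policy_nat.items():
        for ace in cfg.aces.get(acl, []):
            if ace.action != "deny":
                continue
            for ifc, nat_id in refs:
                problems.append(
                    f"access-list {acl}: 'deny {ace.proto} {ace.src} {ace.dst}' is not allowed; "
                    f"the ACL is referenced by policy NAT 'nat ({ifc}) {nat_id} access-list {acl}', "
                    "which accepts only permit statements (deny is valid only under nat 0)"
                )
    return problems


def to_nat_lines(config: str, acl: str) -> list[str]:
    """Rewrite a source-only policy NAT ACL as plain 'nat (ifc) id net mask' lines.

    Only possible when every permit ACE is 'ip <source> any'; an ACE that matches a
    destination or port needs policy NAT and cannot be expressed this way, so refuse.
    Deny ACEs are dropped: they have no effect in policy NAT, so nothing is lost."""
    cfg = parse_config(config)
    lines = []
    for ifc, nat_id in cfg.policy_nat.get(acl, []):
        for ace in cfg.aces.get(acl, []):
            if ace.action == "deny":
                continue
            if ace.proto != "ip" or ace.dst != "any":
                raise ValueError(f"{acl}: '{ace.proto} {ace.src} {ace.dst}' needs policy NAT")
            if ace.src == "any":
                net, mask = "0.0.0.0", "0.0.0.0"
            elif ace.src.startswith("host "):
                net, mask = ace.src.split()[1], "255.255.255.255"
            else:
                net, mask = ace.src.split()
            lines.append(f"nat ({ifc}) {nat_id} {net} {mask}")
    return lines


# Constructed from the configuration posted in the thread. The NONAT contents are
# made up (the thread never shows them); the last NAT line is the one the poster tried to add.
SAMPLE_CONFIG = """\
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list NAT
nat (inside) 2 10.105.11.200 255.255.255.255
global (outside) 1 1.1.1 netmask 255.255.255.255
global (backup-isp) 1 interface
global (backup-isp) 2 2.2.2 netmask 255.255.255.255
access-list NONAT extended permit ip 172.28.2.0 255.255.255.0 10.200.0.0 255.255.0.0
access-list NONAT extended deny ip any any
access-list NAT extended permit ip 172.28.2.0 255.255.255.0 any
access-list NAT extended permit ip 192.168.145.0 255.255.255.0 any
access-list NAT extended permit ip 10.250.32.0 255.255.248.0 any
access-list NAT extended permit ip host 192.168.30.253 any
access-list NAT extended permit ip 172.28.4.0 255.255.255.0 any
access-list NAT extended deny ip any any
"""

if __name__ == "__main__":
    for problem in find_violations(SAMPLE_CONFIG):
        print("VIOLATION:", problem)
    print("Equivalent nat lines for ACL NAT:")
    print("\n".join(to_nat_lines(SAMPLE_CONFIG, "NAT")))
```

Run against a candidate configuration before pushing it, the lint flags the deny in the policy NAT ACL while leaving the one in the nat 0 ACL alone, and prints the nat lines that make the policy NAT ACL unnecessary, which is the approach Jouni recommends.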
03-27-2013 07:11 AM
Thanks for the response. Here's the additional info:
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list NAT
nat (inside) 2 10.105.11.200 255.255.255.255
global (outside) 1 1.1.1 netmask 255.255.255.255
global (backup-isp) 1 interface
global (backup-isp) 2 2.2.2 netmask 255.255.255.255
So we can't add the deny all to the "NAT" ACL, right? Currently, our NAT ACL has these entries:
access-list NAT extended permit ip 172.28.2.0 255.255.255.0 any
access-list NAT extended permit ip 192.168.145.0 255.255.255.0 any
access-list NAT extended permit ip 10.250.32.0 255.255.248.0 any
access-list NAT extended permit ip host 192.168.30.253 any
access-list NAT extended permit ip 172.28.4.0 255.255.255.0 any
03-27-2013 07:29 AM
Thanks for this, Jouni. I was able to read that document earlier when I was skimming through Google search results. I can't find it again, though. Please share it with me once you're able to locate it so I can share it with my colleagues. Thanks.
03-27-2013 07:07 AM
Hello,
The "implicit deny all" applies to an ACL on the interface, not in general. If you have an ACL matching source/destination IP against a NAT rule, everything that is not included in the ACL will be dropped by the ASA in the NAT phase. If the deny statement was added at the end of the ACLs, it shouldn't affect your users, since the permit rules come first.
We need to look at the NAT and ACLs while the problem is happening; otherwise it's hard to give a full diagnosis or find the root cause.
In other words, if the deny ip any any rule is at the end, it shouldn't affect your network operation and internet access.
Regards,
Juan Lombana
Please rate helpful posts.
03-27-2013 07:25 AM
Perhaps the reason the users were affected was that, when my colleague checked the running config after adding the deny statement to the NAT ACL, the "nat (inside) 1 access-list NAT" line had apparently been removed. And when he tried adding that statement back, the CLI wouldn't allow it. He had to remove the deny statement from the NAT ACL before he could add the policy NAT entry.
I've read somewhere that we can't apply "deny" statements to a NAT ACL. I'm trying to find it again, though.
03-27-2013 07:50 AM
You can apply a "deny" ACE; however, it never takes effect, since it doesn't work on policy NAT. My point was that since it doesn't take effect, it shouldn't affect your network operation.
Regards,
Juan Lombana
03-29-2013 02:54 PM
Apparently, when we apply the deny statement to the NAT ACL, the NAT policy is removed from the running config. When you try to add it back to the running config, it doesn't accept the command. We have to remove the deny statement from the NAT ACL before the ASA will accept the NAT policy configuration.
Perhaps Jouni might be right, though she's still looking for the document to supplement this.
03-30-2013 02:05 PM
Oh, sorry bro.
Thank you so much for the reference.