986 Views
5 Helpful
11 Replies
Beginner

what are basic differences between Object Network NAT and Twice NAT

What are the basic differences between Object Network NAT and Twice NAT?

When implementing, which one is better?

Hall of Fame Guru

If you are interested in the differences in configuration and when to use one or the other, have a look at this document, which is an excellent overview of NAT post-8.3 covering both types and where to use which:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Jon

Rising star

Twice NAT NATs the source and the destination, so there are two NATs taking place.

There is a good visual at the link below.

https://www.fir3net.com/Firewalls/Cisco/cisco-asa-twice-nat.html

Whereas object network NAT is just one NAT, in either direction of the traffic flow.

Example: your home computers on the private subnet access the Internet NATed to a public address.

 

Hope that answers your question.

Thanks

Rizwan Rafeek.
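The two flavours side by side on one ASA, as an added example that is not part of the reply above, written in post-8.3 syntax. The interface names (inside, outside), the object names and the RFC 5737 documentation addresses are all assumed for illustration. The object NAT rule lives inside the network object and can only ever translate that object's own address; the twice NAT rule translates the same source differently when, and only when, the destination is the partner server, and it is evaluated first because manual NAT (section 1) is checked before object NAT (section 2), first match wins.

```cisco
! Added example, not from the original post. Interface names (inside/outside),
! object names and the RFC 5737 documentation addresses are assumptions.

! --- Object (auto) NAT: one translation, attached to the object ---
! Every host in 192.168.1.0/24 going from inside to outside is PATed to the
! outside interface address, whatever the destination. The rule is part of the
! object, so it can only translate this object's own address (source only).
object network inside-lan
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! --- Twice (manual) NAT: source and destination translated in one rule ---
! A partner reaches us through 203.0.113.10 and publishes its server to us as
! 198.51.100.5, while the server's real address is 10.9.9.5 (all assumed).
object network partner-pat-addr
 host 203.0.113.10
object network partner-server-mapped
 host 198.51.100.5
object network partner-server-real
 host 10.9.9.5

! Source: real inside-lan -> mapped partner-pat-addr (dynamic PAT).
! Destination: mapped partner-server-mapped -> real partner-server-real (static),
! i.e. our hosts connect to 198.51.100.5 and the packet leaves for 10.9.9.5.
! Note the "mapped real" order of the destination objects in twice NAT.
nat (inside,outside) source dynamic inside-lan partner-pat-addr destination static partner-server-mapped partner-server-real

! Rule order matters: manual NAT (section 1) is evaluated before object NAT
! (section 2), first match wins, so partner-bound flows hit the twice NAT rule
! and everything else falls through to the object NAT rule. Check the sections:
show nat
! Confirm a partner-bound packet hits the twice NAT rule (client 192.168.1.10 assumed):
packet-tracer input inside tcp 192.168.1.10 40000 198.51.100.5 443
! And that an Internet-bound packet (192.0.2.80 assumed) hits the object NAT rule instead:
packet-tracer input inside tcp 192.168.1.10 40001 192.0.2.80 443
```

The two packet-tracer runs are the check worth keeping: the NAT phase of each output names the rule that matched, so if the partner flow shows the object NAT rule, the twice NAT rule is either mis-ordered or its destination object does not match what the clients actually dial.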

 

Beginner

Good day,

I have some issues with NAT as well.

I am experiencing an issue which relates to twice NAT.

Two environments are set up with the same subnet IDs. Now the requirement is that a host in Environment A needs to talk to a host in Environment B.

The real source (x.x.x.x) and destination (x.x.x.x) IPs belong to the same subnet, and a NAT already exists to translate the destination subnet's IPs to other IPs (y.y.y.y) so they can talk to other networks.

Requirement:

Host 1.1.1.1/24 in Environment A needs to talk to node 1.1.1.20/24 in Environment B.

The Environment B inside interface of the ASA (image 9.13) is already translating 1.1.1.20/24 to 3.3.3.20/24 using static NAT, entering from the outside interface.

If you have any solution to it let me know.


What I tried to do to achieve this:

nat (Test_Env,Eng_Test) source dynamic obj_1.1.1.1 interface destination static obj_10.1.1.20 obj_1.1.1.20 service FTP FTP

No success yet.

NB: Attached is the layout for better understanding, if that helps.


Warm Regards,

 

Rising star

Hello Br. Qutub,

"Host 1.1.1.1/24 in Environment A needs to talk to node (1.1.1.20/24) in Environment B"

You use dynamic NAT of subnet 1.1.1.0/24 to access the host inside.

 

object-group network 1.1.1.0-24
 network-object 1.1.1.0 255.255.255.0


object-group network host-10.1.1.20
 network-object host 10.1.1.20

nat (outside,inside) source dynamic 1.1.1.0-24 interface destination static host-10.1.1.20 host-10.1.1.20

 

 

Beginner

Salaam Bro Rizwan,

I have made a similar kind of NAT config, as mentioned in my attached layout, except for the last bit, where you are using the same mapped destination instead of the real destination (1.1.1.20) as prescribed in the syntax.

Could you please re-affirm?

 

nat (outside,inside) source dynamic 1.1.1.0-24 interface destination static host-10.1.1.20 host-10.1.1.20

 

 

 

Rising star

I found this statement on the diagram you attached: "1.1.1.0/24 NAT static NAT for individual IP’s to 10.1.1.0/24"

If that is not what you would like to accomplish, then you could use twice NAT; it becomes a one-to-one mapping. Let's say IP 3.3.3.3 is mapped to 1.1.1.20 at environment B, and so the twice NAT below should work for access if you configure it on the ASA located at environment A.

 

object network virtual-destination
 host 3.3.3.3

object network host-at-envior-b
 host 1.1.1.20


object network PAT-4.4.4.4
 host 4.4.4.4
 


 
nat (Eng-live,Env-A-Live) source dynamic any PAT-4.4.4.4 destination static virtual-destination host-at-envior-b

I assume Eng-live = outside and Env-A-Live = inside, as per your attached diagram.

Hope that helps.

Thanks

 

 

Beginner

Yes, this statement is pretty much correct.

"1.1.1.0/24 NAT static NAT for individual IP’s to 10.1.1.0/24"

Usually hosts from Env B talk to other subnets and areas, which is covered through NAT (one-to-one) like:

Env B:

IP 1.1.1.1 NAT to 10.1.1.1

1.1.1.2 NAT to 10.1.1.2, and so on.

Interfaces on the FW for Env B are:

Outside = Test_Env

Inside = Eng_Test

Env A:

Talks to other subnets and environments. But this request turns out to be more unusual than normal: it requires Env A IPs 1.1.1.1 - 3 to talk to 1.1.1.20 in Env B.

NAT is happening only on the Env B FW. I hope this gives more understanding of the requirement.

 

 

 

Rising star

Have you tried the below?

object network virtual-destination
 host 3.3.3.3

object network host-at-envior-b
 host 1.1.1.20


object network PAT-4.4.4.4
 host 4.4.4.4
 
 
nat (Eng-live,Env-A-Live) source dynamic any PAT-4.4.4.4 destination static virtual-destination host-at-envior-b

Beginner

What you are asking me to do is use the source egress interface IP scheme (4.4.4.0/24) as the source, which I couldn't understand properly.

However, I did try as below, and I am still getting the same response when capturing the traffic.

nat (Test_Env,Eng_Test) source dynamic obj_1.1.1.1 interface destination static obj_10.10.0.20 obj_1.1.1.20 service FTP FTP

1: 10:57:39.436638       1.1.1.1.46694 > 1.1.1.20.21: S 2795187511:2795187511(0) win 14600 <mss 1380,sackOK,timestamp 3567444733 0,nop,wscale 7>

Test_Env is the egress interface of the Env B FW (5.5.5.0/24)

Eng_Test is the LAN interface (destination subnet) (1.1.1.0/24)

I used the object below for a new, separate NAT statement:

object network obj_10.10.0.20
 host 10.10.0.20

 

Since the FW of Env A has an ACL for:

1.1.1.1 ==> 10.1.1.20 : FTP

Whereas the FW of Env B has an ACL for:

1.1.1.1 ==> 1.1.1.20 : FTP

My understanding is that the source is actually hitting the destination (the ACL shows hits), but on the return path it finds itself in the same subnet, which doesn't allow it to get out of the box towards the source.

Normally, traffic from a different environment hitting the FW of Env B has 10.1.1.x/24 as its destination, which is eventually translated on the Env B FW from 10.1.1.x to 1.1.1.x/24.

 

 

 

Rising star

"What you are asking me to do is use the source egress interface IP scheme (4.4.4.0/24) as the source, which I couldn't understand properly."

The answer to your question is right below in your own post.

"is hitting the destination (the ACL shows hits) but on the return path it finds itself in the same subnet."

If you don't want that, then push host routes with a /32 mask to the respective firewalls individually.

Please give what I have suggested a try.

thanks

Rizwan Rafeek.
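The overlapping-subnet case discussed in the posts above, as an added example for the Env B ASA; it is not the poster's configuration and not Rizwan's. It keeps the thread's names (Test_Env = outside, Eng_Test = inside, server 1.1.1.20 published as 10.1.1.20) and assumes the existing publication is object NAT; the 10.20.0.0/24 mapped range for Env A sources, the ACL name and the svc_ftp_ctrl service object are assumptions. The point it shows is the one the thread circles: if the Env A source 1.1.1.x reaches the server untranslated, the server sees a neighbour on its own subnet and never hands the reply to the ASA, so the twice NAT rule moves the source into a range the server has to route while translating the destination back to the real server in the same rule, and the verification commands show which rule a packet actually hits.

```cisco
! Added example for the Env B ASA, not the poster's or Rizwan's configuration.
! Names from the thread: Test_Env (outside), Eng_Test (inside), server 1.1.1.20
! published as 10.1.1.20. The 10.20.0.0/24 mapped range for Env A sources, the
! ACL name and the svc_ftp_ctrl object are assumptions.

! Existing publication of the server (object NAT, section 2), assumed.
object network obj_1.1.1.20
 host 1.1.1.20
 nat (Eng_Test,Test_Env) static 10.1.1.20

! Env A's real range and the mapped range it will appear as on Eng_Test.
! Static, same-size subnets: 1.1.1.1 <-> 10.20.0.1, 1.1.1.2 <-> 10.20.0.2, ...
! A range off the server's subnet is the whole point: 10.20.0.1 is not a
! neighbour, so the server's reply goes to its gateway (the ASA) instead of ARP.
object network obj_EnvA_real
 subnet 1.1.1.0 255.255.255.0
object network obj_EnvA_mapped
 subnet 10.20.0.0 255.255.255.0
object network obj_10.1.1.20
 host 10.1.1.20
object service svc_ftp_ctrl
 service tcp destination eq ftp

! Twice NAT, placed at line 1 of section 1 so it is matched before the object
! NAT rule above. Read it from the Test_Env side:
!   source:      real 1.1.1.0/24 (Env A) -> mapped 10.20.0.0/24 (what the server sees)
!   destination: mapped 10.1.1.20 (what Env A dials) -> real 1.1.1.20 (the server)
! Limiting it to the FTP control port keeps the rule from catching other flows
! between the two identical subnets.
nat (Test_Env,Eng_Test) 1 source static obj_EnvA_real obj_EnvA_mapped destination static obj_10.1.1.20 obj_1.1.1.20 service svc_ftp_ctrl svc_ftp_ctrl

! ACLs on 8.3+ match real (untranslated) addresses, so the inbound ACL on
! Test_Env permits the real source to the real server, which is what the
! thread's own "1.1.1.1 ==> 1.1.1.20 : FTP" entry on the Env B FW already does.
access-list Test_Env_in extended permit tcp 1.1.1.0 255.255.255.0 host 1.1.1.20 eq ftp
access-group Test_Env_in in interface Test_Env

! Verification. show nat detail prints the sections in evaluation order with
! hit counts; packet-tracer replays the SYN from the capture in the thread and
! names the NAT rule and interfaces it would take; show xlate must list both
! the source and the destination translation for the flow.
show nat detail
packet-tracer input Test_Env tcp 1.1.1.1 46694 10.1.1.20 21
show xlate
```

The source translation is static one-to-one rather than PAT to the interface address so that each Env A host keeps a distinct address on the server side, which also keeps active-mode FTP data connections workable; the default `inspect ftp` in the global policy rewrites the embedded addresses in either mode. The /32 host-route suggestion in the reply above is the alternative when the source is left untranslated: a host route on the server for 1.1.1.1 via the ASA's Eng_Test address is more specific than the connected /24, so the reply is forced back to the firewall. With the source translated, the reply is addressed to 10.20.0.1 and follows the server's ordinary route.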

Beginner

Try this: https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli