what's means of "any" in "nat (inside,any)" in ASA 8.4(2)

chia hao chang (Level 1)

hi all

I am migrating my PIX configuration to ASA 8.4(2)

with my old nat configuration

I don't want the traffic matching ACL inside_outbound_nat_acl from the inside interface to be NATed

ex:

access-list inside_outbound_nat_acl extended permit ip 192.168.20.0 255.255.255.0

global (outside) 1 interface

nat (inside) 1 192.168.10.0 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat_acl

I referred to the Cisco document

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60183

following the section "Multiple ACEs"

my configuration will look like below

object network obj_192.168.10.0
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network obj_inside_outbound_nat_acl
 subnet 10.1.1.0 255.255.255.0
!
nat (inside,any) source static obj_inside_outbound_nat_acl obj_inside_outbound_nat_acl no-proxy-arp route-lookup

BUT, WHY

when I configure "any" in "nat (inside,any)", I cannot type the "route-lookup" command

but when I change it to "nat (inside,outside)" then I can type the "route-lookup" command

so what does "any" mean in this command?

thanks

10 Replies

varrao (Level 10)

Hi Chia,

In 8.4.2 NAT, when the nat 0 configuration is migrated it puts an "any" keyword in it. "any" means the traffic is going from inside to any interface, it can be outside or DMZ, so you need not worry about it; you can safely remove the "any" keyword and use outside.

From the same doc:

NAT exemption (the nat 0 access-list command) is a form of policy NAT, and is converted to static twice NAT. Rules are created between the exempted interface and all lower-security level interfaces. For outside NAT, rules are created between the exempted interface and all higher-security level interfaces.

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao
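The migrated configuration with "outside" in place of the auto-generated "any", as suggested in the reply above, assembled here as an added example (it is not taken from the original post or from Cisco's documentation). The object names and the 192.168.20.0/24 exemption subnet are taken from the question's pre-8.3 config; the host 203.0.113.5 in the usage note is a constructed placeholder.

```text
! Pre-8.3 intent (from the question):
!   nat (inside) 1 192.168.10.0 255.255.255.0  + global (outside) 1 interface  -> PAT on the outside address
!   nat (inside) 0 access-list inside_outbound_nat_acl                          -> exempt 192.168.20.0/24 from NAT
!
! 8.4(2) equivalent. Dynamic PAT stays as object NAT:
object network obj_192.168.10.0
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! The exempted subnet becomes a static identity (twice) NAT rule. Using the concrete
! "outside" interface instead of "any" is what lets "route-lookup" be accepted on the CLI:
object network obj_192.168.20.0
 subnet 192.168.20.0 255.255.255.0
!
nat (inside,outside) source static obj_192.168.20.0 obj_192.168.20.0 no-proxy-arp route-lookup
!
! no-proxy-arp: the ASA must not answer ARP on the outside interface for these identity-mapped
!               addresses (an exemption rule should never make the firewall claim inside addresses).
! route-lookup:  for identity NAT in routed mode, pick the egress interface from the routing table
!                rather than from the interface named in the rule.
```

Caveat grounded in the quoted migration text: the auto-generated "any" covers every lower-security interface (on the poster's box that is outside, DMZ and VPN-BOX, not just outside), so narrowing the rule to (inside,outside) means only flows egressing outside are exempt; add an equivalent rule per interface that still needs the exemption. To confirm which rule and egress interface a flow actually hits, the standard checks on an ASA are `show nat detail` and `packet-tracer input inside tcp 192.168.20.10 1025 203.0.113.5 80` (destination constructed).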

hi Varun

thanks for your reply

Why can't I type the "route-lookup" command when I configure "nat (inside,any)"?

thanks

Hi Chia,

route-lookup

(Optional) For identity NAT in routed mode, determines the egress interface using a route lookup instead of using the interface specified in the NAT command. If you do not specify interfaces in the NAT command, a route lookup is used by default.

Here's the command reference as well:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/no.html#wp1792563

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun

I followed the Cisco document, section "Multiple ACEs"

8.4(2) and later:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60183

and I still cannot type route-lookup

please help me check it

thanks

ASA(config)#
ASA(config)# object network obj-10.1.2.0
ASA(config-network-object)#    subnet 10.1.2.0 255.255.255.0
ASA(config-network-object)# object network obj-10.1.3.0
ASA(config-network-object)#    subnet 10.1.3.0 255.255.255.0
ASA(config-network-object)# object network obj-20.2.4.0
ASA(config-network-object)#    subnet 20.2.4.0 255.255.255.0
ASA(config-network-object)# object network obj-20.2.20.0
ASA(config-network-object)#    subnet 20.2.20.0 255.255.255.0
ASA(config-network-object)#
ASA(config)# nat (inside,any) source static obj-10.1.3.0 obj-10.1.3.0 destination static obj-20.2.4.0 obj-20.2.4.0 no-proxy-arp route-lookup
              ^
ERROR: % Invalid input detected at '^' marker.
ASA(config)# nat (inside,any) source static any any destination static obj-20.2.20.0 obj-20.2.20.0 no-proxy-arp route-lookup
                           ^
ERROR: % Invalid input detected at '^' marker.
ASA(config)#

Hi Chia,

Can you share your config? How many interfaces do you have?

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun

at my user's site only interfaces G0/0, G0/1, G0/1.10 and G0/1.20 are used

the others are my lab

thanks

ASA# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         61.31.221.221   YES manual down                  down
GigabitEthernet0/1         172.31.1.254    YES manual administratively down down
GigabitEthernet0/1.10      10.181.61.254   YES manual down                  down
GigabitEthernet0/1.20      100.100.100.254 YES manual down                  down
GigabitEthernet0/2         unassigned      YES unset  down                  down
GigabitEthernet0/3         172.16.226.84   YES manual up                    up
Management0/0              192.168.1.1     YES CONFIG down                  down
ASA#

ASA# sh nameif
Interface                Name                     Security
GigabitEthernet0/0       outside                    0
GigabitEthernet0/1       inside                   100
GigabitEthernet0/1.10    DMZ                       80
GigabitEthernet0/1.20    VPN-BOX                   90
GigabitEthernet0/2       test1                      0
GigabitEthernet0/3       test2                      0
Management0/0            management               100

Can you bring all the interfaces up and try again? It should work...

-Varun

Thanks,
Varun Rao

Hi Varun

I forgot to tell you that this ASA is my customer's new machine

and it's not online now

I just want to convert the customer's old machine (PIX) to ASA now.

I brought all interfaces up

and I still cannot type the "route-lookup" command...

thanks for your patience...

as you pasted above:

route-lookup

(Optional) For identity NAT in routed mode, determines the egress interface using a route lookup instead of using the interface specified in the NAT command. If you do not specify interfaces in the NAT command, a route lookup is used by default.

when I don't specify an interface in the NAT command,

like "nat (inside,any) source static obj-10.1.2.0 obj-10.1.2.0 no-proxy-arp"

ok, the route-lookup command is used by default, so I needn't type it.

but when I configure it

and show running-config

it shows

"nat (inside,any) source static obj-10.1.2.0 obj-10.1.2.0 no-proxy-arp"

still without route-lookup at the end

is that correct?

thanks

Hi Chia,

The ASA still won't show route-lookup at the end of the nat command. It will use the routing table for a route lookup though, as per the document.

regards,

Prapanch
