Why NAT different destination static but same source static?

getaway51
Level 2

Which network will the NAT commands below translate source and destination to: net-X, net-Y or net-Z? What is the reason for so many identical "nat (inside,any) source static net-10.1.1.0 net-10.1.1.0" lines, each with a different "net-X net-X"?


nat (inside,any) source static net-10.1.1.0 net-10.1.1.0 destination static net-172.1.10 net-172.1.10 no-proxy-arp route-lookup
nat (inside,any) source static net-10.1.1.0 net-10.1.1.0 destination static net-172.27.0.0 net-172.27.0.0 no-proxy-arp route-lookup
nat (inside,any) source static net-10.1.1.0 net-10.1.1.0 destination static net-172.25.0.0 net-172.25.0.0 no-proxy-arp route-lookup

7 Replies

Francesco Molino
VIP Alumni
Hi

They look similar because these are NAT exemptions. This means traffic initiated from source 10.1.1.0 on inside will never be NATted, whichever interface the traffic goes through, as long as it goes to one of the 3 destinations configured.

Let's take an example. Let's say the subnet 172.1.10.0 is your VPN users behind the outside interface. When someone from inside reaches outside, he'll be NATted (e.g. Internet access), but when an inside user talks to a VPN user hosted on the outside, you don't want them to be NATted.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for your explanation. Technically, how should this be interpreted?
nat (inside,any) source static net-10.1.1.0 net-10.1.1.0 destination static net-172.1.10 net-172.1.10 no-proxy-arp route-lookup
1) Is this what happens?
before NAT
Source - 10.1.1.0 (inside interface), Dest - 10.1.10 (any interface)
after NAT
Source - net-172.1.10 (inside interface), Dest - net-172.1.10 (any interface)
2) Does NAT exemption mean NO NAT will happen if traffic matches these rules? Which part of the cmd represents the NAT exemption?

3) After all these "nat (inside,any) source static" lines, there is a dynamic NAT cmd afterwards. It seems like all traffic is NATted dynamically via the outside interface.
object network any-object
nat (inside,outside) dynamic interface

1. You need to interpret it this way:

Source traffic from 10.1.1.0/24 on the inside zone (I assume all your subnets are /24) to destination 172.1.10.0/24 (no matter which zone) will result, after NAT, in source 10.1.1.0/24 to destination 172.1.10.0/24.

As you can understand, the traffic won't be natted. 


2. nat (inside,any) source static net-10.1.1.0 net-10.1.1.0 destination static net-172.1.10 net-172.1.10 no-proxy-arp route-lookup

We can say this is a no-NAT rule because the real subnet and the translated subnet are equal for both source and destination.

The first net-10.1.1.0 is the real source and the second net-10.1.1.0 is the translated source. The same applies to the destination pair.


3. After these 3 NAT rules, you have dynamic NAT of traffic over the outside interface. This means that if traffic doesn't hit the first 3 rules, it is translated to the outside interface IP to be able to access the Internet.


Also, it's not recommended to keep NAT rules with an "any" statement.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

May I know what is meant by "no-proxy-arp route-lookup" in this case? When should this cmd be used? For VPN traffic?

route-lookup asks the ASA to look at the routing table to determine the egress interface, instead of using the interface mentioned in the NAT statement.
no-proxy-arp: disables proxy ARP, i.e. stops the ASA from answering ARP requests.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Ajay Saini
Level 7

Hello,

These NAT statements are bidirectional, which means that any traffic trying to reach a specific destination will be checked against that NAT statement. For example, the first NAT will hit when the destination is the net-172.1.10 subnet. And of course NAT will happen as per the double NAT:


Check this document:


https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_rules.html


Please note that this is twice NAT, which means that it will work for reverse traffic as well. The document will make things clear.


HTH

AJ
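To make Francesco's rule-by-rule interpretation and Ajay's "bidirectional" point concrete, here is an added Python model of how the ASA walks its NAT table. It is not from the thread and not Cisco code; it assumes the prefix lengths (/24 for 172.1.10.0, /16 for the two 172.x.0.0 objects), that any-object is 0.0.0.0/0, that the outside interface address is 203.0.113.1, and that the inside host is 10.1.1.5. Section 1 (the three twice-NAT lines) is checked first, top to bottom, in both directions; Section 2 (the object NAT with dynamic interface) is only reached when no Section 1 line matches, and only for inside-initiated flows.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def _map_static(addr: Addr, real: Net, mapped: Net) -> Addr:
    """Static net-to-net translation keeps the host offset within the subnet.
    For an identity rule (real == mapped) the address comes back unchanged."""
    offset = int(addr) - int(real.network_address)
    return Addr(int(mapped.network_address) + offset)


@dataclass(frozen=True)
class TwiceNat:
    """One 'nat (inside,any) source static A A destination static B B' line
    (Section 1, manual/twice NAT). Checked in configured order, both directions."""
    real_src: Net
    mapped_src: Net
    real_dst: Net
    mapped_dst: Net

    def is_identity(self) -> bool:
        # real == mapped on both sides: the "NAT exemption" / no-NAT case
        return self.real_src == self.mapped_src and self.real_dst == self.mapped_dst

    def forward(self, src: Addr, dst: Addr) -> Optional[Tuple[Addr, Addr]]:
        """Inside-initiated flow: match on real source AND real destination."""
        if src in self.real_src and dst in self.real_dst:
            return (_map_static(src, self.real_src, self.mapped_src),
                    _map_static(dst, self.real_dst, self.mapped_dst))
        return None

    def reverse(self, src: Addr, dst: Addr) -> Optional[Tuple[Addr, Addr]]:
        """Outside-initiated flow: the same line matches on the mapped
        addresses and undoes the translation (this is the 'bidirectional' part)."""
        if src in self.mapped_dst and dst in self.mapped_src:
            return (_map_static(src, self.mapped_dst, self.real_dst),
                    _map_static(dst, self.mapped_src, self.real_src))
        return None


@dataclass(frozen=True)
class DynamicPat:
    """'object network any-object' / 'nat (inside,outside) dynamic interface'
    (Section 2, object NAT). Only an inside-initiated flow can create it."""
    real_src: Net
    interface_ip: Addr


def translate(src: Addr, dst: Addr, section1: List[TwiceNat], pat: DynamicPat,
              from_inside: bool) -> Optional[Tuple[Addr, Addr, str]]:
    """Walk the table the way the ASA does: Section 1 top to bottom, then
    Section 2. Returns (translated_src, translated_dst, rule) or None."""
    for n, rule in enumerate(section1, start=1):
        hit = rule.forward(src, dst) if from_inside else rule.reverse(src, dst)
        if hit is not None:
            kind = "identity (no NAT)" if rule.is_identity() else "translated"
            return hit[0], hit[1], f"section 1 rule {n}: {kind}"
    if from_inside and src in pat.real_src:
        return pat.interface_ip, dst, "section 2: dynamic PAT to outside interface"
    return None  # no rule: e.g. an outside-initiated flow to an unexposed host


# The three lines from the question, as identity twice-NAT rules.
# Assumed prefix lengths (the thread never gives them): one /24 and two /16s.
INSIDE = Net("10.1.1.0/24")
RULES = [
    TwiceNat(INSIDE, INSIDE, Net("172.1.10.0/24"), Net("172.1.10.0/24")),
    TwiceNat(INSIDE, INSIDE, Net("172.27.0.0/16"), Net("172.27.0.0/16")),
    TwiceNat(INSIDE, INSIDE, Net("172.25.0.0/16"), Net("172.25.0.0/16")),
]
# Assumed: 'any-object' is 0.0.0.0/0 and the outside interface is 203.0.113.1.
PAT = DynamicPat(Net("0.0.0.0/0"), Addr("203.0.113.1"))


def demo():
    """Constructed sample flows; returns a list of (label, result) pairs."""
    flows = [
        ("inside host -> VPN user (rule 1 dst)", Addr("10.1.1.5"), Addr("172.1.10.7"), True),
        ("inside host -> 172.25 site (rule 3 dst)", Addr("10.1.1.5"), Addr("172.25.0.9"), True),
        ("inside host -> Internet (no Section 1 match)", Addr("10.1.1.5"), Addr("198.51.100.20"), True),
        ("VPN user -> inside host (rule 1, reverse)", Addr("172.1.10.7"), Addr("10.1.1.5"), False),
        ("Internet host -> inside host (nothing matches)", Addr("198.51.100.20"), Addr("10.1.1.5"), False),
    ]
    return [(label, translate(s, d, RULES, PAT, inside)) for label, s, d, inside in flows]


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label:48} -> {result}")
```

Running it shows the three identity lines returning the packet's own addresses, Internet-bound traffic falling through to the outside interface address, and a VPN user being able to initiate to the inside host because the identity line also matches in reverse, while an Internet host gets no rule at all. The equivalent check on a real ASA is `packet-tracer input inside tcp 10.1.1.5 12345 172.1.10.7 443`, whose NAT phase names the configured line that matched.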

Really confusing what they are trying to achieve here.
1) Does double NAT here mean source 10.1.1.0 & dest 10.1.1.0 will be NATted to 172.1.10.0 & 172.1.10.0?

2) After all these NAT cmds, there is the following, to NAT all traffic from inside to outside dynamically.
object network any-object
nat (inside,outside) dynamic interface