03-31-2014 04:39 PM - edited 03-11-2019 09:01 PM
We have a new ASA 5545 with multiple internal VLANs. After much reading, I am more confused than ever regarding the new NAT. Could somebody please help with this simple example w/ several internal VLANs? I would like to set up ACLs to filter connections between all these internal VLANs, allowing services such as SSH, for example, from some VLANs to other VLANs. I would like to set up ingress and egress filtering for all VLANs. Currently, host 172.16.3.100 cannot ping host 172.16.0.100; however, each of these hosts can ping its respective gateway. Also, I am not clear as to when to use object NAT versus twice NAT.
Interface          Name            Security-Level
Port-channel1.33   test            75
Port-channel1.43   research        70
Port-channel1.100  management      40
Port-channel1.200  administration  50
Port-channel1.300  remote          30

Interface          Name            IP address     Netmask
Port-channel1.33   test            172.16.3.248   255.255.255.0
Port-channel1.43   research        10.3.43.248    255.255.255.0
Port-channel1.100  management      10.0.0.248     255.255.255.0
Port-channel1.200  administration  10.0.1.248     255.255.255.0
Port-channel1.300  remote          172.16.0.248   255.255.255.0
Thank you for your time.
03-31-2014 05:22 PM
I typically only use object NAT for external access from public IPs to internal servers. I'm not saying that's best practice or anything, it's just my personal preference.
A NAT example that would suffice for the example you mentioned is:
object network test-172.16.3.0
 subnet 172.16.3.0 255.255.255.0
nat (test,remote) source static test-172.16.3.0 test-172.16.3.0
All traffic destined for any subnet within the "remote" interface would appear as 172.16.3.0/24.
If you wanted to limit it to a specific subnet, you could further do:
object network remote-172.16.0.0
 subnet 172.16.0.0 255.255.255.0
nat (test,remote) source static test-172.16.3.0 test-172.16.3.0 destination static remote-172.16.0.0 remote-172.16.0.0
Keep in mind that static NAT rules are bi-directional.
With the NAT in place, you can still control ingress/egress traffic with ACLs, but if no ACLs are used, keep in mind that interfaces with higher security levels are implicitly allowed to communicate with all interfaces with lower security levels.
04-01-2014 05:34 AM
Normally you would not have NAT going between subnets connected to the ASA, unless you have a specific reason for doing so. And having an egress ACL on the ASA is just about never used these days, all ACLs are normally applied in the ingress direction on an interface.
As for when to use the different NAT types, it depends on what you are trying to do. There are three types of NAT in the new ASA: Manual NAT, Auto-NAT, and After-Auto (or manual after-auto). They are executed in that order as well.
So in the manual NAT field you would normally have your NAT exempt or twice NAT statements.
nat (inside,DMZ) source static OBJECT-1 OBJECT-1 destination static OBJECT-2 OBJECT-2
Auto nat is where most of your static one to one translations and dynamic NAT/PAT will be configured.
The after-auto NAT is where you would configure NAT statements that should apply if traffic doesn't match any of the configured statements in either the manual NAT or auto-NAT fields.
--
Please remember to rate and select a correct answer
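A worked configuration that combines both replies for the asker's own interfaces, added here as an illustration and not taken from either reply: no NAT between the directly connected internal VLANs, and ingress-only ACLs on the test and remote interfaces that allow just SSH and ping from 172.16.3.0/24 toward 172.16.0.0/24. The object, ACL and policy names (other than the ASA default global_policy / inspection_default) are assumptions made for this example.

```cisco
! Added example (not from either reply): ingress-only filtering between
! the "test" (172.16.3.0/24, level 75) and "remote" (172.16.0.0/24,
! level 30) VLANs from the question, with no NAT between them.
! Object and ACL names below are invented for this example.
object network NET-TEST
 subnet 172.16.3.0 255.255.255.0
object network NET-REMOTE
 subnet 172.16.0.0 255.255.255.0
!
! Ingress on "test": allow only SSH and ping toward the remote VLAN,
! drop and log everything else to that VLAN. Because an applied ACL
! ends in an implicit deny, the last line restores the high-to-low
! permit for the test VLAN's other traffic.
access-list TEST-IN extended permit tcp object NET-TEST object NET-REMOTE eq ssh
access-list TEST-IN extended permit icmp object NET-TEST object NET-REMOTE echo
access-list TEST-IN extended deny ip object NET-TEST object NET-REMOTE log
access-list TEST-IN extended permit ip object NET-TEST any
access-group TEST-IN in interface test
!
! Ingress on "remote": the lower-security side may only answer existing
! sessions; it gets no new sessions into the test VLAN. Anything the
! remote VLAN must initiate elsewhere has to be permitted here too.
access-list REMOTE-IN extended deny ip object NET-REMOTE object NET-TEST log
access-group REMOTE-IN in interface remote
!
! Echo replies from the lower-security side return through the ASA only
! when ICMP is inspected (or explicitly permitted on that interface).
policy-map global_policy
 class inspection_default
  inspect icmp
```

Verify the result with `show access-list TEST-IN` (hit counts) and `packet-tracer input test icmp 172.16.3.100 8 0 172.16.0.100`, which reports the ACL and NAT phases the flow passes through.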