NAT help

Answered Question
Mar 2nd, 2007

I'm having an issue working with a PIX 7.0 that has lots of history. There is a ton of entries like below:

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

I'm trying to make one ip address on that subnet come out as the firewall external IP. I have the global (outside) 1 interface set up with the nat (inside) 1 192.168.1.5. This doesn't work unless I pull out the static entry for the entire subnet.

The main problem I'm having is for some reason when I pull out the static that has the subnet. Without the static entry the subnet comes out with an address other than itself. What does the PIX do for an address that doesn't have a static or global entry set up?

acomiskey Fri, 03/02/2007 - 09:28

Your problem is with nat order of operations. The static for the 192 subnet takes precedence over your regular nat for 192.168.1.5.

1. nat exemption

2. static nat

3. static pat

4. policy nat

5. regular nat

brandon.hodge Fri, 03/02/2007 - 09:30

So why is it when I pull the static for the entire subnet they come out nat'd to something else?

acomiskey Fri, 03/02/2007 - 09:38

What is the address?

It is NATing somewhere, if it's not in the static, it could be 3-5 mentioned above. Find the address in your config and you will know where.

brandon.hodge Fri, 03/02/2007 - 09:40

I guess a better question would be: why would you put in a static entry for an address to NAT the address it already has? Shouldn't it already do this without that entry?

brandon.hodge Fri, 03/02/2007 - 09:48

sorry...

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

What is the purpose of an entry like that? Shouldn't anything on the 192.168.1.0 come out with its real address even without that entry?

acomiskey Fri, 03/02/2007 - 09:54

not if you have nat-control enabled

The nat-control command on the PIX specifies that all traffic through the firewall must have a specific translation entry (nat statement with a matching global, or a static statement) for that traffic to pass through the firewall.

Correct Answer
acomiskey Fri, 03/02/2007 - 10:06

It would also need to be there if you had something like

global (outside) 1 x.x.x.x

nat (inside) 1 0.0.0.0 0.0.0.0

and you did not want 192.168.1.0 to be PAT'ed to x.x.x.x

Hope that makes sense, I don't know enough about your environment to know whether it is needed or not.

brandon.hodge Fri, 03/02/2007 - 10:16

That's actually what the problem was I just found it 10 minutes ago. You've been a great help acomiskey thanks a ton :)

Florin Barhala Wed, 03/20/2013 - 07:52

Hi guys,

I reopen this thread as it's close to my scenario.

I got a 7.2 IOS version ASA that has nat-control enabled and I have this config:

static (intranet,outside) 192.168.0.5 192.168.0.5 netmask 255.255.255.255

Here is the rest of the config, that might be important:

interface Ethernet0/2

nameif intranet

security-level 100

ip address 192.168.0.1 255.255.254.0

nat (intranet) 0 access-list no_nat_intranet

nat (intranet) 1 access-list nat_users

global (dmz) 1 80.B.C.D

access-list nat_users line 1 extended permit ip 192.168.0.0 255.255.255.128 any

And here I got the pin:

access-list no_nat_intranet line 1 extended permit ip 192.168.0.0 255.255.254.0 192.168.10.0 255.255.255.0 

access-list no_nat_intranet line 2 extended permit ip host 192.168.0.183 any 

access-list no_nat_intranet line 3 extended permit ip host 192.168.0.5 any 


What does this statement "state"? Can anyone kindly detail it?

And why is it necessary to exempt it again in NAT_Exempt statement?

Jouni Forss Wed, 03/20/2013 - 08:06

Hi,

Well it seems you have 2 configurations for the host 192.168.0.5

The "static" configuration line is an Identity NAT that basically states that the address isn't translated when it's accessing networks behind the "outside" interface, which doesn't make much sense since it's a private IP address. (Unless you have some other device doing NAT in front of the firewall)

The "nat (intranet) 0" and one of its ACL lines basically states that when the host 192.168.0.5 tries to connect to "any" host on any interface, it shouldn't be NATed.

The "static" line only applies between "intranet" and "outside" WHILE the "nat (intranet) 0" applies between "intranet" and "any"

So I would have to guess that the NAT0 rule's reason for being there is to prevent NAT from being done to this host 192.168.0.5 no matter where it connects through this firewall.

- Jouni

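Added example, not code from this thread or from Cisco: a small Python model of the PIX/ASA 7.x NAT order of operations that acomiskey lists earlier (exemption, static, policy, regular) and of the nat-control behaviour, replayed over both configurations in this thread (the 2007 PIX with the /24 identity static and catch-all nat 1, and the 2013 ASA with the nat 0 exemption next to the host static). OUTSIDE_IF_IP and the 203.0.113.9 destination are placeholders, static PAT and policy NAT are only slots in the order, and the "global" lookup is simplified to one address per (interface, id).

```python
import ipaddress

def net(spec):
    # "192.168.1.0 255.255.255.0" or "any" -> IPv4Network (dotted netmask is accepted)
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec.replace(" ", "/"), strict=False)

def matches(flow, rule):
    # rule: kind, in, src, optional out/dst (plus id or mapped); flow: in, out, src, dst
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    return (rule["in"] == flow["in"] and rule.get("out", flow["out"]) == flow["out"]
            and src in net(rule["src"]) and dst in net(rule.get("dst", "any")))

def translate(flow, cfg):
    """First hit in PIX 7.x order wins; returns (rule kind, source address seen on 'out')."""
    for kind in ("exempt", "static", "policy", "regular"):
        for rule in cfg["rules"]:
            if rule["kind"] != kind or not matches(flow, rule):
                continue
            if kind == "exempt":
                return kind, flow["src"]
            if kind == "static":  # one-to-one: keep the host offset inside the mapped subnet
                real, mapped = net(rule["src"]), net(rule["mapped"])
                offset = int(ipaddress.ip_address(flow["src"])) - int(real.network_address)
                return kind, str(mapped.network_address + offset)
            pool = cfg["globals"].get((flow["out"], rule["id"]))  # global (out) id <addr>
            if pool:  # a nat id with no global on this interface translates nothing
                return kind, pool
    # no rule matched: nat-control drops the flow, otherwise it passes untranslated
    return ("drop", None) if cfg["nat_control"] else ("untranslated", flow["src"])

def pix_2007(with_subnet_static):
    # the 2007 box: nat (inside) 1 for .5, a catch-all nat (inside) 1, global (outside) 1 interface
    rules = [{"kind": "regular", "in": "inside", "src": "192.168.1.5 255.255.255.255", "id": 1},
             {"kind": "regular", "in": "inside", "src": "0.0.0.0 0.0.0.0", "id": 1}]
    if with_subnet_static:  # static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
        rules.insert(0, {"kind": "static", "in": "inside", "out": "outside",
                         "src": "192.168.1.0 255.255.255.0", "mapped": "192.168.1.0 255.255.255.0"})
    cfg = {"rules": rules, "globals": {("outside", 1): "OUTSIDE_IF_IP"}, "nat_control": True}
    flow = lambda h: {"in": "inside", "out": "outside", "src": h, "dst": "203.0.113.9"}
    return translate(flow("192.168.1.5"), cfg), translate(flow("192.168.1.20"), cfg)

def asa_2013(out_if, with_nat0):
    # the 2013 box: nat (intranet) 0 host .5 any, static (intranet,outside) .5 .5, nat_users to dmz
    rules = [{"kind": "static", "in": "intranet", "out": "outside",
              "src": "192.168.0.5 255.255.255.255", "mapped": "192.168.0.5 255.255.255.255"},
             {"kind": "regular", "in": "intranet", "src": "192.168.0.0 255.255.255.128", "id": 1}]
    if with_nat0:
        rules.insert(0, {"kind": "exempt", "in": "intranet", "src": "192.168.0.5 255.255.255.255"})
    cfg = {"rules": rules, "globals": {("dmz", 1): "80.B.C.D"}, "nat_control": True}
    return translate({"in": "intranet", "out": out_if, "src": "192.168.0.5", "dst": "203.0.113.9"}, cfg)
```

With the /24 static in place the whole 2007 subnet, .5 included, is identity-translated by the static before nat 1 is ever consulted; without it, both .5 and the rest of the subnet fall into the catch-all nat 1 and leave as the outside interface address. On the 2013 box the host static only covers intranet to outside, while the nat 0 line keeps .5 untranslated towards dmz as well, where it would otherwise be PATed to 80.B.C.D.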
Florin Barhala Wed, 03/20/2013 - 08:35

Thanks mate!

Basically this means, I can remove the static NAT statement, as it is covered by the nat 0 ACL.

Next, if I disable nat-control on the running config, firewall being used in production do you think it can cause any traffic disruption?

From what I read, it wouldn't make sense. Trouble might arise when enabling it (nat-control) if the config lacks some inside-to-outside nat statements. Am I right on this judgement?

Jouni Forss Wed, 03/20/2013 - 09:59

Hi,

Would seem correct to me.

Though personally I have never really had the need to change the "nat-control" setting. Though usually when I am doing some change that I have uncertainty about, I lab it or do the change during hours where any possible problem wouldn't cause much issues for users.

Here is a link to a Cisco document about "nat-control" setting

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html#wp1082396

- Jouni
