NAT help

brandon.hodge
Level 1

I'm having an issue working with a PIX 7.0 that has lots of history. There are a ton of entries like the one below:

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

I'm trying to make one ip address on that subnet come out as the firewall external IP. I have the global (outside) 1 interface set up with the nat (inside) 1 192.168.1.5. This doesn't work unless I pull out the static entry for the entire subnet.

The main problem I'm having is, for some reason, when I pull out the static that has the subnet. Without the static entry the subnet comes out with an address other than itself. What does the PIX do for an address that doesn't have a static or global entry set up?

1 Accepted Solution: acomiskey's reply below about the global (outside) 1 x.x.x.x / nat (inside) 1 0.0.0.0 0.0.0.0 case.

15 Replies

acomiskey
Level 10

Your problem is with nat order of operations. The static for the 192 subnet takes precedence over your regular nat for 192.168.1.5.

1. nat exemption

2. static nat

3. static pat

4. policy nat

5. regular nat

So why is it when I pull the static for the entire subnet they come out nat'd to something else?

What is the address?

It is NATing somewhere, if it's not in the static, it could be 3-5 mentioned above. Find the address in your config and you will know where.

I guess a better question would be: why would you put in a static entry for an address to NAT the address it already has? Shouldn't it already do this without that entry?

not sure I follow anymore

sorry...

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

What is the purpose of an entry like that? Shouldn't anything on 192.168.1.0 come out with its real address even without that entry?

not if you have nat-control enabled

The nat-control command on the PIX specifies that all traffic through the firewall must have a specific translation entry (nat statement with a matching global, or a static statement) for that traffic to pass through the firewall.

none in the running config

It would also need to be there if you had something like

global (outside) 1 x.x.x.x

nat (inside) 1 0.0.0.0 0.0.0.0

and you did not want 192.168.1.0 to be PAT'ed to x.x.x.x

Hope that makes sense, I don't know enough about your environment to know whether it is needed or not.

That's actually what the problem was I just found it 10 minutes ago. You've been a great help acomiskey thanks a ton :)

no prob, please rate if it helped.

Hi guys,

I reopen this thread as it's close to my scenario.

I got a 7.2 IOS version ASA that has nat-control enabled and I have this config:

static (intranet,outside) 192.168.0.5 192.168.0.5 netmask 255.255.255.255

Here is the rest of the config, that might be important:

interface Ethernet0/2

nameif intranet

security-level 100

ip address 192.168.0.1 255.255.254.0

nat (intranet) 0 access-list no_nat_intranet

nat (intranet) 1 access-list nat_users

global (dmz) 1 80.B.C.D

access-list nat_users line 1 extended permit ip 192.168.0.0 255.255.255.128 any

And here I got the pin:

access-list no_nat_intranet line 1 extended permit ip 192.168.0.0 255.255.254.0 192.168.10.0 255.255.255.0 

access-list no_nat_intranet line 2 extended permit ip host 192.168.0.183 any 

access-list no_nat_intranet line 3 extended permit ip host 192.168.0.5 any 


What does this statement "state"? Can anyone kindly detail it?

And why is it necessary to exempt it again in NAT_Exempt statement?

Hi,

Well it seems you have 2 configurations for the host 192.168.0.5

The "static" configuration line is an Identity NAT that basically states that the address isn't translated when it's accessing networks behind the "outside" interface, which doesn't make much sense since it's a private IP address. (Unless you have some other device doing NAT in front of the firewall.)

The "nat (intranet) 0" and one of its ACL lines basically state that when the host 192.168.0.5 tries to connect to "any" host on any interface, it shouldn't be NATed.

The "static" line only applies between "intranet" and "outside", WHILE the "nat (intranet) 0" applies between "intranet" and "any".

So I would have to guess that the NAT 0 rule's reason for being there is to prevent NAT from being done to this host 192.168.0.5 no matter where it connects through this firewall.

- Jouni

Thanks mate!

Basically this means, I can remove the static NAT statement, as it is covered by the nat 0 ACL.

Next, if I disable nat-control on the running config (the firewall is being used in production), do you think it can cause any traffic disruption?

From what I read, it wouldn't make sense. Trouble might arise when enabling it (nat-control) if the config lacks some inside-to-outside nat statements. Am I right in this judgement?
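Added example (editor's, not from the thread and not Cisco code): a small Python model of the NAT precedence acomiskey lists, of what nat-control does to a flow that matches nothing, and of the interface scoping Jouni describes for the static versus the nat 0 ACL. It replays the PIX case from the original question and the accepted answer, then the ASA config quoted above. All addresses are constructed: 203.0.113.1 stands in for the PIX outside address (x.x.x.x), 203.0.113.5 for the thread's 80.B.C.D, and 198.51.100.10 is the destination. The `Rule`/`translate` names and the precedence numbers are this example's own; real ASA matching has more subtlety (best match among statics, policy nat with globals) than this toy captures.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Precedence as listed in the thread (lower wins). Static PAT is folded into
# "static" because none of the scenarios below use port statics.
PRECEDENCE = {"exempt": 0, "static": 1, "policy": 2, "regular": 3}


@dataclass
class Rule:
    kind: str                     # "exempt" (nat 0 access-list), "static", "policy", "regular"
    src_if: str                   # interface the flow enters on
    dst_if: Optional[str]         # egress interface the rule is bound to; None = any
    local: str                    # real source network in CIDR form
    mapped: Optional[str] = None  # static: mapped network; regular/policy: global (PAT) address
    dst: str = "0.0.0.0/0"        # ACL destination for exempt/policy rules

    def matches(self, src_ip, dst_ip, egress):
        if self.dst_if is not None and self.dst_if != egress:
            return False
        return (src_ip in ipaddress.ip_network(self.local)
                and dst_ip in ipaddress.ip_network(self.dst))


def translate(rules, src_if, src, dst, egress, nat_control=True):
    """Return (winning_rule_kind, translated_source) for one flow.

    With nat-control on, a flow that matches no rule is refused ("drop");
    with it off, the flow passes with its real address ("none").
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [r for r in rules if r.src_if == src_if and r.matches(src_ip, dst_ip, egress)]
    if not hits:
        return ("drop", None) if nat_control else ("none", src)
    best = min(hits, key=lambda r: PRECEDENCE[r.kind])  # min is stable: first listed wins ties
    if best.kind == "exempt":
        return ("exempt", src)
    if best.kind == "static":
        # identity or one-to-one static: keep the host's offset inside the block
        local_net = ipaddress.ip_network(best.local)
        mapped_net = ipaddress.ip_network(best.mapped)
        offset = int(src_ip) - int(local_net.network_address)
        return ("static", str(mapped_net.network_address + offset))
    return (best.kind, best.mapped)  # nat/global pair: PAT to the global address


# --- Scenario 1: the PIX 7.0 in the original question (addresses constructed) ---
PIX_GLOBAL = "203.0.113.1"  # stands in for the PIX outside address, x.x.x.x in the thread
PIX_STATIC = Rule("static", "inside", "outside", "192.168.1.0/24", mapped="192.168.1.0/24")
PIX_NAT_HOST = Rule("regular", "inside", "outside", "192.168.1.5/32", mapped=PIX_GLOBAL)
PIX_NAT_ALL = Rule("regular", "inside", "outside", "0.0.0.0/0", mapped=PIX_GLOBAL)


def pix_examples():
    flow = dict(src_if="inside", dst="198.51.100.10", egress="outside")
    return {
        # the /24 identity static outranks the nat/global pair for .5
        "with_static": translate([PIX_STATIC, PIX_NAT_HOST], src="192.168.1.5", **flow),
        # pull the static and the regular nat for .5 finally applies
        "without_static": translate([PIX_NAT_HOST], src="192.168.1.5", **flow),
        # a neighbour with no rule at all: nat-control refuses it
        "no_rule": translate([PIX_NAT_HOST], src="192.168.1.7", **flow),
        # accepted answer: with nat (inside) 1 0.0.0.0 0.0.0.0 the static is what
        # keeps the rest of 192.168.1.0 from being PAT'ed to x.x.x.x
        "nat_all_with_static": translate([PIX_STATIC, PIX_NAT_ALL], src="192.168.1.7", **flow),
        "nat_all_without_static": translate([PIX_NAT_ALL], src="192.168.1.7", **flow),
    }


# --- Scenario 2: the ASA 7.2 config quoted later in the thread ---
DMZ_GLOBAL = "203.0.113.5"  # stands in for the thread's global (dmz) 1 80.B.C.D
ASA_RULES = [
    Rule("exempt", "intranet", None, "192.168.0.0/23", dst="192.168.10.0/24"),  # no_nat_intranet line 1
    Rule("exempt", "intranet", None, "192.168.0.183/32"),                        # line 2
    Rule("exempt", "intranet", None, "192.168.0.5/32"),                          # line 3
    Rule("static", "intranet", "outside", "192.168.0.5/32", mapped="192.168.0.5/32"),
    Rule("regular", "intranet", "dmz", "192.168.0.0/25", mapped=DMZ_GLOBAL),     # nat_users + global (dmz) 1
]
ASA_NO_NAT0 = [r for r in ASA_RULES if r.kind != "exempt"]


def asa_examples():
    host, dst = "192.168.0.5", "198.51.100.10"
    return {
        # nat 0 covers every egress interface, so it wins on both paths
        "to_dmz": translate(ASA_RULES, "intranet", host, dst, "dmz"),
        "to_outside": translate(ASA_RULES, "intranet", host, dst, "outside"),
        # drop the nat 0 lines: the static still holds intranet->outside only,
        # while intranet->dmz falls through to the nat_users/global pair
        "to_dmz_no_nat0": translate(ASA_NO_NAT0, "intranet", host, dst, "dmz"),
        "to_outside_no_nat0": translate(ASA_NO_NAT0, "intranet", host, dst, "outside"),
        # with nat-control off, a host that matches no rule passes untranslated
        "no_rule_nat_control_off": translate(ASA_NO_NAT0, "intranet", "192.168.1.9", dst, "outside", nat_control=False),
    }


if __name__ == "__main__":
    for name, result in {**pix_examples(), **asa_examples()}.items():
        print(f"{name:28} -> {result}")
```

Running it prints one line per case. The two `*_no_nat0` ASA results are the point Jouni makes: with the exemption removed, the same host is PAT'ed on the dmz path but left at its real address on the outside path, because the static is bound to the intranet/outside pair only. The last case is what turning nat-control off changes in this model: a host that matches nothing is passed untranslated instead of refused.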
