Understanding Identity Nat

Unanswered Question
Jul 11th, 2008

All,


I hope someone can clear this. I've read in my SNPA 5.0 course that Identity Nat 0 does not translate and does not use a translation slot.


But in chapter 12 of the FWSM config manual, it states NAT sessions are created for Identity Nat (with or without Nat Control).


If both sources are referring to the same thing, then the two statements above seem to contradict. Can someone please clear this up?


Thanks



Overall Rating: 5 (2 ratings)
Magnus Mortensen Fri, 07/11/2008 - 21:17
Cisco Employee

On the FWSM, in versions prior to 3.2, we will build XLATES for nat 0. In later version of 3.2 you can enable xlate bypass to stop the firewall from building those kind of translations.


http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/uw.html#wp1306953


From that page:

"By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. For example, a session is created for each untranslated connection even if you do not enable NAT control, you use NAT exemption or identity NAT, or you use same security interfaces and do not configure NAT. Because there is a maximum number of NAT sessions (see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide), these kinds of NAT sessions might cause you to run into the limit.


To avoid running into the limit, you can disable NAT sessions for untranslated traffic using the xlate-bypass command. If you disable NAT control and have untranslated traffic or use NAT exemption, or you enable NAT control (using the nat-control command) and use NAT exemption, then with xlate bypass, the FWSM does not create a session for these types of untranslated traffic. NAT sessions are still created in the following instances:


• You configure identity NAT (with or without NAT control). Identity NAT is considered to be a translation.


• You use same-security interfaces with NAT control. Traffic between same-security interfaces creates NAT sessions even when you do not configure NAT for the traffic. To avoid NAT sessions in this case, disable NAT control or use NAT exemption as well as xlate bypass."


[Rate if useful. Thanks!]
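An added configuration sketch (not from this thread or the Cisco documentation) that puts the two nat 0 forms the quoted text distinguishes side by side: nat 0 with an access-list is NAT exemption, nat 0 with a network is identity NAT. Interface names, addresses and the ACL name are assumed for the illustration.

```cisco
! Assumed FWSM 3.2-style configuration (example only, not the poster's config).
! Goal: keep untranslated traffic from consuming NAT session (xlate) slots.
!
nat-control
!
! NAT exemption: nat 0 WITH an access-list.
! With xlate-bypass enabled, the FWSM does not create a NAT session for
! connections matching this ACL (quoted doc: exemption + xlate bypass = no session).
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
! Identity NAT: nat 0 WITHOUT an access-list, just a network.
! Per the quoted doc this "is considered to be a translation", so a NAT session
! is still created for every connection from 10.3.3.0/24, even with xlate-bypass.
nat (dmz) 0 10.3.3.0 255.255.255.0
!
! Stop building sessions for untranslated traffic (exemption, nat-control off).
xlate-bypass
!
! Verification (exec mode, not config): "show xlate" after sending traffic through
! each path. Expect entries for dmz hosts (identity NAT) but none for inside hosts
! that matched NO_NAT. To drop the dmz entries as well, replace the identity NAT
! line with a nat 0 access-list (exemption) covering 10.3.3.0/24.
```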

yuchenglai Mon, 07/14/2008 - 04:16

Mamorten,


In the configuration guide of the FWSM 3.2, it looks like "identity NAT" will create XLATES with or without NAT control even if you use xlate bypass with it.


Case in point, "You configure identity NAT (with or without NAT control). Identity NAT is considered to be a translation."


But it seems that the FWSM 3.2 configuration guide contradicts what is written in the SNPA 5.0 course which states that Identity Nat 0 does not translate and does not use a translation slot.


Which text is correct?

Magnus Mortensen Mon, 07/14/2008 - 05:11
Cisco Employee

I think the SNPA book is wrong since I have seen NAT0 build xlates with my own eyes...

yuchenglai Mon, 07/14/2008 - 05:21

Yes,


I believe the SNPA course is wrong about this topic.


To clarify the second point, the FWSM 3.2 configuration guide says that "Identity NAT" will always create xlates even if you use xlate bypass. Is that true?
