02-02-2009 09:23 AM - edited 03-11-2019 07:44 AM
We have a Cisco 5510 connected to a LAN segment with a Cisco 6500 and multiple VLANs, using a Class B address range.
We have a NAT device (non-Cisco product) on top of the Cisco ASA 5510 handling all the static and dynamic NAT.
We have lots of internet users and about 50-60 servers, all in the LAN segment.
Since the ASA is not doing the NAT, I can use
nat (inside) 0 172.16.0.0 255.255.0.0
to exempt all traffic from NAT, right?
But when I do this I am having issues accessing a few servers from the outside that have static NAT on my NAT device. (This is the problem with only a few servers; all others are fine, and normal internet users also have no issues, to the best of my knowledge.)
I have found a remedy by using something like
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
Everything is working perfectly with this instead of the "nat 0".
What could be causing the access issue with nat 0?
02-02-2009 10:26 AM
Hi,
The reason is that nat 0 will only work from inside to outside. When an inside server opens a connection to the outside, the ASA "knows" the server and has an entry in the NAT table.
If the server does not access the outside world, the ASA does not "know" the server.
Your static NAT makes a permanent entry in the NAT table.
I had this problem with a client that wanted to use public IPs inside the ASA. Only when the server had opened a connection was an inbound connection successful. With the "fake" NAT everything is fine.
Regards, Celio
02-02-2009 05:59 PM
Probably you didn't get me; the traffic I mentioned is moving from inside to outside itself.
02-03-2009 08:51 AM
OK, thank you, I got my solution.
nat (inside) 0 172.16.0.0 255.255.0.0
This is IDENTITY NAT (allowed only from inside to outside); connections cannot be initiated from outside to inside.
nat (inside) 0 access-list test
access-list test extended permit ip 172.16.0.0 255.255.0.0 any
This is NAT EXEMPTION.
This allows connections to be initiated from outside to inside.
I think everyone must understand the difference between the two; they appear so similar.
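To put the two forms from this thread side by side, here is an added configuration example (not from any poster; pre-8.3 ASA syntax as used above). The interface names, the server address 172.16.10.5, the port 443 and the test source 203.0.113.5 are constructed for illustration; it also adds the outside interface ACL and the checks a practitioner would want, since exemption removes the translation obstacle but not the security-level check.

```text
! --- Option A: NAT exemption (bidirectional; matches the OP's working solution) ---
access-list NO_NAT extended permit ip 172.16.0.0 255.255.0.0 any
nat (inside) 0 access-list NO_NAT

! --- Option B: static identity NAT (also bidirectional; permanent xlate entries) ---
! static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

! --- Option C: plain identity NAT (outbound only; inbound to an idle server fails) ---
! nat (inside) 0 172.16.0.0 255.255.0.0

! Either bidirectional option still needs an inbound ACL on the lower-security
! interface. Permit only the servers/ports the external NAT device actually
! publishes, rather than the whole /16 (constructed server and port below).
access-list OUTSIDE_IN extended permit tcp any host 172.16.10.5 eq 443
access-group OUTSIDE_IN in interface outside

! Checks after applying the change:
! show nat     -> lists the nat 0 / static rules with their hit counts
! show xlate   -> static identity shows permanent slots; the nat 0 ACL form does not
! packet-tracer input outside tcp 203.0.113.5 12345 172.16.10.5 443
!              -> walks the inbound flow through ACL and NAT phases and shows
!                 which phase drops it if the server is still unreachable
```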
02-16-2012 06:46 AM
Unfortunately it's not that simple. While the configurations are similar in the sense that they can both perform NAT exemption, identity NAT (via a static) enters a permanent entry in the xlate table whereas the NAT 0 does not create an entry in the xlate table but DOES add entries to the NAT table from the interface listed in the nat 0 command to all equal or lower security level interfaces.
Your assumptions are incorrect... at least partially. The Cisco documentation (the Cisco ASA and PIX Firewall Handbook) states that with a nat 0 configuration, traffic must be initiated from the higher security level interface before traffic will be allowed in from the lower security level interface. It goes on to state that identity NAT via a static is bidirectional and traffic can be initiated from either interface. This is true for SOME code versions but not all. In 8.2(2), both nat 0 and identity NAT are bidirectional and function identically.
Now, one key difference between these two (which sounds related to your scenario) is the order in which they are processed. nat 0 is processed before all static NAT entries. Static NAT is processed in the order in which the entries are added.
02-16-2012 12:18 AM
The static command is bidirectional in logic, while all other nat commands are unidirectional!
Kamran