cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
836
Views
0
Helpful
5
Replies

Nat 0 vs static NAT

victor_87
Level 1
Level 1

We have a cisco 5510 connected to a LAN segment with a cisco 6500 and multiple vlan's. and using Class B address range.

We have a NAT device (Non-cisco product ) on top of the Cisco ASA-5510 handling all the static and Dynamic NAT.

We have lots of internet users and about 50-60 servers all in the Lan segment.

since the ASA is not doing the NAT i can use

nat (inside) 0 172.16.0.0 255.255.0.0

to exempt all traffic from NAT right??

but when i do this i am having issues accessing a few servers from the outside that have been Static NAT on my NAT device. ( this is the problem only with few servers, all others are fine and normal internet users also have no issues to the best of my knowledge).

I have found a remedy by using something like

static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

Everything is working perfect with this instead of the "NAT 0"

What could be causing the access issue with NAT 0.

5 Replies 5

celiocarreto
Level 1
Level 1

Hi,

the reason is that nat0() will only work from inside to outside. When an inside-server opens a connection to outside, the asa "knows" the server and have an entry in the NAT table.

If the server do not access the outside world, the asa do not "know" the server.

Your static NAT make a permanent entry into the NAT table.

I had this Problem with a client, that wanted to use public IPs inside the ASA. Only when the server has opened a connection an inbound connection was successful. With the "fake" NAT everything is fine.

Regards, Celio

Probably u didn't get me, traffic i mentioned is moving from inside to Outside itself.

Ok thanku i got my solution

nat (inside) 0 172.16.0.0 255.255.0.0

this is IDENTITY NAT (allowed only from inside to outside,) connections cannot be initiated from outside to inside

nat (inside) 0 access-list test

access-list test ext permit ip 172.16.0.0 255.255.0.0 any

This is NAT EXEMPTION

This allows connections to be initiated from outside to inside.

I think everyone must understand the difference between the two, they appear so similar.

Unfortunately it's not that simple.   While the configurations are similar in the sense that they can both perform NAT exemption, identity NAT (via a static) enters a permanent entry in the xlate table whereas the NAT 0 does not create an entry in the xlate table but DOES add entries to the NAT table from the interface listed in the nat 0 command to all equal or lower security level interfaces. 

Your assumptions are incorrect...at least partially.   The Cisco documentation ( the Cisco ASA and PIX Firewall Handbook) states that with a nat 0 configuration, traffic must be initiated from the higher security level interface before traffic will be allowed in from the lower security level interface.   It goes in to state that identity NAT via a static is bidirectional and traffic can be initiated from either interface.  This is true for SOME code versions but not all.  In 8.2(2), both nat 0 and identity nat are bidirectional and function identically. 

Now, one key difference between these two (which sounds related to you scenario) is the order in which they are processed. nat 0 is processed before all static nat entries.  Static nat is processed in the order in which the entries are added. 

game123
Level 1
Level 1

Static command serves bi directional in logic while all other nat commands are uni directional !

Kamran

Sent from Cisco Technical Support iPad App

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: