NAT clarification

Unanswered Question
Mar 4th, 2010

Hi,

I have the following configuration in my ASA.

static (outside,inside) 10.6.25.2 192.168.0.20 netmask 255.255.255.255
access-list outside_pat extended permit ip any host 10.6.25.2
access-list inside_nat0_outbound extended permit ip host 1.1.1.1 10.6.25.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list outside_pat
global (outside) 1 interface

outside interface address is 2.2.2.2

We have a tunnel set up in this ASA and the remote host is 192.168.0.20

----------------------

1.1.1.1 (source) 10.6.25.2 (destination) -- when it reaches the inside interface. What would be the translated packet's source and destination when it leaves the outside interface?

I have read that nat 0 access-list has the highest priority and will not process any other NAT rules. But it seems that it is not the case here.

Thank you very much in advance for giving some ideas on this!

Regards

Jithesh K Joy

Jon Marshall Thu, 03/04/2010 - 10:35

Jitesh

The src IP should remain as 1.1.1.1

the dest IP should be changed to 192.168.0.20

Jon

Jithesh K Joy Thu, 03/04/2010 - 11:03

Hi Jon,

Thank you very much for your swift response.

But it seems that PAT is also working here and the source is getting NATted to the outside interface IP 2.2.2.2. My packet-tracer output shows this. Could you please share with me some documents, if you have any, which are useful for understanding this static (outside,inside) and why the nat 0 access-list is not invoked?

Is it because the nat 0 access-list is not applied since a destination NAT happened due to static (outside,inside) 10.6.25.2 192.168.0.20 netmask 255.255.255.255?

I appreciate your input on this.

Jon Marshall Thu, 03/04/2010 - 11:41

Jitesh

Have just looked at your config again -

access-list outside_pat extended permit ip any host 10.6.25.2
access-list inside_nat0_outbound extended permit ip host 1.1.1.1 10.6.25.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list outside_pat
global (outside) 1 interface

What I didn't notice the first time is that both ACLs are for destination 10.6.25.x, with the outside_pat ACL being more specific, i.e. it references 10.6.25.2 specifically.

Why are you doing this? What happens if you change the inside_nat0_outbound ACL to:

access-list inside_nat0_outbound permit ip host 1.1.1.1 host 10.6.25.2

If you do the above test, make sure you clear the existing translations in the xlate table.

The issue you are having has nothing to do with the static (outside,inside) ... statement as far as I can see.

Jon

AnujPratap Thu, 03/04/2010 - 20:54

From the inside interface the source will be 1.1.1.1 and the destination will be 10.6.25.2, which will change to 192.168.0.20.
Below is the configuration the firewall will check for this access.

Step 1:

access-list outside_pat extended permit ip any host 10.6.25.2

Step 2:

access-list inside_nat0_outbound extended permit ip host 1.1.1.1  10.6.25.0 255.255.255.0

Step 3:

static (outside,inside) 10.6.25.2 192.168.0.20 netmask 255.255.255.255

And yes, as per Jon, you can try with more specific ACLs also.

access-list outside_pat extended permit ip host 1.1.1.1 host 10.6.25.2
!
access-list inside_nat0_outbound extended permit ip host 1.1.1.1 10.6.25.2 255.255.255.255

Anuj Pratap

ashish_kandari Thu, 03/04/2010 - 18:50

Point

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip host 1.1.1.1 10.6.25.0 255.255.255.0

Means source 1.1.1.1 to 10.6.25.0 (no NAT).

But it is given like this:

static (outside,inside) 10.6.25.2 192.168.0.20 netmask 255.255.255.255

Means a packet from inside to outside with destination 10.6.25.2 will be converted to 192.168.0.20.

So now the source will be 1.1.1.1 and the destination will be 192.168.0.20.

nat (inside) 1 access-list outside_pat

global (outside) 1 interface

outside interface address is 2.2.2.2

access-list outside_pat extended permit ip any host 10.6.25.2

From any other source (other than 1.1.1.1) to 10.6.25.2:

Source will be 2.2.2.2 to destination 192.168.0.20.

Traffic will not hit this ACL as NAT 0 has higher priority than other traffic.
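
The reasoning in the replies above (outside static restores the real destination, nat 0 exemption is evaluated before nat 1, and any other source falls through to interface PAT) as a runnable model. This is an added example, not code from the thread or from Cisco: it replays the posted configuration under the documented pre-8.3 order of operations and reports which nat (inside) rules a packet matches and what it would leave the outside interface as. Two assumptions are built in and labelled in the code: ACLs are matched against the destination as the inside host sent it (10.6.25.2), and the exemption rule is evaluated first with the remaining rules in configured order. It shows why Jon asked about the overlap (both ACLs match 1.1.1.1 -> 10.6.25.2, so first-match order decides); it does not reproduce the packet-tracer output the original poster saw.

```python
"""Model of the ASA 8.2 (pre-8.3) NAT order of operations for one packet."""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Configuration as posted in the thread; the outside interface is 2.2.2.2.
CONFIG = """
static (outside,inside) 10.6.25.2 192.168.0.20 netmask 255.255.255.255
access-list outside_pat extended permit ip any host 10.6.25.2
access-list inside_nat0_outbound extended permit ip host 1.1.1.1 10.6.25.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list outside_pat
global (outside) 1 interface
"""
INTERFACE_ADDR = {"outside": IPv4("2.2.2.2")}


@dataclass
class Ace:
    src: Net
    dst: Net

    def matches(self, src, dst):
        return src in self.src and dst in self.dst


@dataclass
class Config:
    acls: dict = field(default_factory=dict)       # name -> [Ace]
    nat_rules: list = field(default_factory=list)  # (ifc, id, acl name)
    globals_: dict = field(default_factory=dict)   # (ifc, id) -> "interface" or address
    statics: list = field(default_factory=list)    # (real_if, mapped_if, mapped, real)


def _addr(t, i):
    """One ACL address operand: 'any', 'host A' or 'A MASK'."""
    if t[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return Net(t[i + 1] + "/32"), i + 2
    return Net(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_config(text):
    cfg = Config()
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":      # access-list NAME extended permit ip SRC DST
            i = t.index("ip") + 1
            src, i = _addr(t, i)
            dst, _ = _addr(t, i)
            cfg.acls.setdefault(t[1], []).append(Ace(src, dst))
        elif t[0] == "nat":            # nat (IFC) ID access-list NAME
            cfg.nat_rules.append((t[1].strip("()"), int(t[2]), t[4]))
        elif t[0] == "global":         # global (IFC) ID interface|ADDR
            cfg.globals_[(t[1].strip("()"), int(t[2]))] = t[3]
        elif t[0] == "static":         # static (REAL_IF,MAPPED_IF) MAPPED REAL
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg.statics.append((real_if, mapped_if, IPv4(t[2]), IPv4(t[3])))
    # Assumption of this model: NAT exemption (id 0) is evaluated before the
    # other nat rules whatever order the lines appear in; the rest keep
    # configured order (sort is stable).
    cfg.nat_rules.sort(key=lambda r: r[1] != 0)
    return cfg


def matching_nat_ids(cfg, ingress, src, dst):
    """IDs of every nat (ingress) rule whose ACL matches src->dst, in evaluation order."""
    s, d = IPv4(src), IPv4(dst)
    return [nid for ifc, nid, acl in cfg.nat_rules
            if ifc == ingress and any(a.matches(s, d) for a in cfg.acls[acl])]


def translate(cfg, ingress, egress, src, dst):
    """Return (src, dst, rule) as the packet would leave `egress` under the model."""
    s, d = IPv4(src), IPv4(dst)
    # Outside static: inside hosts address the remote host by its mapped
    # address; the real address is restored when the packet goes out.
    for real_if, mapped_if, mapped, real in cfg.statics:
        if real_if == egress and mapped_if == ingress and d == mapped:
            d = real
    # Source NAT: first matching rule wins. Assumption of this model: ACLs are
    # matched against the destination as the inside host sent it.
    hits = matching_nat_ids(cfg, ingress, src, dst)
    if not hits:
        return str(s), str(d), "no nat rule matched"
    nid = hits[0]
    if nid == 0:
        return str(s), str(d), "nat 0 (exempt, source unchanged)"
    pool = cfg.globals_[(egress, nid)]
    s = INTERFACE_ADDR[egress] if pool == "interface" else IPv4(pool)
    return str(s), str(d), f"nat {nid} -> global ({egress}) {nid} {pool}"


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for host in ("1.1.1.1", "1.1.1.5"):
        print(host, "-> 10.6.25.2 matches nat ids", matching_nat_ids(cfg, "inside", host, "10.6.25.2"))
        print("   leaves outside as %s -> %s via %s" % translate(cfg, "inside", "outside", host, "10.6.25.2"))
```

Running it prints that 1.1.1.1 -> 10.6.25.2 matches both nat 0 and nat 1 and, under the documented order, leaves as 1.1.1.1 -> 192.168.0.20, while 1.1.1.5 -> 10.6.25.2 matches only nat 1 and leaves as 2.2.2.2 -> 192.168.0.20. If the real box shows the source PATted to 2.2.2.2 for 1.1.1.1, the model's first assumption is the thing to test, which is what Jon's narrower ACL plus a `clear xlate` does.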
