How to NAT by default with exceptions (ASA)

Scott Cannon
Level 1

Hi Guys,

I have an ASA 5510 (OS 7.0.2) that separates a remote access subnet from an ecommerce subnet.

What I want to implement is configuration that says, by default, NAT from the remote access subnet is not required; however, some specific addresses need to be NAT'd.

I am thinking of implementing the following config, but I'm not certain it will work and I do not have a test environment to test in:

! By default, traffic is NAT'd to 1.1.1.1
nat (remote_access_if) 1 0.0.0.0 0.0.0.0
global (ecommerce_subnet_if) 1 1.1.1.1

! Specified traffic not to NAT
access-list NAT_EXCEPTIONS extended permit ip any 10.1.1.0 255.255.255.0
access-list NAT_EXCEPTIONS extended permit ip any 10.1.2.0 255.255.255.0

! Do not NAT specified traffic
nat (remote_access_if) 2 access-list NAT_EXCEPTIONS
global (ecommerce_subnet_if) 2 0.0.0.0

My fear is this will NAT traffic I don't want NAT'd to 0.0.0.0.

Can anyone confirm if my config is suitable to meet my objectives?

TIA

Rgds

Scott

7 Replies

Jennifer Halim
Cisco Employee

NAT exemption (NAT 0 with ACL) takes precedence over the dynamic NAT, hence you can't configure a generic ACL with the whole subnet to be exempted.

global (ecommerce_subnet_if) 2 0.0.0.0 ---> this is an incorrect statement. You can't configure global with 0.0.0.0, and a nat and global pair is actually configured to NAT the traffic.

If you can share the interface subnet of both remote and ecommerce as well as the security level configured for each interface, plus what ip you would like to NAT and to NAT it to what ip address, as well as what you do not want to NAT, then I can try to put something together if it is possible.

Hi Halijen,

Thanks for your response. I figured I'd have to list all the exceptions under nat 0, but there are quite a few so I'm hoping there is another way to do this.

Here is the detail you requested:

interface Ethernet0/2.1
nameif REMOTE
security-level 10
subnet: 192.168.1.0/24

By default, traffic should not be NAT'd coming from this interface, however there are some key IPs that I need to NAT (eg. 192.168.24.0/24 NAT'd to 1.1.1.1 and 172.16.1.0/24 NAT'd to 1.1.1.2)

interface Ethernet0/3.2
nameif ECOMMERCE
security-level 20
subnet: 1.1.1.0/24

If you know of a workaround I would really appreciate you sharing it with me.

Thanks in advance

Rgds

Scott

OK, so you would like to NAT from low security level to high security level. And traffic is between 1.1.1.0/24 and 192.168.24.0/24 and 172.16.1.0/24.

To start with, I assume you already have the following configured:

access-list ecommerce-nonat permit ip 1.1.1.0 255.255.255.0 192.168.24.0 255.255.255.0
access-list ecommerce-nonat permit ip 1.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (ECOMMERCE) 0 access-list ecommerce-nonat

In regards to what you would like to achieve, then you would need to add the following:

access-list remote-pat-1 permit ip 192.168.24.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list remote-pat-2 permit ip 172.16.1.0 255.255.255.0 1.1.1.0 255.255.255.0

nat (REMOTE) 5 access-list remote-pat-1 outside
global (ECOMMERCE) 5 1.1.1.1

nat (REMOTE) 6 access-list remote-pat-2 outside
global (ECOMMERCE) 6 1.1.1.2

Hope that makes sense.

Hi Halijen,

I'm still a little confused. Perhaps you can answer another question for me that would help further my understanding.

Of the following 3 types of NAT rules, what order does the ASA process them in? I.e. what has priority? Does a static rule take precedence over global rules?

Exception rule eg:

nat (if) 0 access-list list
global (if) 0 NAT_IP_address

Global Rules eg:

nat (if) # access-list list
global (if) # NAT_IP_address

Static Rules eg:

static (if, NAT if) NAT_if source_IP netmask mask

I'm sure if I can better understand how the unit handles NAT I can ensure I'm asking and expecting the right questions/information.

Thanks in advance

Cheers

Scott

Scott,

The exception rule that you added is incorrect.

You only need the NAT statement. There's no global 0 statement for identity NAT.

The STATIC NAT rules take precedence over the dynamic NAT rules.

Look at the order of NAT precedence on the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1079279

Hope to help.

Federico.

Federico is correct.

Here is the order of operation:

1) NAT 0 with ACL - NAT exemption

2) Static NAT

3) Dynamic NAT - nat/global pair

The above is correct for source NAT (traffic from high to low security level).

For destination NAT (ie: NATing traffic from low to high security level), for dynamic NAT, you would need to add the "outside" keyword, plus you also need to have source NAT as per my example earlier.
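As an added illustration (not code from the thread or from Cisco), the following Python model encodes the three-tier order of operations listed above (NAT exemption, then static, then dynamic nat/global) and loads the exemption and nat/global rules from the earlier reply so you can see which rule a given flow would hit. The static entry for 192.168.24.10 mapped to 1.1.1.3 and the individual host addresses are constructed for illustration and are not part of the thread; within one tier the model falls back to configuration order, which is a simplification of the ASA's own tie-breaking.

```python
"""Toy model of pre-8.3 ASA NAT rule precedence (nat/global syntax).

Added example, not Cisco code. It implements the order of operations
given in the thread for a source-NAT lookup:
  1) NAT exemption (nat 0 with ACL)
  2) static NAT
  3) dynamic NAT (nat/global pair)
Within a tier, configuration order is used as the tie-breaker (a simplification).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PRECEDENCE = {"exempt": 0, "static": 1, "dynamic": 2}


@dataclass(frozen=True)
class NatRule:
    kind: str                         # "exempt", "static" or "dynamic"
    interface: str                    # nameif the rule is configured on (real side)
    src: str                          # matched source network, CIDR
    dst: str = "0.0.0.0/0"            # matched destination network (ACL-based rules)
    translated: Optional[str] = None  # global / mapped address; None means no translation
    nat_id: int = 0                   # nat/global id, 0 for exemption and static
    outside: bool = False             # "outside" keyword: traffic arriving from the lower-security side


def matches(rule: NatRule, ingress_if: str, src_ip: str, dst_ip: str) -> bool:
    """True if the flow (ingress interface, source, destination) is covered by the rule."""
    return (rule.interface == ingress_if
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst))


def lookup(rules: List[NatRule], ingress_if: str, src_ip: str, dst_ip: str
           ) -> Optional[Tuple[str, int, Optional[str]]]:
    """Return (kind, nat_id, translated_address) of the winning rule, or None if nothing matches."""
    # enumerate() index keeps configuration order as the tie-breaker inside a tier
    hits = [(PRECEDENCE[r.kind], idx, r)
            for idx, r in enumerate(rules)
            if matches(r, ingress_if, src_ip, dst_ip)]
    if not hits:
        return None
    _, _, best = min(hits)  # lowest tier number wins, then earliest in config
    return (best.kind, best.nat_id, best.translated)


# Rule set built from the thread's config; the static entry is constructed for illustration.
RULES = [
    # nat (ECOMMERCE) 0 access-list ecommerce-nonat  (two ACL lines)
    NatRule("exempt", "ECOMMERCE", "1.1.1.0/24", "192.168.24.0/24"),
    NatRule("exempt", "ECOMMERCE", "1.1.1.0/24", "172.16.1.0/24"),
    # static (REMOTE,ECOMMERCE) 1.1.1.3 192.168.24.10  -- constructed, not in the thread
    NatRule("static", "REMOTE", "192.168.24.10/32", translated="1.1.1.3"),
    # nat (REMOTE) 5 access-list remote-pat-1 outside / global (ECOMMERCE) 5 1.1.1.1
    NatRule("dynamic", "REMOTE", "192.168.24.0/24", "1.1.1.0/24", "1.1.1.1", nat_id=5, outside=True),
    # nat (REMOTE) 6 access-list remote-pat-2 outside / global (ECOMMERCE) 6 1.1.1.2
    NatRule("dynamic", "REMOTE", "172.16.1.0/24", "1.1.1.0/24", "1.1.1.2", nat_id=6, outside=True),
]

if __name__ == "__main__":
    # Constructed sample flows; host addresses are illustrative only.
    flows = [
        ("REMOTE", "192.168.24.10", "1.1.1.50"),     # static beats dynamic 5
        ("REMOTE", "192.168.24.20", "1.1.1.50"),     # dynamic 5 -> 1.1.1.1
        ("REMOTE", "172.16.1.7", "1.1.1.50"),        # dynamic 6 -> 1.1.1.2
        ("ECOMMERCE", "1.1.1.50", "192.168.24.20"),  # exemption, no translation
        ("REMOTE", "192.168.1.10", "1.1.1.50"),      # interface subnet, no rule at all
    ]
    for ingress, src, dst in flows:
        print(f"{ingress:9} {src:15} -> {dst:15}: {lookup(RULES, ingress, src, dst)}")
```

The last sample flow returns None because no rule covers 192.168.1.0/24; on a pre-8.3 ASA whether such an unmatched flow is forwarded untranslated or dropped depends on the nat-control setting, which the thread does not discuss, so check it before relying on "no rule means no NAT".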

Thanks Gents. I will do some testing and let you know how I go.

Rgds

Scott
