8.3 static nat

Answered Question
Jul 13th, 2010

I ran into an issue after setting up a firewall with 8.3.  Hosts on the inside that have static translations to public IPs configured within their object network configuration are being PATd instead of using the static nat translation.  It's not until we setup a nat translation separate from the static nat within the object that hosts appeared as their public IPs instead of a PATd IP.  This was an issue for smtp relays, for example, needing a reverse DNS entry.  Here's is the config we used as a work around.

object network HBG-MARSHAL_172.21.4.67
nat (inside,outside) static 23.23.23.23

nat (inside,outside) source static HBG-MARSHAL_172.21.4.67 HBG-MARSHAL_23.23.23.23
nat (inside,outside) source dynamic obj-All_Networks interface

We put the translation above the PAT line, the last line and it works now, but based on my understanding of the following excerpt from the 8.3 admin guide, and my past experience with nat and the ASA, I shouldn't need that line, but maybe there's a nat precedence order I'm missing between object nat and the explicit nat like nat (inside,outside) source static HBG-MARSHAL_172.21.4.67  HBG-MARSHAL_23.23.23.23

"Static NAT creates a fixed translation of a real address to a mapped address. Because the mapped address
is the same for each consecutive connection, static NAT allows bidirectional connection initiation, both
to and from the host (if an access rule exists that allows it)."

The order of nat rules is explained as

"•Order of NAT Rules.
– Network object NAT—Automatically ordered in the NAT table.
– Twice NAT—Manually ordered in the NAT table (before or after network object NAT rules)."

thank you,

Bill

I have this problem too.
0 votes
Correct Answer by Andrew Ossipov about 6 years 4 months ago

Hello Bill,

Indeed, Twice NAT rules will be evaluated (first match) before Network Object NAT. This is why the PAT rule from Section 1 was taking precedence over the static NAT rule from Section 2.

Andrew

Correct Answer by kenrandrews about 6 years 4 months ago

I have not had much experience with the 8.3 version of NAT, but I found this on here:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1118157

By default Twice Nat is put before Network object NAT. However from the looks of it these are both Network Object rules in which case the the static should have been read first, but again I have not had much experience with 8.3. As far as I can tell you are right, but maybe the a, b, and c rules came into effect in your situation.

Table 26-2     NAT Rule Table

Table Section
Rule Type
Order of Rules within the Section

Section 1

Twice NAT

Applied on a first match basis, in the order they appear in the configuration. By default, twice NAT rules are added to section 1.

Note If you configure VPN, the client dynamically adds invisible NAT rules to the end of this section. Be sure that you do not configure a twice NAT rule in this section that might match your VPN traffic, instead of matching the invisible rule. If VPN does not work due to NAT failure, consider adding twice NAT rules to section 3 instead.

Section 2

Network object NAT

Section 2 rules are applied in the following order, as automatically determined by the adaptive security appliance:

1. Static rules.

2. Dynamic rules.

Within each rule type, the following ordering guidelines are used:

a. Quantity of real IP addresses—From smallest to largest. For example, an object with one address will be assessed before an object with 10 addresses.

b. For quantities that are the same, then the IP address number is used, from lowest to highest. For example, 10.1.1.0 is assessed before 11.1.1.0.

c. If the same IP address is used, then the name of the network object is used, in alphabetical order. For example, abracadabra is assessed before catwoman.

Section 3

Twice NAT

Section 3 rules are applied on a first match basis, in the order they appear in the configuration. You can specify whether to add a twice NAT rule to section 3 when you add the rule.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
Correct Answer
kenrandrews Tue, 07/13/2010 - 09:12

I have not had much experience with the 8.3 version of NAT, but I found this on here:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1118157

By default Twice Nat is put before Network object NAT. However from the looks of it these are both Network Object rules in which case the the static should have been read first, but again I have not had much experience with 8.3. As far as I can tell you are right, but maybe the a, b, and c rules came into effect in your situation.

Table 26-2     NAT Rule Table

Table Section
Rule Type
Order of Rules within the Section

Section 1

Twice NAT

Applied on a first match basis, in the order they appear in the configuration. By default, twice NAT rules are added to section 1.

Note If you configure VPN, the client dynamically adds invisible NAT rules to the end of this section. Be sure that you do not configure a twice NAT rule in this section that might match your VPN traffic, instead of matching the invisible rule. If VPN does not work due to NAT failure, consider adding twice NAT rules to section 3 instead.

Section 2

Network object NAT

Section 2 rules are applied in the following order, as automatically determined by the adaptive security appliance:

1. Static rules.

2. Dynamic rules.

Within each rule type, the following ordering guidelines are used:

a. Quantity of real IP addresses—From smallest to largest. For example, an object with one address will be assessed before an object with 10 addresses.

b. For quantities that are the same, then the IP address number is used, from lowest to highest. For example, 10.1.1.0 is assessed before 11.1.1.0.

c. If the same IP address is used, then the name of the network object is used, in alphabetical order. For example, abracadabra is assessed before catwoman.

Section 3

Twice NAT

Section 3 rules are applied on a first match basis, in the order they appear in the configuration. You can specify whether to add a twice NAT rule to section 3 when you add the rule.

Correct Answer
Andrew Ossipov Tue, 07/13/2010 - 12:49

Hello Bill,

Indeed, Twice NAT rules will be evaluated (first match) before Network Object NAT. This is why the PAT rule from Section 1 was taking precedence over the static NAT rule from Section 2.

Andrew

WILLIAM STEGMAN Tue, 07/13/2010 - 12:58

So the only way to overcome this is the way we did it?  I'm curious if there are any other options anyone knows of.

Andrew Ossipov Tue, 07/13/2010 - 13:02

Hello Bill,

If you're using Network Object NAT, you would typically configure dynamic PAT from there; static NAT takes precedence over dynamic NAT/PAT and the address matching is done from more to less specific within that section. If you would prefer to leverage Manual NAT instead, then you would have to watch the order of the statements. Hopefully, this helps. Thanks!

Andrew

Actions

This Discussion