question about nat on asa v8.0 with same-security interfaces

mat_rouch
Level 1

I want to make sure I understand how the nat requirements work on asa v8.0 when inter-interface is set.  Background:

nat control is off.

same-security-traffic permit inter-interface is on.

"inside" and "MPLS" interfaces are both at security level 100.

"outside" is, of course, as security level 0.

The relevant config looks like this:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address <public IP>
!
interface Ethernet0/1
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif MPLS
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
access-list inside_nat0_outbound extended permit ip any Net-192.168.105.0 255.255.255.0
access-list MPLS_nat0_outbound extended permit ip any Net-192.168.0.105 255.255.255.0
!
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 101 Net-192.168.0.0 255.255.0.0
nat (MPLS) 0 access-list MPLS_nat0_outbound
nat (MPLS) 101 Net-192.168.0.0 255.255.0.0
!
static (MPLS,outside) <public IP> <MPLS internal IP> netmask 255.255.255.255
static (inside,outside) <public IP> <inside internal IP> netmask 255.255.255.255

Am I correct in thinking that traffic will pass between inside (192.168.2.x) and MPLS (192.168.3.x) in either direction with NO NATting, assuming the access-groups assigned to the interfaces permit the traffic?

Thanks,

-Mathew

3 Replies

Maykol Rojas
Cisco Employee

Matt,

Nope. Because NAT 0 is not defined for those two networks, they will end up hitting the regular NAT on inside that actually covers it, and it will say no translation group found.

Mike

Mike,

I had been under the impression that if there was no nat or static that matched, it would permit the traffic with no NATting.

If I add one line:

access-list MPLS_nat0_outbound extended permit ip Net-192.168.0.0 255.255.0.0 Net-192.168.0.0 255.255.0.0

Should it work for traffic originating from either inside or MPLS?  Based on my packet-tracer output it appears that it should.

Thanks,

-Mathew

Matt,

You are totally right; however, this NAT rule

nat (inside) 101 Net-192.168.0.0 255.255.0.0

is a /16, which will take 192.168.3.0, use that NAT, and then try to find a global for it. Now, if you add that ACL as part of your NAT 0 configuration, that will do the trick.

Mike.
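To make the order of operations Mike describes concrete, here is an added Python model (not from the thread and not Cisco code) of the pre-8.3 ASA NAT lookup with nat-control off: NAT exemption first, then static, then dynamic nat/global pairing, with "no translation group found" when a nat ID matches but the egress interface has no matching global. It assumes both nat 0 ACLs reference 192.168.105.0/24, and the hosts behind the <public IP> statics are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the pre-8.3 ASA NAT lookup with nat-control disabled. Added example,
# not from the thread; the rule order (exemption, static, dynamic) follows the 8.0 behaviour.
@dataclass
class AsaNat:
    exempt: dict = field(default_factory=dict)    # nat (IF) 0 access-list: IF -> [(src_net, dst_net)]
    statics: list = field(default_factory=list)   # static (REAL_IF,MAPPED_IF): [(real_if, mapped_if, host)]
    dynamic: dict = field(default_factory=dict)   # nat (IF) ID net: IF -> [(id, net)]
    globals_: dict = field(default_factory=dict)  # global (IF) ID: IF -> {id}

    def lookup(self, src_if, dst_if, src_ip, dst_ip):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        # 1. NAT exemption is checked first and matches in both directions: the ingress
        #    interface's ACL forward, or the egress interface's ACL with src/dst swapped.
        fwd = any(src in s and dst in d for s, d in self.exempt.get(src_if, []))
        rev = any(dst in s and src in d for s, d in self.exempt.get(dst_if, []))
        if fwd or rev:
            return "exempt (no translation)"
        # 2. static for exactly this (real, mapped) interface pair
        if any((r, m) == (src_if, dst_if) and src == h for r, m, h in self.statics):
            return "static"
        # 3. dynamic NAT: once a nat ID matches the source, a global with the same ID must
        #    exist on the egress interface, otherwise the ASA drops the packet
        for nat_id, net in self.dynamic.get(src_if, []):
            if src in net:
                if nat_id in self.globals_.get(dst_if, set()):
                    return f"dynamic nat {nat_id}"
                return "drop: no translation group found"
        return "pass untranslated"  # nothing matched and nat-control is off

def thread_asa(add_exemption=False):
    """The thread's config; hosts behind the <public IP> statics are constructed."""
    n, h = ipaddress.ip_network, ipaddress.ip_address
    asa = AsaNat(
        exempt={"inside": [(n("0.0.0.0/0"), n("192.168.105.0/24"))],
                "MPLS":   [(n("0.0.0.0/0"), n("192.168.105.0/24"))]},
        statics=[("MPLS", "outside", h("192.168.3.10")), ("inside", "outside", h("192.168.2.10"))],
        dynamic={"inside": [(101, n("192.168.0.0/16"))], "MPLS": [(101, n("192.168.0.0/16"))]},
        globals_={"outside": {101}},
    )
    if add_exemption:  # Mathew's proposed MPLS_nat0_outbound line: permit ip /16 -> /16
        asa.exempt["MPLS"].append((n("192.168.0.0/16"), n("192.168.0.0/16")))
    return asa

if __name__ == "__main__":
    for fix in (False, True):
        asa = thread_asa(fix)
        print("with fix" if fix else "as posted", asa.lookup("inside", "MPLS", "192.168.2.50", "192.168.3.50"))
```

Running it shows the posted config dropping inside-to-MPLS traffic with "no translation group found", while the single added exemption line clears both directions and leaves Internet-bound traffic on nat/global 101.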
