Cisco ASA 8.3 - NAT and Matching Global Statements

Unanswered Question
Oct 4th, 2012

I have a Cisco ASA running 8.2 in routed mode.

The ASA has three interfaces, inside, outside and DMZ. They connect to the following three networks:

Inside: 10.1.1.0/24

Outside: 10.1.2.0/24

DMZ: 100.1.1.0/24

I have the following dynamic PAT configuration:

nat (inside) 1 10.1.1.0 255.255.255.0

global (outside) 100.1.1.1

nat control is turned off.

By my understanding any traffic from the inside to outside interface will be PATted to 100.1.1.1. However, communications between inside and the DMZ will not be PATted, and should work with no problems.

This seems to be corroborated by this document:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/no.html#wp1756533

Which states:

"The adaptive security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues."

EDIT:

I may have misunderstood the above statement.

I found this guide to configuring NAT/PAT:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_dynamic.html#wp1078939

It states:

"When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group of addresses when they access any lower or same security level interface; you must apply a global command with the same NAT ID on each interface, or use a static command. NAT is not required for that group when it accesses a higher security interface because to perform NAT from outside to inside you must create a separate nat command using the outside keyword. If you do apply outside NAT, then the NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected."

Bit sneaky to not add this as a caveat in the configuration guide.

/EDIT

My problem is that packet tracer does not seem to bear me out. It tells me the packet is dropped due to "no matching global" when I source traffic from the inside interface and send it to the DMZ.

Does anyone have any ideas as to why this is? It seems odd that you'd have to configure nat exemption to communicate to every single other interface just to facilitate PAT between one interface pair.

Thanks.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 1 (1 ratings)
Julio Carvaja Thu, 10/04/2012 - 09:23

Hello Dhananjean,

"

The adaptive security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues"

That is correct but in this case a packet comming from the inside subnet (10.1.1.0 /24) will match the nat (inside) 1..

Do you understand what I mean?

So of course the packet will be denied because of the no matching global

Place a global (dmz) 1 interface or create a identity nat if you do not want to nat the inside subnet when they go to the DMZ area.

Any other question..Sure.. Just remember to rate all of my answers.

Julio

Dhana8888 Thu, 10/04/2012 - 10:53

I understand what you mean, but consider a NAT statement that matches say a /25 of the connected subnet. What do you reckon would happen there?

Anyway, I have tested what I've mentioned in the edited section of my previous post and it's correct. If you decrease the security level of the interface the traffic originates from (inside in this case) and try to pass traffic to DMZ then packet tracer will still complain about "no matching global" but the traffic will pass.

Cisco really need to make the deal with security levels and PAT more visible on the command references instead of burying it in a configuration guide somewhere.

Julio Carvaja Thu, 10/04/2012 - 11:01

Good you understand.. Hope more than 1 star as the rate.

but consider a NAT statement that matches say a /25 of the connected subnet. What do you reckon would happen there?

Then the subnet going to the DMZ out of the /25 netmask will be able to go ( NO need for a global)

I mean cisco mention that all over the place.... Well at least you know how it works now

Actions

Login or Register to take actions

This Discussion

Posted October 4, 2012 at 8:41 AM
Stats:
Replies:3 Avg. Rating:1
Views:1029 Votes:0
Shares:0
Tags: nat, pat, asa5585, asa_8.2
+

Related Content

Discussions Leaderboard

Rank Username Points
1 7,861
2 6,140
3 3,170
4 1,473
5 1,446