Cisco ASA 8.3 - NAT and Matching Global Statements

I have a Cisco ASA running 8.2 in routed mode.

The ASA has three interfaces, inside, outside and DMZ. They connect to the following three networks:

Inside: 10.1.1.0/24

Outside: 10.1.2.0/24

DMZ: 100.1.1.0/24

I have the following dynamic PAT configuration:

nat (inside) 1 10.1.1.0 255.255.255.0

global (outside) 1 100.1.1.1

nat control is turned off.

By my understanding any traffic from the inside to outside interface will be PATted to 100.1.1.1. However, communications between inside and the DMZ will not be PATted, and should work with no problems.

This seems to be corroborated by this document:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/no.html#wp1756533

Which states:

"The adaptive security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues."

EDIT:

I may have misunderstood the above statement.

I found this guide to configuring NAT/PAT:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_dynamic.html#wp1078939

It states:

"When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group of addresses when they access any lower or same security level interface; you must apply a global command with the same NAT ID on each interface, or use a static command. NAT is not required for that group when it accesses a higher security interface because to perform NAT from outside to inside you must create a separate nat command using the outside keyword. If you do apply outside NAT, then the NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected."

Bit sneaky to not add this as a caveat in the configuration guide.

/EDIT

My problem is that packet tracer does not seem to bear me out. It tells me the packet is dropped due to "no matching global" when I source traffic from the inside interface and send it to the DMZ.

Does anyone have any ideas as to why this is? It seems odd that you'd have to configure nat exemption to communicate to every single other interface just to facilitate PAT between one interface pair.

Thanks.

3 Replies

Julio Carvajal
VIP Alumni

Hello Dhananjean,

"The adaptive security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues."

That is correct, but in this case a packet coming from the inside subnet (10.1.1.0/24) will match the nat (inside) 1..

Do you understand what I mean?

So of course the packet will be denied because of the no matching global

Place a global (dmz) 1 interface or create an identity NAT if you do not want to NAT the inside subnet when they go to the DMZ area.

Any other question? Sure. Just remember to rate all of my answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I understand what you mean, but consider a NAT statement that matches say a /25 of the connected subnet. What do you reckon would happen there?

Anyway, I have tested what I've mentioned in the edited section of my previous post and it's correct. If you decrease the security level of the interface the traffic originates from (inside in this case) and try to pass traffic to DMZ then packet tracer will still complain about "no matching global" but the traffic will pass.

Cisco really needs to make the deal with security levels and PAT more visible in the command references instead of burying it in a configuration guide somewhere.

Good you understand.. Hope more than 1 star as the rate.

"but consider a NAT statement that matches say a /25 of the connected subnet. What do you reckon would happen there?"

Then the part of the subnet going to the DMZ that is outside the /25 netmask will be able to go (no need for a global).

I mean Cisco mentions that all over the place... Well, at least you know how it works now.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
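The behaviour argued over in this thread (a host that matches a nat command needs a global with the same NAT ID on every same-or-lower-security egress interface, while hosts outside the nat statement and traffic toward a higher-security interface pass untranslated) can be checked against a small model. The following is an added example written for this page, not Cisco code and not an emulation of the ASA's full NAT order: it parses the handful of 8.2 commands used above, applies the rule from the quoted configuration guide, and tries the poster's configuration, Julio's two fixes (a global on the DMZ and a NAT exemption), the /25 case, and the lowered-security-level test. The security levels, interface addresses and the NONAT access-list are constructed assumptions; the nat ID on the global command is added because the command requires one.

```python
"""Simplified model of ASA 8.2 dynamic NAT/PAT matching with nat-control disabled.
Illustrative code for this page, not Cisco's implementation."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed assumptions: the thread gives the subnets but not these values.
SECURITY = {"inside": 100, "dmz": 50, "outside": 0}
IF_ADDR = {"inside": "10.1.1.254", "dmz": "100.1.1.254", "outside": "10.1.2.254"}

Net = ipaddress.IPv4Network


@dataclass
class NatConfig:
    acls: Dict[str, List[Tuple[Net, Net]]] = field(default_factory=dict)
    exempt: List[Tuple[str, str]] = field(default_factory=list)        # nat (ifc) 0 access-list NAME
    dynamic: List[Tuple[str, int, Net]] = field(default_factory=list)  # nat (ifc) ID NET MASK
    globals_: Dict[Tuple[str, int], str] = field(default_factory=dict) # (egress ifc, ID) -> ip | "interface"


def _net(ip: str, mask: str) -> Net:
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse_config(text: str) -> NatConfig:
    """Parse only the command subset used in the thread."""
    cfg = NatConfig()
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":  # access-list NAME extended permit ip SRC SMASK DST DMASK
            cfg.acls.setdefault(t[1], []).append((_net(t[5], t[6]), _net(t[7], t[8])))
        elif t[0] == "nat":
            ifc, nat_id = t[1].strip("()"), int(t[2])
            if nat_id == 0 and t[3] == "access-list":
                cfg.exempt.append((ifc, t[4]))
            else:
                cfg.dynamic.append((ifc, nat_id, _net(t[3], t[4])))
        elif t[0] == "global":  # global (IFC) ID {IP | interface}
            cfg.globals_[(t[1].strip("()"), int(t[2]))] = t[3]
    return cfg


def evaluate(cfg: NatConfig, src_ifc: str, src_ip: str, dst_ifc: str, dst_ip: str,
             security: Dict[str, int] = SECURITY) -> Tuple[str, Optional[str]]:
    """Return (verdict, mapped source address) for a flow from src_ifc to dst_ifc."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. NAT exemption (nat 0 access-list) is consulted before dynamic rules.
    for ifc, acl in cfg.exempt:
        if ifc == src_ifc and any(src in s and dst in d for s, d in cfg.acls.get(acl, [])):
            return ("pass-exempt", src_ip)
    # 2. Is the source covered by a nat command on the ingress interface?
    match = next((r for r in cfg.dynamic if r[0] == src_ifc and src in r[2]), None)
    if match is None:
        return ("pass-untranslated", src_ip)  # nat-control off: no rule, no translation
    # 3. Toward a higher-security interface NAT is not required for the group.
    if security[dst_ifc] > security[src_ifc]:
        return ("pass-untranslated", src_ip)
    # 4. Same or lower security: a global with the same ID must exist on the egress interface.
    mapped = cfg.globals_.get((dst_ifc, match[1]))
    if mapped is None:
        return ("drop-no-matching-global", None)
    return ("pat", IF_ADDR[dst_ifc] if mapped == "interface" else mapped)


# Constructed configurations: the poster's, and the fixes from the replies.
ORIGINAL = """
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 100.1.1.1
"""
WITH_DMZ_GLOBAL = ORIGINAL + "global (dmz) 1 interface\n"
WITH_EXEMPTION = """
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 100.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
""" + ORIGINAL
HALF_SUBNET = """
nat (inside) 1 10.1.1.0 255.255.255.128
global (outside) 1 100.1.1.1
"""

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("dmz global", WITH_DMZ_GLOBAL),
                       ("exemption", WITH_EXEMPTION), ("/25 nat", HALF_SUBNET)):
        cfg = parse_config(text)
        print(f"{name:10} inside->outside", evaluate(cfg, "inside", "10.1.1.10", "outside", "10.1.2.20"))
        print(f"{name:10} inside->dmz    ", evaluate(cfg, "inside", "10.1.1.10", "dmz", "100.1.1.20"))
        print(f"{name:10} .200 ->dmz     ", evaluate(cfg, "inside", "10.1.1.200", "dmz", "100.1.1.20"))
    # The poster's experiment: inside below the DMZ's security level, same config.
    lowered = {"inside": 40, "dmz": 50, "outside": 0}
    print("lowered    inside->dmz    ", evaluate(parse_config(ORIGINAL), "inside", "10.1.1.10", "dmz", "100.1.1.20", lowered))
```

With the original configuration the model translates inside-to-outside to 100.1.1.1 and drops inside-to-DMZ for lack of a global, which is what packet tracer reported; adding global (dmz) 1 interface PATs that traffic to the DMZ interface address, and the NONAT exemption passes it untranslated while leaving PAT to the outside intact. With the /25 nat statement, 10.1.1.200 falls outside the group and passes untranslated, as Julio's last reply says.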