ASA 8.4 Twice Nat question

Fedor.Malikh
Level 1

Hello,

I have a question concerning twice NAT.

Let's assume that we have the following construction:

nat (Inside,Outside) source dynamic Real.Source Translated.Source destination static Real.Destination object network Translated.Destination

My question is how ASA does routing lookups.

When the ASA has no route to Translated.Destination and has a route to Real.Destination, I get a route lookup fail error.

When the ASA has no route to Real.Destination and has a route to Translated.Destination, the translation does work. But how does the ASA know that the packet before translation matches the (inside,outside) direction if it doesn't have a route to Real.Destination?

It seems like the ASA just checks whether a packet matches Real.Source and Real.Destination in a NAT rule, then performs the translation and only after that does the routing lookup.

Please let me know if there is any additional information on this topic available.

Thank you.


4 Replies

Jouni Forss
VIP Alumni

Hi,

The correct format for the NAT configuration would be

nat (sourceint,destinationint) source dynamic destination static

In your above example you have the destination addresses the wrong way around. You can check this with the question mark "?" when you're at that point of the command.

For example

ASA(config)# nat (LAN,WAN) source dynamic REAL MAPPED destination static ?

configure mode commands/options:
  WORD       Specify object or object-group name for mapped destination
  interface  Specify interface overload

I am afraid that the whole subject of routing and using the NAT to determine the egress interface is also still a bit confusing, especially because of the different behaviour we see depending on the software. Some of the operations seem to me to be undocumented and some just described wrong in the document, or I just don't understand the logic behind them. (I even checked one of the latest 9.x documents.)

But if you are running one of the latest software levels of 8.4(x) or a 9.x series software, the following will probably apply to your situation.

  • If the destination address for the connection incoming to the ASA has a translation (mapped destination) THEN the NAT configuration will determine which interface will be chosen as the destination/egress interface. If no destination parameters are configured then the ASA will refer to its routing table and then match the correct NAT configuration.

Example:

I have a "nat" configuration that does Identity NAT for all the destination addresses for a single LAN host towards the WLAN interface. When I try connections to any destination address with the help of the "packet-tracer" command, I see the above happening.

nat (LAN,WLAN) source static HOST HOST destination static ALL ALL

ASA(config)# packet-tracer input LAN tcp 10.0.0.200 12345 1.1.1.1 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WLAN) source static HOST HOST destination static ALL ALL
Additional Information:
NAT divert to egress interface WLAN
Untranslate 1.1.1.1/80 to 1.1.1.1/80

So as you can see there is no route lookup for this connection. The connection's destination address matches the NAT rule and gets diverted because of the configuration.

Then I add the same "nat" configuration with the "route-lookup" parameter (can only be used with Identity NAT), and then we see a route lookup happen.

nat (LAN,WLAN) source static HOST HOST destination static ALL ALL route-lookup

ASA(config)# packet-tracer input LAN tcp 10.0.0.200 12345 1.1.1.1 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         WAN

So as we can see, since the destination address of our "packet-tracer" didn't match the "nat" configuration after the route lookup, the "nat" configuration will not be applied and this connection would be forwarded out of my "WAN" interface with one of my basic Dynamic PAT configurations.

With NAT types other than Identity NAT you won't be able to use the "route-lookup" parameter. Though it seems that in the newer software levels the "destination static" portion of the "nat" configuration will have the ability to choose the egress interface of any connection, while this was not true in the older software.

All the above might be confusing and I am not sure if I can still explain it correctly myself.

I have written a NAT document on the Cisco Support Community that you can find here:

https://supportforums.cisco.com/docs/DOC-31116

Though it is still a work in progress and only contains some basic information. Topics such as this are something that would require a lot more time for me to go through. There is still a lot of content that should end up in that document, but it all depends on when I get the time and motivation to work on it. Considering my current situation at work it might be hard to get anything done for at least a couple of months.

Hope this helps

- Jouni

Hi Jouni,

First of all let me thank you for such a detailed answer.

The NAT statement is indeed:

nat (sourceint,destinationint) source dynamic destination static

In my opinion those destinations are confusing.

I read it this way: if a packet goes from interface and its source address belongs to and destination of the packet is <mapped destination (that's weird)> then:

is translated to

is translated to

For an incoming packet that is its untranslated destination, and that's why I called it Real.Destination in my example.

So if I have a packet coming from inside:

Source: 1.1.1.1; Destination: 2.2.2.2

and I want it to be translated and forwarded to outside with: Source: 1.1.1.2; Destination: 2.2.2.3

Then I must have a route only to 2.2.2.3 pointing outside?

Thanks again.

Hi,

To my understanding you will only need to have a route for the real destination IP address.

The traffic flow and NAT can be pretty confusing at times and I don't always get them right.

When you have mapped the destination network, what essentially happens is:

  • Some route which is probably the default route forwards the traffic from some internal router or the host to the firewall
  • Firewall matches the destination IP address to be a mapped IP address in its NAT configurations and therefore performs an UN-NAT to it. Essentially it untranslates the destination IP address to the real destination IP address (of which the connecting host has no idea naturally)
  • Firewall also matches the source address for the translation and performs NAT for it

Most of the time when you're building special NAT configurations towards your "outside" interface you won't really have to worry about the routing, as this interface probably already holds the default route. In cases where the destination interface is something else you will probably have to resort to adding a route.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more though

- Jouni

Hi Jouni,

I've built this in GNS3, with minimal routing configured

objects:

real.source
192.168.1.1

mapped.source
7.7.7.7

mapped.destination
1.1.1.1
2.2.2.2
3.3.3.3

real.destination
10.10.1.1
10.20.1.1
10.30.1.1

nat (inside,outside) source dynamic real.source mapped.source destination static mapped.destination real.destination

It does require routes for real.destination hosts only.

No routes for mapped.destination hosts are required.

That's completely different from IOS routers.

I think that's enough of NAT'ing investigations for me

Thank you.
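As an added illustration (not code from this thread, from Cisco, or from the ASA itself), here is a small Python model of the processing order Jouni describes and the GNS3 test above confirms: the flow is matched on the real source and the mapped destination, the destination is un-NATed, the egress interface comes from the NAT rule (or from a route lookup only when the rule carries route-lookup), and a route is required for the real destination only. The object names and addresses are the ones posted above; the routing table, the rule dictionary and the function names are assumptions made for the example.

```python
import ipaddress

# Constructed lab objects, copied from the GNS3 test posted in the thread.
OBJECTS = {
    "real.source": ["192.168.1.1"],
    "mapped.source": ["7.7.7.7"],
    "mapped.destination": ["1.1.1.1", "2.2.2.2", "3.3.3.3"],
    "real.destination": ["10.10.1.1", "10.20.1.1", "10.30.1.1"],
}
# nat (inside,outside) source dynamic real.source mapped.source
#     destination static mapped.destination real.destination
# (assumed in-memory representation of that rule; route_lookup=False)
NAT_RULE = {"src_if": "inside", "dst_if": "outside",
            "real_src": "real.source", "mapped_src": "mapped.source",
            "mapped_dst": "mapped.destination", "real_dst": "real.destination",
            "route_lookup": False}

def route_lookup(routes, ip):
    """Longest-prefix match over [(prefix, interface)]; None when no route."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def process(routes, ingress, src, dst, rule=NAT_RULE):
    """Model of the order described in the thread.  Returns
    (translated_src, real_dst, egress) or raises LookupError."""
    mapped = OBJECTS[rule["mapped_dst"]]
    # Rule lookup uses the REAL source and the MAPPED destination
    matches = (ingress == rule["src_if"]
               and src in OBJECTS[rule["real_src"]] and dst in mapped)
    if matches and rule["route_lookup"]:
        # route-lookup: the rule is applied only if routing agrees on egress
        matches = route_lookup(routes, dst) == rule["dst_if"]
    if not matches:
        egress = route_lookup(routes, dst)        # plain routing, no UN-NAT
        if egress is None:
            raise LookupError(f"no route to {dst}")
        return src, dst, egress
    # Static 1:1 UN-NAT by position, then the NAT rule picks the egress
    real_dst = OBJECTS[rule["real_dst"]][mapped.index(dst)]
    # Only the REAL destination needs a route; mapped hosts need none
    if route_lookup(routes, real_dst) is None:
        raise LookupError(f"no route to real destination {real_dst}")
    return OBJECTS[rule["mapped_src"]][0], real_dst, rule["dst_if"]
```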
