
New Member

ASA 9.0(2) Problem with twice nat

Good afternoon Community,

I have this problem while NATting source and destination using twice NAT for a bi-directional flow:

Placing the new NAT line in 1st position (the bolded line in the following example), the NAT works fine for both source and destination.

Placing the same line in any other position, this is what happens:

- It works correctly for both source and destination NAT only when the source of the flow is the host on the outside interface.

- If the flow is initialized from the inside host, the NAT works just for the source host and not for the destination.

I'm going crazy with this.

Many thanks in advance and have a nice day.

#show run nat:

nat (inside,outside) source static obj-10.123.130.7 obj-94.x.x.x destination static obj-192.168.153.1 obj-213.x.x.x
nat (inside,dmz) source static obj-10.123.130.0 obj-10.199.16.0
nat (dmz,inside) source dynamic obj-172.16.26.0 obj-10.123.128.2 destination static obj-217.x.x.x obj-217.x.x.x
nat (outside,inside) source dynamic obj-170.248.38.122 obj-10.123.128.2 destination static obj-217.x.x.x obj-217.x.x.x
nat (dmz,inside) source dynamic obj-10.180.116.0 obj-10.123.128.2 destination static obj-10.123.143.0 obj-10.123.143.0
nat (dmz,inside) source dynamic obj-172.16.181.96 obj-10.123.128.8 destination static obj-10.199.21.153 obj-10.123.134.153
nat (dmz,inside) source dynamic obj-192.168.10.96 obj-10.123.128.9 destination static obj-10.199.21.153 obj-10.123.134.153
nat (dmz,inside) source dynamic obj-10.182.0.0 obj-10.123.128.3 destination static obj-10.199.16.0 obj-10.123.130.0
nat (outside,inside) source dynamic obj-144.x.x.x obj-10.123.128.3 destination static obj-94.x.x.x obj-10.123.130.0
nat (outside,inside) source dynamic obj-170.x.x.x obj-10.123.128.3 destination static obj-94.x.x.x obj-10.123.130.0
nat (dmz,inside) source dynamic obj-10.182.0.0 obj-10.123.128.3 destination static obj-217.x.x.x obj-217.x.x.x
nat (dmz,inside) source dynamic obj-10.180.116.0 obj-10.123.128.2 destination static obj-217.x.x.x obj-217.x.x.x
nat (dmz,inside) source dynamic obj-172.16.10.0 obj-10.123.128.2 destination static obj-10.123.143.0 obj-10.123.143.0
nat (dmz,inside) source dynamic obj-172.16.10.0 obj-10.123.128.2 destination static obj-10.123.134.0 obj-10.123.134.0
nat (dmz,inside) source dynamic obj-10.180.112.0 obj-10.123.128.2 destination static obj-10.123.143.0 obj-10.123.143.0
nat (dmz,inside) source dynamic obj-172.16.238.216 obj-10.123.128.2 destination static obj-10.123.128.0 obj-10.123.128.0

2 ACCEPTED SOLUTIONS
VIP Green

ASA 9.0(2) Problem with twice nat

When you say that you place the NAT anywhere else, then I suppose the following line is in number 1 position?

nat (inside,dmz) source static obj-10.123.130.0 obj-10.199.16.0

I am suspecting that this line could be what is causing your issues. You could try to place this one at the bottom of the list and then place the new line somewhere in the middle and see if it works as expected.

--
Please remember to rate and select a correct answer

Super Bronze

Re: ASA 9.0(2) Problem with twice nat

Hi,

This probably is not a bug. But then again I can't quite explain or understand the exact cause of the problem.

But I would say the "nat" configuration that is causing problems for you is this command

nat (inside,dmz) source static obj-10.123.130.0 obj-10.199.16.0

The reason is most likely the fact that it has no "destination" parameters defined, so the ASA will apply it to "any" destination address.

The moment where I get lost is why would the packet match the above "nat" rule's "destination" of "any" and then completely ignore its "source" translation parameters?

I actually tried to look at this situation earlier on my own firewall but still couldn't quite grasp it.

I would assume that if I could read the output of the "show nat divert-table" command properly I could determine the cause of what you are seeing. Maybe even some document might explain this, or naturally someone from Cisco.

In the meantime I would suggest the following to correct this situation.

  • Change the above mentioned Identity NAT configuration to Static Policy NAT

What I mean with the above is that you define the exact networks behind "dmz" under an "object-group" and define those as the "destination" parameter of the current "nat" rule that you see above. I would presume that this would cause the ASA to ignore that rule and move on to the actual rule you want to match even if it was located at the end of the NAT configurations you have above.

  • Keep this new NAT rule you have at the top of the NAT configurations.

Just keep the new NAT rule at the top so it gets matched properly

Hope this helps

- Jouni
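As an added illustration of why Jouni's first suggestion works (this is not code from the thread or from Cisco): a small Python model of first-match evaluation over manual (section 1) NAT lines, run against the inside-originated flow from the original post. The object definitions and the og-dmz-nets object-group are assumptions, because the thread never shows them; the model matches on ingress interface and real addresses only and ignores egress-interface selection, the divert table and auto NAT (section 2).

```python
import ipaddress
import re

# The thread never shows the object definitions, so these are constructed
# assumptions: "obj-a.b.c.0" names are /24 networks, the rest single hosts;
# og-dmz-nets is a hypothetical object-group for the networks behind "dmz".
OBJECTS = {
    "obj-10.123.130.7": ipaddress.ip_network("10.123.130.7/32"),
    "obj-10.123.130.0": ipaddress.ip_network("10.123.130.0/24"),
    "obj-192.168.153.1": ipaddress.ip_network("192.168.153.1/32"),
    "obj-10.199.16.0": ipaddress.ip_network("10.199.16.0/24"),
    "og-dmz-nets": ipaddress.ip_network("10.199.16.0/24"),
}
RULE_RE = re.compile(r"nat \((\w+),(\w+)\) source (?:static|dynamic) (\S+) (\S+)"
                     r"(?: destination static (\S+) (\S+))?")

def parse_rule(line):
    """Split one manual (section 1) NAT line into its matching fields."""
    m = RULE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError("not a manual NAT line: " + line)
    keys = ("src_if", "dst_if", "src_real", "src_mapped", "dst_mapped", "dst_real")
    return dict(zip(keys, m.groups()))

def first_match(rules, ingress, src, dst):
    """First-match over the rules for a forward flow entering on `ingress`.
    A rule with no destination clause matches any destination, which is how
    the identity rule at position 1 shadows the twice-NAT line below it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pos, line in enumerate(rules, 1):
        r = parse_rule(line)
        if r["src_if"] != ingress or src not in OBJECTS[r["src_real"]]:
            continue
        if r["dst_mapped"] is not None and dst not in OBJECTS[r["dst_mapped"]]:
            continue
        return pos, r
    return None

# The two lines from the thread; the obfuscated mapped addresses are never
# looked up because matching only uses the real (pre-translation) objects.
TWICE = ("nat (inside,outside) source static obj-10.123.130.7 obj-94.x.x.x "
         "destination static obj-192.168.153.1 obj-213.x.x.x")
IDENTITY = "nat (inside,dmz) source static obj-10.123.130.0 obj-10.199.16.0"
# Jouni's proposed fix: scope the identity rule to the real dmz networks.
IDENTITY_SCOPED = IDENTITY + " destination static og-dmz-nets og-dmz-nets"

def mapped_source_for(order):
    """Mapped source object the inside host's flow to 192.168.153.1 receives."""
    hit = first_match(order, "inside", "10.123.130.7", "192.168.153.1")
    return hit[1]["src_mapped"] if hit else None
```

With the unscoped identity rule first, the flow to 192.168.153.1 never reaches the twice-NAT line; once the identity rule carries a dmz-only destination, the same ordering falls through to it.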

4 REPLIES
New Member

ASA 9.0(2) Problem with twice nat

No one can explain this strange behavior?

Might it be a bug in this ASA version?

Please help me.


New Member

Re: ASA 9.0(2) Problem with twice nat

Hi all,

Thank you very much for this solution.

I moved the line "nat (inside,dmz) source static obj-10.123.130.0 obj-10.199.16.0"

into the automatic NAT under the network object,

and now I can move the line as I want without losing the properties of the source and destination NAT.

It remains to be seen how that line, "nat (inside,dmz) source static obj-10.123.130.0 obj-10.199.16.0",
would interfere with the flow of traffic destined to different interfaces compared to "nat (inside,outside) source static obj-10.123.130.7 obj-94.x.x.x destination static obj-192.168.153.1 obj-213.x.x.x".

Best regards

-emanuele
