Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

ASA 9.1 (3) 2 NAT questions

Hi all, have a few questions on the new version of Natting, post ASA version 8.2 which is what I am familiar with.
I have a new 5525x firewall running ASA version 9.1(3)2 that I am setting up, and I have a basic grasp on the new NAT config, but I have a few questions on it.  I have searched, but am not getting exactly the answer to my situation.
First, I have an internal host set up with a NAT statement, as below:

object network test-srv
 host 10.1.1.1
 nat (inside,outside) static 1.1.1.1

Inbound access to this host works prefectly to the static IP set up by the NAT statement.  However, outbound access from this server is hitting the Dynamic/Auto NAT statement, and is being Natted to the general Outside interface IP Address.  I want outbound traffic from this server to any destination IP on the Internet to be Natted to the IP Address in the Static statement above (1.1.1.1).  What is the best way to accomplish this?

Second, can the 'test-srv' parameter defined in the 'object network test-srv' (from example above) be used in the ACLs, or do I also need to use the 'name 10.1.1.1 test-srv' command?

Thanks!

 

***Edit- adding a third question

For a l2l VPN, specifically the ACL portion of it... we are natting our traffic to the outside interface IP Address, using the ASA outside interface IP Address defined by the Auto NAT config.  How should the crypto ACL read?

either

access-list l2l-vpn extended permit ip host <public Natted IP Address> <remote side host IP Address>

or

access-list l2l-vpn extended permit ip <internal subnets on our side> <remote side host IP Address>

I am used to defining the ACL by allowing the internal IPs/subnets that are traversing the tunnel, but I have a feeling that now, I have to specify the outside IP in the ACL.

Thanks!

5 REPLIES
New Member

1. this config should be bi

1. this config should be bi-directional, could you post "show nat detail" ?

2. yes

3. not quite understand what you mean, but if this acl is for vpn interesting traffic, it should be real(before nat) ip.

New Member

Thanks for the reply. 1) ASA

Thanks for the reply. 

1) 

ASA-5525X# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface   dns
    translate_hits = 80223, untranslate_hits = 50641
    Source - Origin: 0.0.0.0/0, Translated: 81.144.136.129/27
2 (DMZ) to (outside) source dynamic any interface   dns
    translate_hits = 72611, untranslate_hits = 14109
    Source - Origin: 0.0.0.0/0, Translated: 1.1.1.2/27

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static test-srv 1.1.1.1
    translate_hits = 0, untranslate_hits = 995
    Source - Origin: 10.1.1.1/32, Translated: 1.1.1.1/32
2 (any) to (any) source static Test TEST-EXT
    translate_hits = 0, untranslate_hits = 18205
    Source - Origin: 10.1.1.2/32, Translated: 1.1.1.3/32

Looking at the Auto-NAT section, #1, the server's inbound traffic is getting translated, but not the outbound (initiation) traffic.

3) Thanks, I've had a few discussions with colleagues that told me that the ACL should cover the IP Address post-Natting, which will be the public IP Address.  I am familiar with the ACL reflecting the real (before NAT) IP.

Cisco Employee

jeleinweber  has it right.

jeleinweber  has it right. Your outbound connections from that server are hitting rule #1 of your Manual NAT policy section, so they are translated dynamically to the outside interface.

 

Inbound connections destined to the global ip of 1.1.1.1 on the outside match Rule #1 in the Auto-NAT policy area (section 2). Thats is what is causing the asymmetry in your NAT'ing.

 

If you want to fix this, remove the object nat rule and configure a new object nat rule at the top of the table for this server:

ASA(config-t)# nat (inside,outside) 1 source static test-srv-in-1 obj-1.1.1.1

 

 

In the brave new post 8.4 NAT

In the brave new post 8.4 NAT world, the phase II object NAT rules are sorted by Cisco and the first Cisco match wins.  Normally the static mappings are sorted ahead of the dynamic ones, so I'm puzzled by your test-srv behavior.   If we could see more of the configuration we might be able to figure it out.

Your followup post clarifies it: your dynamic mappings were phase I (twice nat), which preceded phase II.   Personally, I like phase II for my dynamic subnet mappings as well as for my individual host static mappings.

In any case, a workaround is to use a phase I "twice NAT" rule, e.g.

object network test-srv-in-1

   host 10.1.1.1

object network test-srv-out-1

   host 1.1.1.1

nat (inside,outside) source static test-srv-in-1 test-srv-in-1 destination static test-srv-out-1 test-srv-out-1

Phase I rules are evaluated in order of appearance, so you would have to put this before your subnet dynamic rule.

For IPsec tunnels I have, I had to evade my phase II dynamic mappings with a phase I identity NAT rule, e.g.

object network inside-nat0

 subnet 192.168.10.0 255.255.255.0

object-group network remote-lans-nat0

  network-object 10.1.0.0 255.255.0.0

  network-object 172.12.2.0 255.255.255.0

nat (inside,outside) source static inside-nat0 inside-nat0 destination static remote-lans-nat0 remote-lans-nat0

Depending on your topological complexity you may or may not need no-proxy-arp and/or route-lookup keywords; in my case I needed both.

All of your ACL's use the "real", on-link inside addresses, not the mapped outside addresses.  In contemporary Cisco firmware, NAT mapping and unmapping happens very early, prior to ACL evaluation.

I'm not sure about 9.1 series firmware, but some folks have run into bugs related to re-using network objects in different contexts on some post 8.4 firmwares, so the paranoid among us are still defining multiple network object names with the same contents to be used separately for static NAT, dynamic NAT, and ACL purposes.

 

-- Jim Leinweber, WI State Lab of Hygiene

New Member

Thanks for the reply Jim!  So

Thanks for the reply Jim!  So now I am even more confused... not through any lack of explanation from you, rather only from my own ignorance on this topic.  So I guess I have two follow-up questions, if you have time:
1) What is the difference between the phase 1 and phase 2 NAT sections?  Phase 1 is titled as Manual NAT... wouldn't my object network statement:
object network test-srv
 host 10.1.1.1
 nat (inside,outside) static 1.1.1.1
Be a manual NAT statement?

2) You suggest that you prefer phase 2 for dynamic subnet mappings... how should we configure this?  My understanding is that if the dynamic subnet mappings are phase 2, then would I add the 'after-auto' command to my 'nat (inside,outside) source dynamic any interface dns' command?  Also, if both the dynamic subnet mappings as well as the individual host static mappings are both in phase 2, how do I change/set the order of NAT operation within this phase?  I will always want individual host static mappings to happen before the dynamic subnet mapping.
If you have any good reference for this portion of the NAT config, I'd appreciate it.  Clearly I have more reading to do on this topic.  Thanks again!

 

***EDIT*** Disregard my above questions, I found a good resource to explain it, and I get it now.  I just changed my Auto NAT to come after-auto (Stage 3), and now I am getting the desired NAT behavior.  Not sure if this is the cleanest way to do it... 

1004
Views
5
Helpful
5
Replies
CreatePlease to create content