Hi all, have a few questions on the new version of Natting, post ASA version 8.2 which is what I am familiar with. I have a new 5525x firewall running ASA version 9.1(3)2 that I am setting up, and I have a basic grasp on the new NAT config, but I have a few questions on it. I have searched, but am not getting exactly the answer to my situation. First, I have an internal host set up with a NAT statement, as below:
Inbound access to this host works perfectly to the static IP set up by the NAT statement. However, outbound access from this server is hitting the Dynamic/Auto NAT statement, and is being Natted to the general Outside interface IP Address. I want outbound traffic from this server to any destination IP on the Internet to be Natted to the IP Address in the Static statement above (188.8.131.52). What is the best way to accomplish this?
Second, can the 'test-srv' parameter defined in the 'object network test-srv' (from example above) be used in the ACLs, or do I also need to use the 'name 10.1.1.1 test-srv' command?
***Edit- adding a third question
For an L2L VPN, specifically the ACL portion of it... we are natting our traffic to the outside interface IP Address, using the ASA outside interface IP Address defined by the Auto NAT config. How should the crypto ACL read?
access-list l2l-vpn extended permit ip host <public Natted IP Address> <remote side host IP Address>
access-list l2l-vpn extended permit ip <internal subnets on our side> <remote side host IP Address>
I am used to defining the ACL by allowing the internal IPs/subnets that are traversing the tunnel, but I have a feeling that now, I have to specify the outside IP in the ACL.
Looking at the Auto-NAT section, #1, the server's inbound traffic is getting translated, but not the outbound (initiation) traffic.
3) Thanks, I've had a few discussions with colleagues that told me that the ACL should cover the IP Address post-Natting, which will be the public IP Address. I am familiar with the ACL reflecting the real (before NAT) IP.
In the brave new post 8.4 NAT world, the phase II object NAT rules are sorted by Cisco and the first Cisco match wins. Normally the static mappings are sorted ahead of the dynamic ones, so I'm puzzled by your test-srv behavior. If we could see more of the configuration we might be able to figure it out.
Your follow-up post clarifies it: your dynamic mappings were phase I (twice NAT), which preceded phase II. Personally, I like phase II for my dynamic subnet mappings as well as for my individual host static mappings.
In any case, a workaround is to use a phase I "twice NAT" rule, e.g.
Depending on your topological complexity you may or may not need no-proxy-arp and/or route-lookup keywords; in my case I needed both.
All of your ACLs use the "real", on-link inside addresses, not the mapped outside addresses. In contemporary Cisco firmware, NAT mapping and unmapping happens very early, prior to ACL evaluation.
I'm not sure about 9.1 series firmware, but some folks have run into bugs related to re-using network objects in different contexts on some post 8.4 firmwares, so the paranoid among us are still defining multiple network object names with the same contents to be used separately for static NAT, dynamic NAT, and ACL purposes.
Thanks for the reply Jim! So now I am even more confused... not through any lack of explanation from you, rather only from my own ignorance on this topic. So I guess I have two follow-up questions, if you have time: 1) What is the difference between the phase 1 and phase 2 NAT sections? Phase 1 is titled as Manual NAT... wouldn't my object network statement:
object network test-srv
 host 10.1.1.1
 nat (inside,outside) static 184.108.40.206
be a manual NAT statement?
2) You suggest that you prefer phase 2 for dynamic subnet mappings... how should we configure this? My understanding is that if the dynamic subnet mappings are phase 2, then would I add the 'after-auto' command to my 'nat (inside,outside) source dynamic any interface dns' command? Also, if both the dynamic subnet mappings as well as the individual host static mappings are both in phase 2, how do I change/set the order of NAT operation within this phase? I will always want individual host static mappings to happen before the dynamic subnet mapping. If you have any good reference for this portion of the NAT config, I'd appreciate it. Clearly I have more reading to do on this topic. Thanks again!
***EDIT*** Disregard my above questions, I found a good resource to explain it, and I get it now. I just changed my Auto NAT to come after-auto (Stage 3), and now I am getting the desired NAT behavior. Not sure if this is the cleanest way to do it...
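The behaviour discussed in this thread (Jim's point that section 1 manual NAT is evaluated before section 2 object NAT, and the fix of moving the dynamic PAT to after-auto, i.e. section 3) comes down to the order in which the ASA walks its NAT table and stops at the first match. The following Python simulation is an added example, not configuration or code from the thread or from Cisco: it models that precedence with constructed rules and addresses (the object name test-srv is borrowed from the thread; 203.0.113.10, 10.1.1.0/24 and the rule labels are constructed), so you can see why the host's outbound traffic hits the interface PAT in the "before" layout and the static mapping once the PAT is placed after-auto.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    """One NAT rule. Names, sections and addresses in this example are
    constructed for illustration; they are not the thread's configuration."""
    name: str       # object name, or a label for a manual (twice) NAT line
    section: int    # 1 = manual NAT, 2 = object (auto) NAT, 3 = manual NAT after-auto
    kind: str       # "static" or "dynamic"
    real: str       # real (inside) source network, e.g. "10.1.1.1/32" or "0.0.0.0/0"
    mapped: str     # mapped address, or "interface" for interface PAT
    order: int = 0  # configured line order within a manual section (1 or 3)


def _real_net(rule):
    return ipaddress.ip_network(rule.real, strict=False)


def sort_nat_table(rules):
    """Return the rules in ASA evaluation order.

    Sections 1 and 3 are evaluated in configured line order. Section 2
    (object NAT) is ordered by the ASA itself: static before dynamic, and
    within each group the object with fewer real addresses first (a /32
    host beats a /24 subnet), ties broken by the lowest real address.
    """
    def key(rule):
        if rule.section == 2:
            net = _real_net(rule)
            return (2, 0 if rule.kind == "static" else 1,
                    net.num_addresses, int(net.network_address), rule.name)
        return (rule.section, 0, 0, rule.order, rule.name)
    return sorted(rules, key=key)


def translate(rules, src_ip):
    """First-match lookup: return (rule name, mapped address) for src_ip,
    or (None, src_ip) when nothing matches and the packet leaves untranslated."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sort_nat_table(rules):
        if ip in _real_net(rule):
            return rule.name, rule.mapped
    return None, src_ip


# Constructed scenario mirroring the thread: one static object NAT for a host,
# plus a catch-all dynamic PAT to the outside interface address.
HOST_STATIC = NatRule("test-srv", 2, "static", "10.1.1.1/32", "203.0.113.10")


def rules_before():
    """Dynamic PAT written as manual NAT without 'after-auto' -> section 1,
    so it is consulted before the object NAT in section 2."""
    return [NatRule("pat-any", 1, "dynamic", "0.0.0.0/0", "interface"), HOST_STATIC]


def rules_after():
    """The same dynamic PAT moved to 'after-auto' -> section 3."""
    return [NatRule("pat-any", 3, "dynamic", "0.0.0.0/0", "interface"), HOST_STATIC]


if __name__ == "__main__":
    for label, rules in (("before", rules_before()), ("after-auto", rules_after())):
        print(label, "10.1.1.1 ->", translate(rules, "10.1.1.1"),
              "| 10.1.1.50 ->", translate(rules, "10.1.1.50"))
```

Running it shows the host going out as the interface address under rules_before() and as 203.0.113.10 under rules_after(), while an unlisted inside host still falls through to the interface PAT in both layouts. The same sort key also reproduces Jim's remark that a static object NAT is ordered ahead of a dynamic one when both sit in section 2, which is why keeping the subnet PAT as object NAT is the other valid way to get the desired result.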