ASA nat

sqambera, Level 1

Hello,

I am new to ASA configuration. The question I have is that:

1. For the auto NAT that we configure under "object network", does it mean that only traffic sourced from the subnet/host that matches the network object under which the nat is configured will be translated?

To further elaborate my question, please see following running-config example of ASA:

object network 10.0.0.0_8
 subnet 10.0.0.0 255.0.0.0
object network 10.0.0.0_8
 nat (Inside,Outside) dynamic interface

So, does it mean that only 10.0.0.0 subnet will be translated to Outside interface?

 

2. If the answer to the above question is yes, then what happens to traffic that is sourced from any subnet other than 10.0.0.0 and traverses from inside to outside? Does it leave the ASA without translation?

 

3. I have noticed that for any traffic that is destined towards a particular subnet and is not required to be translated, we configure a manual NAT for it. In this case we translate the source network object into itself. My question is why this is needed, since that source already does not match any auto NAT statement under an "object network" definition and should leave the ASA without translation anyway. In other words, what we are trying to achieve through the manual NAT should happen automatically, as the source subnet doesn't match any auto NAT statement.

Thanks in advance for your help in answering these questions.


4 Replies

The behavior changed more than once across PIX/ASA releases. With any recent version it works the following way:

1) Yes, if this is the only NAT statement, then only the network 10/8 will be translated when communicating from inside to outside.

2) Yes, if there is no NAT rule, then the traffic will just be routed.

3) What you describe is NAT exemption and is often needed. On the old ASA versions <8.3 it was needed very often because NAT was defined per interface and not per interface pair.

On current ASA versions you still need it for VPNs. If a VPN user communicates with the 10/8 network, it matches the above rule and the VPN communication will fail. For that you add a NAT exemption rule to the first manual NAT section to make sure that this VPN traffic will "not be translated".

Thanks Karsten. 

Regarding the third answer, what if the VPN communication is with a network other than 10/8? Do we still need a NAT exemption rule? I have seen configurations in which a manual NAT exemption rule is created for a traffic source even though no NAT has been defined for it yet.

Accepted Solution:

No, you don't need nat-exemption if there is no matching nat-rule for the traffic. But if you run VPNs, I would configure it for all internal networks. Sooner or later you'll add NAT for other networks and then you can't break your VPN.

Thanks Karsten.
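The configuration below is an added example, not from the original post or from Cisco, that puts Karsten's two replies into a working 8.3+ style NAT snippet: one auto NAT rule for 10/8, plus the identity ("NAT exemption") manual NAT rule in section 1 that protects VPN traffic from it, followed by the two show/packet-tracer checks a practitioner would run to confirm which rule a flow actually hits. The interface names inside/outside, the object names inside-net and vpn-pool, the 192.168.100.0/24 VPN address pool and the test host addresses are assumptions for illustration. (The object in the original running-config appears twice only because the ASA prints the object definition and its nat line in separate blocks of show running-config; it is a single object.)

```cisco
! Added example (not the original poster's config). Names, interfaces and the
! VPN pool 192.168.100.0/24 are assumptions for illustration.

! ---- Section 2: auto (object) NAT -------------------------------------------
! Only traffic whose source matches this object is PATed to the outside
! interface address. Sources outside 10/8 match no rule and are simply routed
! untranslated (the answer to question 2).
object network inside-net
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic interface

! Remote-access VPN pool. VPN clients sit "behind" the outside interface, so
! inside-to-VPN traffic is inside->outside traffic and would otherwise hit
! the dynamic rule above.
object network vpn-pool
 subnet 192.168.100.0 255.255.255.0

! ---- Section 1: manual NAT, evaluated before auto NAT -----------------------
! Identity NAT (NAT exemption): 10/8 talking to the VPN pool keeps its real
! addresses in both directions. Without this rule the inside source would be
! PATed to the outside interface address and the VPN flow breaks.
! no-proxy-arp stops the ASA from answering ARP for the untranslated
! addresses; route-lookup makes it use the routing table for the egress
! interface instead of the NAT rule's interface pair.
nat (inside,outside) source static inside-net inside-net destination static vpn-pool vpn-pool no-proxy-arp route-lookup

! ---- Verification -----------------------------------------------------------
! The exemption must be listed under "Manual NAT Policies (Section 1)", ahead
! of the object NAT entry; translate_hits/untranslate_hits show which rule
! real traffic is matching.
show nat detail

! Walk a packet from an inside host to a VPN client through the NAT lookup.
! The NAT phase in the output should report the identity (static) rule, not
! the dynamic PAT to the outside interface.
packet-tracer input inside tcp 10.1.1.10 40000 192.168.100.5 443
```

The accepted answer's advice to exempt all internal networks, not just 10/8, follows directly from the ordering: a section 1 identity rule for an internal network that currently has no auto NAT does nothing today, but it keeps winning the lookup after someone later adds a dynamic object NAT for that network, so the VPN keeps working without anyone having to remember the dependency.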
