New Member

ASA nat

Hello,

I am new to ASA configuration. The question I have is that:

1. The auto NAT that we configure under "object network": does it mean that only traffic sourced from the subnet/host that matches the network object under which the NAT is configured will be translated?

To further elaborate my question, please see following running-config example of ASA:

object network 10.0.0.0_8
 subnet 10.0.0.0 255.0.0.0
object network 10.0.0.0_8
 nat (Inside,Outside) dynamic interface

So, does it mean that only the 10.0.0.0 subnet will be translated to the Outside interface?

2. If the answer to the above question is yes, then what happens to traffic that is sourced from any subnet other than 10.0.0.0 and traversing from inside to outside? Does it leave the ASA without translation?

3. I have noticed that for any traffic that is destined towards a particular subnet and is not required to be translated, we configure a manual NAT for it. In this case we translate the source network object into itself. My question is why there is a need for it, since that source already does not match any auto NAT statement under an "object network" definition, so it should leave the ASA without translation anyway. In other words, what we are trying to achieve through manual NAT should happen automatically, as the source subnet doesn't match any auto NAT statement.

Thanks in advance for your help in answering these questions.

 

4 REPLIES
VIP Purple

The behavior changed more than one time with the PIX/ASA releases. With any recent version it works the following way:

1) Yes, if this is the only NAT statement, then only the network 10/8 will be translated when communicating from inside to outside.

2) Yes, if there is no NAT rule, then the traffic will just be routed.

3) What you describe is NAT exemption and is often needed. On the old ASA versions <8.3 it was needed very often because NAT was defined per interface and not per interface pair.

On actual ASA versions you still need it for VPNs. If a VPN user communicates with the 10/8 network it matches the above rule and the VPN communication will fail. For that you will add a NAT exemption rule to the first manual NAT section to make sure that this VPN traffic will "not be translated".

-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
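The three answers above can be checked against a small model of the ASA NAT lookup order. The following is an added example, not code from the thread or from Cisco: it models a manual NAT (section 1) rule being evaluated before the auto NAT (section 2) rule from the question, and shows why the VPN exemption is needed even though 10/8 is the only object with NAT configured. The Outside interface address 203.0.113.1 and the VPN pool 192.168.50.0/24 are constructed for the example; the section 2 ordering rules (static before dynamic, then prefix length) are not modelled since only one auto NAT rule exists here.

```python
"""Toy model of ASA NAT rule lookup: section 1 (manual NAT) before section 2 (auto NAT).
Constructed example; the addresses and the VPN pool are assumptions, not from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTSIDE_IF_IP = ipaddress.IPv4Address("203.0.113.1")  # assumed Outside interface address


@dataclass(frozen=True)
class NatRule:
    section: int                                  # 1 = manual NAT (evaluated first), 2 = auto NAT
    src_net: ipaddress.IPv4Network
    dst_net: Optional[ipaddress.IPv4Network]      # None = any destination
    mapped_src: Optional[ipaddress.IPv4Address]   # None = identity (source kept as-is)
    name: str


# object network 10.0.0.0_8 / nat (Inside,Outside) dynamic interface  -> section 2
AUTO_NAT_10_8 = NatRule(2, ipaddress.IPv4Network("10.0.0.0/8"), None, OUTSIDE_IF_IP,
                        "auto-nat 10/8 -> interface")

# nat (Inside,Outside) source static 10.0.0.0_8 10.0.0.0_8 destination static VPN_POOL VPN_POOL
# -> section 1, identity rule (the "translate the object into itself" exemption from the question)
VPN_POOL = ipaddress.IPv4Network("192.168.50.0/24")  # assumed remote-access VPN address pool
EXEMPT_10_8_TO_VPN = NatRule(1, ipaddress.IPv4Network("10.0.0.0/8"), VPN_POOL, None,
                             "nat-exemption 10/8 <-> vpn pool")


def lookup_nat(rules: List[NatRule], src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """First match wins; all of section 1 is searched (in config order) before section 2."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for section in (1, 2):
        for rule in rules:
            if rule.section != section:
                continue
            if src in rule.src_net and (rule.dst_net is None or dst in rule.dst_net):
                return rule
    return None


def translate_source(rules: List[NatRule], src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Return (source address as seen on the Outside interface, reason)."""
    rule = lookup_nat(rules, src_ip, dst_ip)
    if rule is None:
        return src_ip, "no NAT rule matched: packet is routed untranslated"
    if rule.mapped_src is None:
        return src_ip, rule.name
    return str(rule.mapped_src), rule.name


def demo() -> dict:
    """The four cases raised in the thread, with and without the exemption rule."""
    without_exemption = [AUTO_NAT_10_8]
    with_exemption = [EXEMPT_10_8_TO_VPN, AUTO_NAT_10_8]
    return {
        "q1: 10/8 host -> internet":
            translate_source(without_exemption, "10.1.1.5", "198.51.100.7"),
        "q2: 172.16/16 host -> internet (no rule)":
            translate_source(without_exemption, "172.16.0.5", "198.51.100.7"),
        "q3: 10/8 host -> VPN client, no exemption":
            translate_source(without_exemption, "10.1.1.5", "192.168.50.10"),
        "q3: 10/8 host -> VPN client, with exemption":
            translate_source(with_exemption, "10.1.1.5", "192.168.50.10"),
    }


if __name__ == "__main__":
    for case, (mapped, why) in demo().items():
        print(f"{case:46s} -> {mapped:14s} ({why})")
```

Running it shows the point of answer 3: the 10/8 host talking to the VPN client is rewritten to the interface address by the auto NAT rule, so the client's return traffic never matches the tunnel; only when the identity rule sits in section 1 does the packet keep its real source. The 172.16/16 host, which matches nothing, is simply routed as in answer 2.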
New Member

Thanks Karsten. 

Regarding the third answer, what if the VPN communication is with a network other than 10/8? Do we still need a NAT exemption rule? I have seen in configurations that a manual NAT rule for exemption is created for a traffic source even if no NAT has been defined for it already.

VIP Purple (accepted solution)

No, you don't need NAT exemption if there is no matching NAT rule for the traffic. But if you run VPNs, I would configure it for all internal networks. Sooner or later you'll add NAT for other networks, and then you can't break your VPN.

New Member

Thanks Karsten.
