07-28-2009 11:49 PM - edited 03-11-2019 09:00 AM
Hello all,
We (my team) are dealing with NAT configuration everyday, on Cisco routers and firewalls.
The following document "NAT order of operation" is very useful, and we have been looking for a long time to the same document for ASA and PIX firewalls.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
Do you know where I can find this information?
We are in particular looking for the order of these actions :
* NATting
* Encryption (VPN)
* routing
Thanks in advance for your help,
Jeremie
07-29-2009 03:32 AM
Dear Jeremie,
I think the order of the actions is as below:
1. Encryption
2. Routing
3. NAT
The incoming traffic will be matched against the VPN ACL first; if it matches, then the packet will be in the VPN process.
If the packet does not match, the routing will be used to determine the destination address; the destination address will be used to determine the ASA interface, then the NATting rule will be applied (all the NAT configurations are connected with an interface name: inside, outside, DMZ).
Regards
sadam
07-29-2009 09:23 AM
Hi, you can use packet-tracer to help you see the ASA flow operation:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/p.html#wp1913020
For example, this is the flow operation scenario for an IPsec VPN [SOURCE inside 192.168.25.100 - L2LVPN - destination outside 172.16.1.70]:
asafw#packet-tracer input inside tcp 192.168.25.100 3389 172.16.1.70 3389
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 192.168.25.0 255.255.255.0 any
Additional Information:
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.25.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
NAT exempt
translate_hits = 1, untranslate_hits = 7
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 63.xx.xx.xx SERVER_HOST netmask 255.255.255.255
match ip inside host SERVER_HOST outside any
static translation to 63.xx.xx.xx
translate_hits = 1065, untranslate_hits = 9768
Additional Information:
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 63.xx.xx.xx SERVER_HOST netmask 255.255.255.255
match ip inside host SERVER_HOST outside any
static translation to 63.xx.xx.xx
translate_hits = 1065, untranslate_hits = 9768
Additional Information:
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 20084, packet dispatched to next module
end
asa5500fw#
As for the NAT order of operation, this is the lookup process:
1. nat 0 access-list (nat-exempt)
2. Match existing xlates
3. Match static commands
   a. Static NAT with and without access-list
   b. Static PAT with and without access-list
4. Match nat commands
   a. nat [id] access-list (first match)
   b. nat [id] [address] [mask] (best match)
      i. If the ID is 0, create an identity xlate
      ii. Use global pool for dynamic NAT
      iii. Use global pool for dynamic PAT
B. Regards
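As an added illustration, not part of anyone's post or of Cisco's code, the lookup order above as a small Python model. The rule set and addresses are constructed (SERVER_HOST is assumed to be 192.168.25.10, mapped addresses use documentation ranges, and statics are assumed to be checked in configuration order); `lookup` returns which step of the list decided the translation for a given source/destination pair.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")

@dataclass
class NatRule:
    kind: str                         # "exempt", "static", "nat_acl", "nat_addr"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network = ANY  # ACL destination; ANY = no access-list
    nat_id: int = 1                   # 0 = identity xlate for nat_addr rules
    mapped: str = ""                  # translated address (static rules)

def lookup(src_ip, dst_ip, rules, xlates):
    """Return (deciding step, rule or xlate) following the order in the post."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    def hit(r):
        return src in r.src and dst in r.dst
    # 1. nat 0 access-list (NAT exempt) is checked before everything else
    for r in rules:
        if r.kind == "exempt" and hit(r):
            return "exempt", r
    # 2. an existing xlate for this host is reused
    if src_ip in xlates:
        return "xlate", xlates[src_ip]
    # 3. static NAT/PAT, with or without access-list (configuration order assumed)
    for r in rules:
        if r.kind == "static" and hit(r):
            return "static", r
    # 4a. nat [id] access-list: first match in configuration order
    for r in rules:
        if r.kind == "nat_acl" and hit(r):
            return "nat_acl", r
    # 4b. nat [id] address mask: best (longest-prefix) match on the source
    cands = [r for r in rules if r.kind == "nat_addr" and src in r.src]
    if cands:
        best = max(cands, key=lambda r: r.src.prefixlen)
        # id 0 creates an identity xlate; otherwise the global pool is used
        return ("identity" if best.nat_id == 0 else "dynamic"), best
    return "none", None

N = ipaddress.IPv4Network
# Constructed rule set modelled on the packet-tracer output in the thread
RULES = [
    NatRule("exempt", N("192.168.25.0/24"), N("172.16.1.0/24"), nat_id=0),
    NatRule("static", N("192.168.25.10/32"), mapped="203.0.113.10"),  # SERVER_HOST assumed
    NatRule("nat_acl", N("192.168.25.0/24"), N("10.0.0.0/8"), nat_id=3),  # policy NAT
    NatRule("nat_addr", N("192.168.0.0/16"), nat_id=1),
    NatRule("nat_addr", N("192.168.25.0/24"), nat_id=2),   # more specific than the /16
    NatRule("nat_addr", N("192.168.40.0/24"), nat_id=0),   # identity NAT
]

if __name__ == "__main__":
    for s, d in [("192.168.25.100", "172.16.1.70"), ("192.168.25.100", "198.51.100.1")]:
        print(s, "->", d, lookup(s, d, RULES, {}))
```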