ASA/PIX "NAT order of operation" ?

osdwo
Level 1

Hello all,

We (my team) deal with NAT configuration every day, on Cisco routers and firewalls.

The following document, "NAT order of operation", is very useful, and we have been looking for a long time for the equivalent document for ASA and PIX firewalls.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Do you know where I can find this information?

We are in particular looking for the order of these actions:

* NATting

* Encryption (VPN)

* routing

Thanks in advance for your help,

Jeremie

2 Replies

sadam.kherisat
Level 1

Dear Jeremie,

I think the order of the actions is as below:

1. Encryption

2. Routing

3. NAT

The incoming traffic will be matched against the VPN ACL first; if it matches, the packet will go into the VPN process.

If the packet does not match, routing will be used to determine the destination address, the destination address will be used to determine the ASA interface, and then the NAT rule will be applied (all the NAT configurations are tied to an interface name: inside, outside, DMZ).

Regards

sadam

Hi, you can use packet-tracer to help you see the ASA flow operation:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/p.html#wp1913020

For example, this is the flow operation for an IPsec VPN scenario [SOURCE inside 192.168.25.100 - L2LVPN - destination outside_172.16.1.70]:

asafw#packet-tracer input inside tcp 192.168.25.100 3389 172.16.1.70 3389

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 192.168.25.0 255.255.255.0 any
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.25.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
NAT exempt
translate_hits = 1, untranslate_hits = 7
Additional Information:

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 63.xx.xx.xx SERVER_HOST netmask 255.255.255.255
match ip inside host SERVER_HOST outside any
static translation to 63.xx.xx.xx
translate_hits = 1065, untranslate_hits = 9768
Additional Information:

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 63.xx.xx.xx SERVER_HOST netmask 255.255.255.255
match ip inside host SERVER_HOST outside any
static translation to 63.xx.xx.xx
translate_hits = 1065, untranslate_hits = 9768
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 20084, packet dispatched to next module

end

asa5500fw#

As for the NAT order of operation, this is the lookup process:

1. nat 0 access-list (nat-exempt)

2. Match existing xlates

3. Match static commands

   a. Static NAT with and without access-list

   b. Static PAT with and without access-list

4. Match nat commands

   a. nat [id] access-list (first match)

   b. nat [id] [address] [mask] (best match)

      i. If the ID is 0, create an identity xlate

      ii. Use global pool for dynamic NAT

      iii. Use global pool for dynamic PAT

Regards

Jorge Rodriguez
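The packet-tracer output above can be parsed to recover the order in which the ASA applied route lookup, NAT exemption, NAT and IPsec encryption to that one packet, which is the ordering question the original post asks. This is an added example, not code from the thread or from Cisco; SAMPLE is an abbreviated, constructed copy of the reply's trace, and the phase and subtype names are taken from it.

```python
import re  # Added example (not from the thread); SAMPLE is an abbreviated copy of the reply's trace.
SAMPLE = """Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Phase: 8
Type: NAT-EXEMPT
Result: ALLOW
Config:
match ip inside 192.168.25.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
Phase: 9
Type: NAT
Result: ALLOW
Config:
static (inside,outside) 63.xx.xx.xx SERVER_HOST netmask 255.255.255.255
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
"""
HEADER = re.compile(r"^(Phase|Type|Subtype|Result|Config|Additional Information):\s*(.*)$")

def parse_packet_tracer(text):
    """One dict per phase; non-header lines (matched rule, hit counters) go to 'detail'."""
    phases = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = HEADER.match(line)
        if m and m.group(1) == "Phase":
            phases.append({"phase": int(m.group(2)), "detail": []})
        elif m and phases and m.group(1) not in ("Config", "Additional Information"):
            phases[-1][m.group(1).lower()] = m.group(2)
        elif phases and not m:
            phases[-1]["detail"].append(line)
    return phases

def first_phase(phases, ptype, subtype=None):
    """Index of the first phase with this Type (and Subtype, if given), else None."""
    hits = [i for i, p in enumerate(phases)
            if p.get("type") == ptype and subtype in (None, p.get("subtype"))]
    return hits[0] if hits else None

def translated_before_encrypt(phases):
    """True when route lookup, NAT exemption, NAT and VPN encrypt all appear, in that order."""
    order = [first_phase(phases, t, s) for t, s in
             (("ROUTE-LOOKUP", None), ("NAT-EXEMPT", None), ("NAT", None), ("VPN", "encrypt"))]
    return None not in order and order == sorted(order)
def matched_nat_rule(phases):
    """First detail line of the first NAT phase, i.e. the static/nat rule the packet hit."""
    i = first_phase(phases, "NAT")
    return phases[i]["detail"][0] if i is not None and phases[i]["detail"] else None
```

Feed it the full output of a real packet-tracer run and translated_before_encrypt tells you whether the packet was routed and translated before it was handed to the IPsec encrypt phase, while matched_nat_rule shows which static or nat rule it hit.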