I'm in the process of migrating a rather big NAT configuration from a customer running pre-8.2 ASA software.
The customer has 2 Dynamic Policy NATs configured which have overlapping source addresses.
One Dynamic Policy NAT has the destination address of "any".
The other Dynamic Policy NAT has a single host address as the destination address towards the Internet.
The Dynamic Policy NAT configured with the "any" destination is applied to all translations for the source host towards the Internet.
What I'm interested in is the following:
Since both NAT statements are equal in a sense (because they are of the same type), what is the next deciding factor for the ASA to decide which translation rule to use?
Does the "nat_id" parameter define which rule is checked first? Is the NAT rule with the lowest "nat_id" value used regardless of what the order of the NAT rules is when you check them on the CLI? (with "show run global" and "show run nat")
I'm just interested in how the NAT operates in this case, even though we're generally using 8.4 at the moment.
The biggest difference between the NAT configurations you posted and the ones I'm checking is that both of mine were Policy NATs and had among their configurations the same source IP address.
The ones above have nothing overlapping.
I'll try to add the partial configurations below, as the actual object-groups used in the Policy NAT statements are "a bit" large even though the actual configurations are pretty clear.
global (OUTSIDE) 124 a.a.a.a
nat (INSIDE) 124 access-list RULE1
access-list RULE1 extended permit ip object-group RULE1-OBJ host x.x.x.x
object-group network RULE1-OBJ
network-object host 220.127.116.11
global (OUTSIDE) 18 b.b.b.b
nat (INSIDE) 18 access-list RULE2
access-list RULE2 extended permit ip object-group RULE2-OBJ any
object-group network RULE2-OBJ
network-object host 18.104.22.168
So basically RULE1 defines that when the source device with IP 22.214.171.124 (for example) connects to host x.x.x.x on interface OUTSIDE it will be translated to IP address a.a.a.a.
RULE2 on the other hand tells that when the source device with IP 126.96.36.199 connects to any host on interface OUTSIDE it will be translated to IP address b.b.b.b.
At the moment, to my understanding, all traffic towards the OUTSIDE interface from host 188.8.131.52 is translated according to RULE2.
To my eye this shouldn't rule out the use of RULE1 when destination address x.x.x.x is in question, UNLESS RULE2's nat_id of 18 (as it's the lowest value of the two, 18 vs. 124) is the deciding factor on which NAT rule to check first when connecting to host x.x.x.x.
Because this would mean that RULE2 is always checked first because of its lower nat_id value, and because its destination address is "any", any connection towards interface OUTSIDE will match it and therefore RULE1 would never be used.
I guess also the fact that the nat_id 0 configuration is the very first on the list of NAT configurations checked when a connection is coming through ASA/PIX/FWSM supports my guess that the NAT ID with the lowest value is processed first.
Wonder if anyone can make out anything I just wrote above.
Yeah, thanks for the clarification. From reading official Cisco documentation, that "nat_id" number exists only to bind a NAT command to a GLOBAL pool. I would think that if you have overlap in your source addresses the more specific match wins out.
So RULE1, where its destination is a single host /32, will match that, and anything else per your config will match RULE2.
The command with NAT ID 5 is a more specific match, based on prefix length, than the identity NAT rule. As such, NAT would be performed, using global pool 5 on the egress interface. It is important to remember that the NAT ID number exists only to bind a nat command to a global pool--it does not imply ordinality (that is, lower numbers are not processed for a match priority to higher numbers). It is not the NAT ID number that determines which nat rule is applied to the traffic, but rather the prefix length to which the nat command address matches the source address in the packets.
Re: ASA Software 8.2 and earlier - "nat_id" parameter
Is the bolded text in your previous post directly from a Cisco document?
Does the ID 5 refer to some example?
Can you copy/paste the configuration in question into this discussion or link the document here?
From reading the bolded text a couple of times it almost feels like it's referring to a different kind of situation with regard to NAT configurations.
global (outside) 1 192.168.1.1
global (outside) 100 192.168.1.2
nat (inside) 1 10.10.10.1 255.255.255.255
nat (inside) 100 10.10.10.0 255.255.255.0
In the above situation, when a connection from inside to outside arrives at the ASA from source address 10.10.10.1, it's matched to the NAT rule with ID 1 because its "nat" statement is more specific (specifying a single host source address).
I guess the result would be the same if the "nat" statement of ID 1 had the source address of 10.10.10.0/29, for example? The more specific source address rule wins regardless of the NAT ID value.
Now, when the source address is the same in both Policy NAT statements, is the deciding factor the more specific destination address then?
Sadly I have no ability to test this in the old environment, as the FW is a context on an FWSM and the "packet-tracer" command ain't supported there. And also there have been no active xlates from that source address when I have checked.
I guess I'll have to ask the customer to generate some traffic to confirm the operation of this NAT command.
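As an added illustration (not code from the thread or from Cisco) of the longest-prefix behaviour quoted from the Cisco document, here is a small Python model of the regular dynamic NAT example above, including the /29 variant the poster asks about. It assumes the tie-break between equal-length prefixes is configuration order, and it does not model the policy NAT (access-list) case that the thread leaves open.

```python
import ipaddress

# Constructed sample configuration, taken from the thread's regular dynamic NAT
# example (not the policy NAT case).
SAMPLE_CONFIG = """
global (outside) 1 192.168.1.1
global (outside) 100 192.168.1.2
nat (inside) 1 10.10.10.1 255.255.255.255
nat (inside) 100 10.10.10.0 255.255.255.0
"""

# Same config with the ID 1 source widened to 10.10.10.0/29, as the poster suggests.
SAMPLE_CONFIG_29 = SAMPLE_CONFIG.replace("10.10.10.1 255.255.255.255",
                                         "10.10.10.0 255.255.255.248")


def parse_config(text):
    """Return ({nat_id: global_ip}, [(nat_id, source_network), ...]) from the lines."""
    globals_by_id, nat_rules = {}, []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] == "global":
            # global (ifc) nat_id address  -> nat_id binds the nat command to this pool
            globals_by_id[int(parts[2])] = parts[3]
        elif parts[0] == "nat" and parts[3] != "access-list":
            # nat (ifc) nat_id address netmask  (policy NAT lines are skipped)
            net = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
            nat_rules.append((int(parts[2]), net))
    return globals_by_id, nat_rules


def select_translation(config_text, source_ip):
    """Pick the nat rule with the longest matching source prefix; nat_id is only a pool binding."""
    globals_by_id, nat_rules = parse_config(config_text)
    src = ipaddress.ip_address(source_ip)
    candidates = [(net.prefixlen, nat_id) for nat_id, net in nat_rules if src in net]
    if not candidates:
        return None
    # max() by prefix length only; on a tie the first configured rule wins (assumption).
    _, nat_id = max(candidates, key=lambda c: c[0])
    return nat_id, globals_by_id[nat_id]
```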