ASA Software 8.2 and earlier - "nat_id" parameter

Hi,

I'm in the process of migrating a rather big NAT configuration from a customer running pre-8.2 ASA software.

The customer has 2 Dynamic Policy NATs configured which have overlapping source addresses.

One Dynamic Policy NAT has the destination address of "any".

The other Dynamic Policy NAT has a single host address as destination address towards the Internet.

The Dynamic Policy NAT configured with the "any" destination is applied to all translations for the source host towards the Internet.

What I'm interested in is the following:

Since both NAT statements are equal in a sense (because they are of the same type), what is the next deciding factor by which the ASA decides which translation rule to use?

Does the "nat_id" parameter define which rule is checked first? Is the NAT rule with the lowest "nat_id" value used regardless of what the order of the NAT rules is when you check them on the CLI (with "show run global" and "show run nat")?

I'm just interested in how the NAT operates in this case, even though we're generally using 8.4 at the moment.

- Jouni

  • Firewalling
6 REPLIES

ASA Software 8.2 and earlier - "nat_id" parameter

Could you post the NAT configuration? Just make sure to leave out sensitive information.

The "nat_id" parameter basically ties NAT statements together.

For example:

nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.2.50 255.255.255.255
nat (inside) 3 10.10.10.0 255.255.255.0
global (outside) 1 100.10.20.3 netmask 255.255.255.255
global (outside) 3 100.10.20.17-100.10.20.30 netmask 255.255.255.240

The number after the (interface) parameter is the "nat_id", which basically binds whatever is behind it to the global command.

So in my example, 192.168.1.0/24 and 192.168.2.50/32 will be PATed to 100.10.20.3 when it goes out the outside interface.

The 10.10.10.0/24 network, since it has a "nat_id" of 3, will be matched to the global statement with 3, so that means it will be matched to a dynamic NAT pool.

As far as which addresses it uses first, I'm not technically sure, but I would assume that it NATs whatever needs a translation first.

ASA Software 8.2 and earlier - "nat_id" parameter

Hi,

The biggest difference between the NAT configurations you posted and the ones I'm checking is that both of mine were Policy NATs and had the same source IP address among their configurations.

The ones above have nothing overlapping.

I'll try to add the partial configurations below, as the actual object-groups used in the Policy NAT statements are "a bit" large, even though the actual configurations are pretty clear.

RULE1

global (OUTSIDE) 124 a.a.a.a
nat (INSIDE) 124 access-list RULE1
access-list RULE1 extended permit ip object-group RULE1-OBJ host x.x.x.x
object-group network RULE1-OBJ
network-object host 1.1.1.1

RULE2

global (OUTSIDE) 18 b.b.b.b
nat (INSIDE) 18 access-list RULE2
access-list RULE2 extended permit ip object-group RULE2-OBJ any
object-group network RULE2-OBJ
network-object host 1.1.1.1

So basically RULE1 defines that when the source device with IP 1.1.1.1 (for example) connects to host x.x.x.x on interface OUTSIDE, it will be translated to IP address a.a.a.a.

RULE2, on the other hand, says that when the source device with IP 1.1.1.1 connects to any host on interface OUTSIDE, it will be translated to IP address b.b.b.b.

At the moment, to my understanding, all traffic towards the OUTSIDE interface from host 1.1.1.1 is translated according to RULE2.

To my eye this shouldn't rule out the use of RULE1 when destination address x.x.x.x is in question, UNLESS RULE2's nat_id of 18 (as it's the lowest value of the two - 18 vs. 124) is the deciding factor on which NAT rule to check first when connecting to host x.x.x.x.

Because this would mean that RULE2 is always checked first because of its lower nat_id value, and because its destination address is "any", any connection towards interface OUTSIDE will match it and therefore RULE1 would never be used.

I guess also the fact that nat_id 0 configurations are the very first on the list of NAT configurations checked when a connection is coming through the ASA/PIX/FWSM supports my guess that the NAT ID with the lowest value is processed first.

Wonder if anyone can make out anything I just wrote above.

- Jouni

ASA Software 8.2 and earlier - "nat_id" parameter

Yeah, thanks for the clarification. From reading official Cisco documentation, that "nat_id" number exists only to bind a NAT command to a GLOBAL pool. I would think that if you have overlap in your source addresses, the more specific match wins out.

So RULE1, where its destination is a single host /32, will match that, and for anything else per your config it will match RULE2.

The command with NAT ID 5 is a more specific match, based on prefix length, than the identity NAT rule. As such, NAT would be performed, using global pool 5 on the egress interface. It is important to remember that the NAT ID number exists only to bind a nat command to a global pool--it does not imply ordinality (that is, lower numbers are not processed for a match priority to higher numbers). It is not the NAT ID number that determines which nat rule is applied to the traffic, but rather the prefix length to which the nat command address matches the source address in the packets.

Hope that helped.

Re: ASA Software 8.2 and earlier - "nat_id" parameter

Hi,

Is the bolded text in your previous post directly from Cisco document?

Does the ID 5 refer to some example?

Can you copy/paste the configuration in question to this discussion or link the document here?

- Jouni

EDIT:

From reading the bolded text a couple of times it almost feels like it's referring to a different kind of situation with regard to NAT configurations.

Example:

global (outside) 1 192.168.1.1
global (outside) 100 192.168.1.2
nat (inside) 1 10.10.10.1 255.255.255.255
nat (inside) 100 10.10.10.0 255.255.255.0

In the above situation, when a connection from inside to outside arrives at the ASA from source address 10.10.10.1, it's matched to the NAT rule with ID 1 because its "nat" statement is more specific (specifying a single host source address).

I guess the result would be the same if the "nat" statement of ID 1 had the source address of 10.10.10.0/29, for example? The more specific source address rule wins regardless of NAT ID value.

Now, when the source address is the same in both Policy NAT statements, is the deciding factor the more specific destination address then?

Sadly I have no ability to test this in the old environment, as the FW is a context on an FWSM and the "packet-tracer" command ain't supported there. And also there have been no active xlates from that source address when I have checked.

I guess I'll have to ask the customer to generate some traffic to confirm the operation of this NAT command.
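Added example, not from this thread or from Cisco: a small Python model of the pre-8.3 nat/global binding discussed above, fed with Jouni's example configuration plus a constructed variant with the nat_ids swapped. It implements only regular nat/global lines and the longest-source-prefix rule from the quoted Cisco text; policy NAT with access-lists, the open question in this thread, is deliberately not modelled.

```python
import ipaddress

# Jouni's example from the post above: the /32 host rule has the LOWER nat_id.
EXAMPLE_CONFIG = """
global (outside) 1 192.168.1.1
global (outside) 100 192.168.1.2
nat (inside) 1 10.10.10.1 255.255.255.255
nat (inside) 100 10.10.10.0 255.255.255.0
"""

# Constructed variant: same rules with the nat_ids swapped, so the /32 host rule
# now has the HIGHER nat_id. It must still win, on prefix length alone.
SWAPPED_CONFIG = """
global (outside) 1 192.168.1.1
global (outside) 100 192.168.1.2
nat (inside) 100 10.10.10.1 255.255.255.255
nat (inside) 1 10.10.10.0 255.255.255.0
"""

def parse_config(text):
    """Parse regular 'nat (if) id addr mask' and 'global (if) id addr|range' lines.
    Returns (nat_rules, pools): nat_rules as (nat_id, iface, IPv4Network) tuples,
    pools keyed by (iface, nat_id). Policy NAT ('nat ... access-list') is not modelled."""
    nats, pools = [], {}
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        iface, nat_id = parts[1].strip("()"), int(parts[2])
        if parts[0] == "nat":
            mask = parts[4] if len(parts) > 4 else "255.255.255.255"
            nats.append((nat_id, iface, ipaddress.IPv4Network(f"{parts[3]}/{mask}", strict=False)))
        elif parts[0] == "global":
            pools[(iface, nat_id)] = parts[3]  # the nat_id binds nat lines to this pool
    return nats, pools

def select_translation(nats, pools, src_ip, egress_iface):
    """Return (nat_id, pool) for a packet from src_ip leaving via egress_iface.
    The winner is the matching nat rule with the longest source prefix; its nat_id
    only picks the pool and is never used for ordering, as the quoted Cisco text says."""
    ip = ipaddress.IPv4Address(src_ip)
    matches = [r for r in nats if ip in r[2] and (egress_iface, r[0]) in pools]
    if not matches:
        return None  # no nat line for this source is bound to a pool on that interface
    nat_id, _, _ = max(matches, key=lambda r: r[2].prefixlen)
    return nat_id, pools[(egress_iface, nat_id)]
```

With either configuration the host 10.10.10.1 lands on the pool bound to the /32 rule, and the rest of 10.10.10.0/24 on the pool bound to the /24 rule, whichever nat_id each carries.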

Re: ASA Software 8.2 and earlier - "nat_id" parameter

Yes it is, and the nat-id of 5 is from an example. I'm at lunch right now; I'll post the link when I get back.
