Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

firewall interfaces & nat

Hi,

I have this query to understand when does the asa actually look into nat factor when traffic is traversing interfaces/security level.

Is it tied to the security level or interfaces or both?

For the discussion sake, i would just put up the below interfaces ;

int gig0/1 - nameif LAN - Security level 100

int gig0/2 - nameif OUTSIDE - Security level 0

int gig0/3 - nameif SERVERS - Security level 50

Appreciate all help in getting this.

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

firewall interfaces & nat

Hi,

Yes, pretty much as you describe.

The main problem between the 8.2 (and older) and 8.3 (and newer) software levels are the following things

  • Nat Control (nat-control) setting
  • General NAT operation

In the older software you had the "nat-control" which to my understanding on newer firewalls was defaulted to be OFF but might have been set ON by the user or it might have stayed in the configuration from older software levels after software updates because it was by default turned on with the older software versions to my understanding.

The "nat-control" setting to my understanding requires you to have NAT configuration for the networks/host between which the traffic flows. If the NAT Control was disabled then this was not required but to my understanding you still needed Static Identity NAT or NAT0 between your local interfaces to override your Dynamic NAT/PAT configurations for the local networks (traffic would match Dynamic rule even for traffic between local interfaces and fail without additional NAT configurations between interfaces)

For example look at the following situation with older software

global (wan) 1 interface

nat (lan) 1 10.10.10.0 255.255.255.0

nat (dmz) 1 192.168.10.0 255.255.255.0

In the above setup traffic from both "dmz" and "lan" usually would flow normally through to the "wan" interface but if you tried to connect from "lan" to "dmz" you would need perhaps Static Identity NAT and the configuration could look something like this

global (wan) 1 interface

nat (lan) 1 10.10.10.0 255.255.255.0

nat (dmz) 1 192.168.10.0 255.255.255.0

static (lan,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

or you could probably configure it the other way around

static (dmz,lan) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

Either of the above "static" commands should prevent the traffic between these interfaces from matching to the "nat" command for the initiating interface and therefore pass the traffic through the firewall without NAT.

Personally I started working with PIX/ASA/FWSM firewalls when I was just getting to know the 8.2 (and older) NAT configuration format and operation and then the 8.3 (and newer) versions were released and we started using them on multiple ASA platforms.

So I didn't really get to know all the aspects of the older NAT operation before I moved onto the new.

The main problem with the older software NAT and multiple local interfaces seems to be Dynamic NAT / PAT configurations. You usually tend to have this applied on each interface so if the traffic matched this old "nat" statement for Dynamic NAT/PAT the traffic might be dropped if you didnt have a "global" command for the destination interface (which I never would do as it likely causes more problems). And when you ran into this situation you usually resorted to Static Identity NAT or NAT0 to override the Dynamic NAT/PAT from happening to traffic between local interfaces (both of the before mentioned NAT types are higher priority than Dynamic NAT/PAT) behaviour.

In the new software the "nat-control" (on 8.3 and newer) is nore more and you simply configure NAT if you need to NAT.

The most basic ASA setup usually nowadays only requires Dynamic NAT/PAT towards your external interface and perhaps Static NAT/PAT for your servers, nothing more. If you implement VPN connections you will need NAT0 configurations to again bypass the Dynamic NAT/PAT operation. Its only when you are doing something a bit out of the ordinary that you really need NAT between local interfaces.

The above situation NAT configuration in new software could be narrowed down to the following in the new software without affecting behaviour

object-group network PAT-SOURCE

network-object 10.10.10.0 255.255.255.0

network-object 192.168.10.0 255.255.255.0

nat (any,wan) after-auto source dynamic PAT-SOURCE interface

And that would be the whole configuration until you either added new interfaces or VPN to the firewall, or perhaps Static NAT/PAT for hosted servers.

I would suggest checking some of the Configuration Guides for explanation on NAT behaviour if you need more specific information

Naturally if you have some more questions you can ask and I will try to answer if I can.

The text might be jumping around a bit from subject to subject as I modified some parts during writing this.

Hope this helps

- Jouni

3 REPLIES
Super Bronze

firewall interfaces & nat

Hi,

What software were you running on the ASA?

On software level 8.3 (or newer) you dont usually have to configure any NAT between your local interfaces (LAN/SERVERS) if you dont specifically want to NAT the addresses between these devices.

On the software level 8.2 (or older) you might be required to configure Identity NAT or NAT0 between local interface for the traffic to pass.

- Jouni

New Member

firewall interfaces & nat

Thanks Jouni.

We are running 9.x , but the question is generic for understanding the functionality of asa.

So , it means on ver 9.x & above, asa doesn't nat between interfaces even if on different security levels , unless told specifically to NAT?

Super Bronze

firewall interfaces & nat

Hi,

Yes, pretty much as you describe.

The main problem between the 8.2 (and older) and 8.3 (and newer) software levels are the following things

  • Nat Control (nat-control) setting
  • General NAT operation

In the older software you had the "nat-control" which to my understanding on newer firewalls was defaulted to be OFF but might have been set ON by the user or it might have stayed in the configuration from older software levels after software updates because it was by default turned on with the older software versions to my understanding.

The "nat-control" setting to my understanding requires you to have NAT configuration for the networks/host between which the traffic flows. If the NAT Control was disabled then this was not required but to my understanding you still needed Static Identity NAT or NAT0 between your local interfaces to override your Dynamic NAT/PAT configurations for the local networks (traffic would match Dynamic rule even for traffic between local interfaces and fail without additional NAT configurations between interfaces)

For example look at the following situation with older software

global (wan) 1 interface

nat (lan) 1 10.10.10.0 255.255.255.0

nat (dmz) 1 192.168.10.0 255.255.255.0

In the above setup traffic from both "dmz" and "lan" usually would flow normally through to the "wan" interface but if you tried to connect from "lan" to "dmz" you would need perhaps Static Identity NAT and the configuration could look something like this

global (wan) 1 interface

nat (lan) 1 10.10.10.0 255.255.255.0

nat (dmz) 1 192.168.10.0 255.255.255.0

static (lan,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

or you could probably configure it the other way around

static (dmz,lan) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

Either of the above "static" commands should prevent the traffic between these interfaces from matching to the "nat" command for the initiating interface and therefore pass the traffic through the firewall without NAT.

Personally I started working with PIX/ASA/FWSM firewalls when I was just getting to know the 8.2 (and older) NAT configuration format and operation and then the 8.3 (and newer) versions were released and we started using them on multiple ASA platforms.

So I didn't really get to know all the aspects of the older NAT operation before I moved onto the new.

The main problem with the older software NAT and multiple local interfaces seems to be Dynamic NAT / PAT configurations. You usually tend to have this applied on each interface so if the traffic matched this old "nat" statement for Dynamic NAT/PAT the traffic might be dropped if you didnt have a "global" command for the destination interface (which I never would do as it likely causes more problems). And when you ran into this situation you usually resorted to Static Identity NAT or NAT0 to override the Dynamic NAT/PAT from happening to traffic between local interfaces (both of the before mentioned NAT types are higher priority than Dynamic NAT/PAT) behaviour.

In the new software the "nat-control" (on 8.3 and newer) is nore more and you simply configure NAT if you need to NAT.

The most basic ASA setup usually nowadays only requires Dynamic NAT/PAT towards your external interface and perhaps Static NAT/PAT for your servers, nothing more. If you implement VPN connections you will need NAT0 configurations to again bypass the Dynamic NAT/PAT operation. Its only when you are doing something a bit out of the ordinary that you really need NAT between local interfaces.

The above situation NAT configuration in new software could be narrowed down to the following in the new software without affecting behaviour

object-group network PAT-SOURCE

network-object 10.10.10.0 255.255.255.0

network-object 192.168.10.0 255.255.255.0

nat (any,wan) after-auto source dynamic PAT-SOURCE interface

And that would be the whole configuration until you either added new interfaces or VPN to the firewall, or perhaps Static NAT/PAT for hosted servers.

I would suggest checking some of the Configuration Guides for explanation on NAT behaviour if you need more specific information

Naturally if you have some more questions you can ask and I will try to answer if I can.

The text might be jumping around a bit from subject to subject as I modified some parts during writing this.

Hope this helps

- Jouni

111
Views
5
Helpful
3
Replies
CreatePlease to create content