05-19-2010 08:35 PM - edited 03-11-2019 10:48 AM
Hi Guys,
I have an ASA 5510 (OS 7.0.2) that separates a remote access subnet from an ecommerce subnet.
What I want to implement is configuration that says, by default, NAT from the remote access subnet is not required however some specific addresses need to be NAT'd.
I am thinking of implementing the following config but I'm not certain it will work and I do not have a test environment to test in:
! By default, traffic is NAT'd to 1.1.1.1
nat (remote_access_if) 1 0.0.0.0 0.0.0.0
global (ecommerce_subnet_if) 1 1.1.1.1
! Specified traffic not to NAT
access-list NAT_EXCEPTIONS extended permit ip any 10.1.1.0 255.255.255.0
access-list NAT_EXCEPTIONS extended permit ip any 10.1.2.0 255.255.255.0
! Do not NAT specified traffic
nat (remote_access_if) 2 access-list NAT_EXCEPTIONS
global (ecommerce_subnet_if) 2 0.0.0.0
My fear is this will NAT traffic I don't want NAT'd to 0.0.0.0.
Can anyone confirm if my config is suitable to meet my objectives?
TIA
Rgds
Scott
05-20-2010 01:14 AM
NAT exemption (NAT 0 with ACL) takes precedence over the dynamic NAT, hence you can't configure a generic ACL with the whole subnet to be exempted.
global (ecommerce_subnet_if) 2 0.0.0.0 ---> this is an incorrect statement. You can't configure global with 0.0.0.0, and a nat and global pair is actually configured to NAT the traffic.
If you can share the interface subnet of both remote and ecommerce as well as the security level configured for each interface, plus what ip you would like to NAT and to NAT it to what ip address, as well as what you do not want to NAT, then I can try to put something together if it is possible.
05-20-2010 03:54 PM
Hi Halijen,
Thanks for your response. I figured I'd have to list all the exceptions under nat 0, but there are quite a few so I'm hoping there is another way to do this.
Here is the detail you requested:
interface Ethernet0/2.1
nameif REMOTE
security-level 10
subnet: 192.168.1.0/24
By default, traffic should not be NAT'd coming from this interface, however there are some key IPs that I need to NAT (eg. 192.168.24.0/24 NAT'd to 1.1.1.1 and 172.16.1.0/24 NAT'd to 1.1.1.2)
interface Ethernet0/3.2
nameif ECOMMERCE
security-level 20
subnet: 1.1.1.0/24
If you know of a workaround I would really appreciate you sharing it with me.
Thanks in advance
Rgds
Scott
05-21-2010 07:02 PM
OK, so you would like to NAT from low security level to high security level. And traffic is between 1.1.1.0/24 to 192.168.24.0/24 and 172.16.1.0/24
To start with, I assume you already have the following configured:
access-list ecommerce-nonat permit ip 1.1.1.0 255.255.255.0 192.168.24.0 255.255.255.0
access-list ecommerce-nonat permit ip 1.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (ECOMMERCE) 0 access-list ecommerce-nonat
In regards to what you would like to achieve, then you would need to add the following:
access-list remote-pat-1 permit ip 192.168.24.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list remote-pat-2 permit ip 172.16.1.0 255.255.255.0 1.1.1.0 255.255.255.0
nat (REMOTE) 5 access-list remote-pat-1 outside
global (ECOMMERCE) 5 1.1.1.1
nat (REMOTE) 6 access-list remote-pat-2 outside
global (ECOMMERCE) 6 1.1.1.2
Hope that makes sense.
05-25-2010 10:09 PM
Hi Halijen,
I'm still a little confused. Perhaps you can answer another question for me that would help further my understanding.
Of the following 3 types of NAT rules, what order does the ASA process them in? I.e. what has priority? Does a static rule take precedence over global rules?
Exception rule eg:
nat (if) 0 access-list list
global (if) 0 NAT_IP_address
Global Rules eg:
nat (if) # access-list list
global (if) # NAT_IP_address
Static Rules eg:
static (if,NAT_if) mapped_IP source_IP netmask mask
I'm sure if I can better understand how the unit handles NAT I can ensure I'm asking and expecting the right questions/information.
Thanks in advance
Cheers
Scott
05-25-2010 10:26 PM
Scott,
The exception rule that you added is incorrect.
You only need the NAT statement. There's no global 0 statement for identity NAT.
The STATIC NAT rules take precedence over the dynamic NAT rules.
Look at the order of NAT precedence on the ASA:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1079279
Hope to help.
Federico.
05-26-2010 02:52 AM
Federico is correct.
Here is the order of operation:
1) NAT 0 with ACL - NAT exemption
2) Static NAT
3) Dynamic NAT - nat/global pair
The above is correct for source NAT (traffic from high to low security level).
For destination NAT (i.e. NATing traffic from low to high security level), for dynamic NAT, you would need to add the "outside" keyword, plus you also need to have source NAT as per my example earlier.
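As an added illustration of the precedence just listed (and of the nat/global pairs in the earlier example), here is a small Python model that is not part of the thread and not Cisco's implementation: it parses the pre-8.3 access-list / nat / global / static syntax used above and, for a given source and destination, reports which rule wins. It is deliberately simplified: one global per nat id, the "outside" keyword is parsed but ignored, and the sample config with its 1.1.1.x / 192.168.x addresses is constructed for the demonstration on the REMOTE and ECOMMERCE interface names from the thread.

```python
"""Simplified model of pre-8.3 ASA NAT rule precedence (illustration only)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class NatRule:
    kind: str              # "exempt" (nat 0 + ACL), "static" or "dynamic" (nat/global pair)
    iface: str             # interface the real (untranslated) address sits behind
    src: Net               # real source addresses the rule matches
    dst: Net               # destination criterion; ANY when the rule has none
    mapped: Optional[str]  # translated address (base address for static), None for exempt
    policy: bool = False   # dynamic rule driven by an ACL rather than a plain subnet


def _addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Read 'any' or 'ADDR MASK' at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ANY, i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text: str) -> List[NatRule]:
    """Turn access-list / nat / global / static lines into NatRule objects.
    Only the syntax subset used in the thread is understood; '!' starts a comment."""
    acls: Dict[str, List[Tuple[Net, Net]]] = {}
    globals_: Dict[int, str] = {}  # nat id -> mapped address (assumes one global per id)
    dynamic: List[Tuple[str, int, Net, Net, bool]] = []
    rules: List[NatRule] = []
    for raw in text.splitlines():
        t = raw.split("!")[0].split()
        if not t:
            continue
        if t[0] == "access-list":      # access-list NAME [extended] permit ip SRC DST
            i = t.index("ip") + 1
            src, i = _addr(t, i)
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat":            # nat (IF) ID access-list NAME [outside] | nat (IF) ID ADDR MASK
            iface, nat_id = t[1].strip("()"), int(t[2])
            if t[3] == "access-list":
                for src, dst in acls[t[4]]:
                    if nat_id == 0:
                        rules.append(NatRule("exempt", iface, src, dst, None))
                    else:
                        dynamic.append((iface, nat_id, src, dst, True))
            else:
                src, _ = _addr(t, 3)
                dynamic.append((iface, nat_id, src, ANY, False))
        elif t[0] == "global":         # global (IF) ID MAPPED_IP
            globals_[int(t[2])] = t[3]
        elif t[0] == "static":         # static (REAL_IF,MAPPED_IF) MAPPED REAL netmask MASK
            real_if = t[1].strip("()").split(",")[0]
            src = ipaddress.ip_network(f"{t[3]}/{t[5]}", strict=False)
            rules.append(NatRule("static", real_if, src, ANY, t[2]))
    for iface, nat_id, src, dst, policy in dynamic:
        if nat_id not in globals_:
            raise ValueError(f"nat id {nat_id} has no matching global statement")
        rules.append(NatRule("dynamic", iface, src, dst, globals_[nat_id], policy))
    return rules


def select_nat(rules: List[NatRule], iface: str, src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
    """Pick the rule applied to a flow whose real source sits behind `iface`.
    Returns (rule kind, translated source); None means 'not translated'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)

    def hits(r: NatRule) -> bool:
        return r.iface == iface and s in r.src and d in r.dst

    # 1) nat 0 with ACL: exemption wins outright and nothing is translated
    if any(hits(r) for r in rules if r.kind == "exempt"):
        return "exempt", None
    # 2) static NAT: mapped address keeps the host offset inside the real block
    for r in rules:
        if r.kind == "static" and hits(r):
            offset = int(s) - int(r.src.network_address)
            return "static", str(ipaddress.ip_address(int(ipaddress.ip_address(r.mapped)) + offset))
    # 3) dynamic nat/global pairs: ACL-driven (policy) entries before plain subnet entries
    for want_policy in (True, False):
        for r in rules:
            if r.kind == "dynamic" and r.policy == want_policy and hits(r):
                return "dynamic", r.mapped
    return "none", None


# Constructed sample config on the thread's REMOTE/ECOMMERCE interfaces; addresses are made up
SAMPLE_CONFIG = """
! exempt the whole 192.168.1.0/24 block regardless of destination
access-list remote-nonat permit ip 192.168.1.0 255.255.255.0 any
nat (REMOTE) 0 access-list remote-nonat
! policy NAT: 192.168.24.0/24 talking to ecommerce is translated to 1.1.1.1
access-list remote-pat-1 permit ip 192.168.24.0 255.255.255.0 1.1.1.0 255.255.255.0
nat (REMOTE) 5 access-list remote-pat-1 outside
global (ECOMMERCE) 5 1.1.1.1
! catch-all dynamic PAT for everything else behind REMOTE
nat (REMOTE) 1 0.0.0.0 0.0.0.0
global (ECOMMERCE) 1 1.1.1.9
! one host that also matches the policy rule gets a fixed static mapping
static (REMOTE,ECOMMERCE) 1.1.1.60 192.168.24.50 netmask 255.255.255.255
"""


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    rules = parse_config(SAMPLE_CONFIG)
    flows = {
        "192.168.1.20": "1.1.1.3",   # exemption beats the catch-all pair
        "192.168.24.50": "1.1.1.3",  # static beats the policy pair it also matches
        "192.168.24.7": "1.1.1.3",   # policy pair beats the catch-all pair
        "10.9.9.9": "1.1.1.3",       # only the catch-all pair matches
    }
    return {src: select_nat(rules, "REMOTE", src, dst) for src, dst in flows.items()}


if __name__ == "__main__":
    for src, (kind, mapped) in demo().items():
        print(f"{src:15} -> {kind:8} {mapped or '(no translation)'}")
```

Running it shows the three tiers in action: 192.168.1.20 is exempted even though the catch-all nat 1 / global 1 pair would otherwise match it, 192.168.24.50 takes its static mapping ahead of the policy pair, and 192.168.24.7 hits the policy pair before the catch-all one. Extending the sample with further access-list entries is the quickest way to check which rule a particular source will land on before touching the box.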
05-26-2010 07:45 PM
Thanks Gents. I will do some testing and let you know how I go
Rgds
Scott