New Member

How to NAT by default with exceptions (ASA)

Hi Guys,

I have an ASA 5510 (OS 7.0.2) that separates a remote access subnet from an ecommerce subnet.

What I want to implement is configuration that says, by default, NAT from the remote access subnet is not required however some specific addresses need to be NAT'd.

I am thinking of implementing the following config, but I'm not certain it will work and I do not have a test environment to test in:

! By default, traffic is NAT'd to 1.1.1.1
nat (remote_access_if) 1 0.0.0.0 0.0.0.0
global (ecommerce_subnet_if) 1 1.1.1.1

! Specified traffic not to NAT
access-list NAT_EXCEPTIONS extended permit ip any 10.1.1.0 255.255.255.0
access-list NAT_EXCEPTIONS extended permit ip any 10.1.2.0 255.255.255.0

! Do not NAT specified traffic
nat (remote_access_if) 2 access-list NAT_EXCEPTIONS
global (ecommerce_subnet_if) 2 0.0.0.0

My fear is this will NAT traffic I don't want NAT'd to 0.0.0.0.

Can anyone confirm if my config is suitable to meet my objectives?

TIA

Rgds

Scott

7 REPLIES
Cisco Employee

Re: How to NAT by default with exceptions (ASA)

NAT exemption (NAT 0 with ACL) takes precedence over the dynamic NAT, hence you can't configure a generic ACL with the whole subnet to be exempted.

global (ecommerce_subnet_if) 2 0.0.0.0 ---> this is an incorrect statement. You can't configure global with 0.0.0.0, and a nat and global pair is actually configured to NAT the traffic.

If you can share the interface subnet of both remote and ecommerce as well as the security level configured for each interface, plus what ip you would like to NAT and to NAT it to what ip address, as well as what you do not want to NAT, then I can try to put something together if it is possible.

New Member

Re: How to NAT by default with exceptions (ASA)

Hi Halijen,

Thanks for your response. I figured I'd have to list all the exceptions under nat 0, but there are quite a few so I'm hoping there is another way to do this.

Here is the detail you requested:

interface Ethernet0/2.1
nameif REMOTE
security-level 10
subnet: 192.168.1.0/24

By default, traffic should not be NAT'd coming from this interface, however there are some key IPs that I need to NAT (eg. 192.168.24.0/24 NAT'd to 1.1.1.1 and 172.16.1.0/24 NAT'd to 1.1.1.2)

interface Ethernet0/3.2
nameif ECOMMERCE
security-level 20
subnet: 1.1.1.0/24

If you know of a workaround I would really appreciate you sharing it with me.

Thanks in advance

Rgds

Scott

Cisco Employee

Re: How to NAT by default with exceptions (ASA)

OK, so you would like to NAT from a low security level to a high security level. And the traffic is between 1.1.1.0/24 and 192.168.24.0/24 and 172.16.1.0/24.

To start with, I assume you already have the following configured:

access-list ecommerce-nonat permit ip 1.1.1.0 255.255.255.0 192.168.24.0 255.255.255.0
access-list ecommerce-nonat permit ip 1.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (ECOMMERCE) 0 access-list ecommerce-nonat

In regards to what you would like to achieve, you would then need to add the following:

access-list remote-pat-1 permit ip 192.168.24.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list remote-pat-2 permit ip 172.16.1.0 255.255.255.0 1.1.1.0 255.255.255.0
nat (REMOTE) 5 access-list remote-pat-1 outside
global (ECOMMERCE) 5 1.1.1.1
nat (REMOTE) 6 access-list remote-pat-2 outside
global (ECOMMERCE) 6 1.1.1.2

Hope that makes sense.

New Member

Re: How to NAT by default with exceptions (ASA)

Hi Halijen,

I'm still a little confused. Perhaps you can answer another question for me that would help further my understanding.

Of the following 3 types of NAT rules, what order does the ASA process them in? I.e. what has priority? Does a static rule take precedence over global rules?

Exception rule, eg:
nat (if) 0 access-list list
global (if) 0 NAT_IP_address

Global rules, eg:
nat (if) # access-list list
global (if) # NAT_IP_address

Static rules, eg:
static (if, NAT_if) NAT_if source_IP netmask mask

I'm sure if I can better understand how the unit handles NAT I can ensure I'm asking and expecting the right questions/information.

Thanks in advance

Cheers

Scott

Re: How to NAT by default with exceptions (ASA)

Scott,

The exception rule that you added is incorrect.

You only need the NAT statement. There's no global 0 statement for identity NAT.

The STATIC NAT rules take precedence over the dynamic NAT rules.

Look at the order of NAT precedence on the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1079279

Hope to help.

Federico.

Cisco Employee

Re: How to NAT by default with exceptions (ASA)

Federico is correct.

Here is the order of operation:

1) NAT 0 with ACL - NAT exemption

2) Static NAT

3) Dynamic NAT - nat/global pair

The above is correct for source NAT (traffic from a high to a low security level).

For destination NAT (i.e. NATing traffic from a low to a high security level), for dynamic NAT you would need to add the "outside" keyword, plus you also need to have source NAT as per my example earlier.
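
A small Python model, added here as an illustration and not Cisco code or anything posted by the participants above, that encodes only the order of operations listed in this reply (NAT exemption, then static, then dynamic nat/global pair) and the "outside" keyword requirement for dynamic NAT from a lower to a higher security interface, and runs the rule set from the earlier reply against constructed flows between the subnets Scott gave. The interface names, security levels, subnets and mapped addresses come from the thread; the host addresses, the rule/ACL representation, the one-directional matching and the static rule used in the precedence check are assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Constructed from the thread: REMOTE (level 10) is the lower-security side.
SECURITY_LEVEL = {"REMOTE": 10, "ECOMMERCE": 20}

# Order of operations as stated in the reply above (highest priority first).
PRECEDENCE = ("exempt", "static", "dynamic")


@dataclass(frozen=True)
class AclEntry:
    src: IPv4Network
    dst: IPv4Network


def policy_acl(*pairs: Tuple[str, str]) -> List[AclEntry]:
    """Build a policy ACL from (source prefix, destination prefix) strings."""
    return [AclEntry(IPv4Network(s), IPv4Network(d)) for s, d in pairs]


@dataclass
class NatRule:
    kind: str                          # "exempt" (nat 0 acl), "static", or "dynamic" (nat/global)
    real_if: str                       # interface the real (untranslated) source sits behind
    mapped_ip: Optional[str] = None    # global/static mapped address; None for exemption
    acl: List[AclEntry] = field(default_factory=list)  # empty = any source/destination
    outside: bool = False              # the "outside" keyword on a dynamic nat statement

    def matches(self, ingress_if: str, src: IPv4Address, dst: IPv4Address) -> bool:
        # Simplification: a rule is evaluated only for flows entering its own interface.
        if ingress_if != self.real_if:
            return False
        if not self.acl:
            return True
        return any(src in e.src and dst in e.dst for e in self.acl)


def translate(rules: List[NatRule], ingress_if: str, egress_if: str,
              src: str, dst: str) -> Tuple[str, str]:
    """Return (rule kind, translated source) for one flow, or ("none", src)
    when no rule applies. Rules are tried by kind in PRECEDENCE order, so a
    static rule wins over a dynamic one no matter where it was configured.
    A dynamic rule for a low-to-high flow is skipped unless it has "outside"."""
    s, d = IPv4Address(src), IPv4Address(dst)
    low_to_high = SECURITY_LEVEL[ingress_if] < SECURITY_LEVEL[egress_if]
    for kind in PRECEDENCE:
        for rule in rules:
            if rule.kind != kind or not rule.matches(ingress_if, s, d):
                continue
            if kind == "dynamic" and low_to_high and not rule.outside:
                continue
            return kind, (src if kind == "exempt" else rule.mapped_ip)
    return "none", src


# The rule set from the earlier reply, in the order it was configured.
THREAD_RULES = [
    NatRule("exempt", "ECOMMERCE", None,
            policy_acl(("1.1.1.0/24", "192.168.24.0/24"),
                       ("1.1.1.0/24", "172.16.1.0/24"))),
    NatRule("dynamic", "REMOTE", "1.1.1.1",
            policy_acl(("192.168.24.0/24", "1.1.1.0/24")), outside=True),
    NatRule("dynamic", "REMOTE", "1.1.1.2",
            policy_acl(("172.16.1.0/24", "1.1.1.0/24")), outside=True),
]

# Same dynamic rule without "outside": low-to-high dynamic NAT will not apply.
NO_OUTSIDE_RULES = [
    NatRule("dynamic", "REMOTE", "1.1.1.1",
            policy_acl(("192.168.24.0/24", "1.1.1.0/24")), outside=False),
]

# Constructed: a static entry for one host, listed after the dynamic rule,
# to show that precedence is by rule kind rather than configuration order.
PRECEDENCE_RULES = THREAD_RULES + [
    NatRule("static", "REMOTE", "1.1.1.9",
            policy_acl(("192.168.24.5/32", "0.0.0.0/0"))),
]

if __name__ == "__main__":
    flows = [
        (THREAD_RULES, "REMOTE", "ECOMMERCE", "192.168.24.5", "1.1.1.50"),
        (THREAD_RULES, "REMOTE", "ECOMMERCE", "172.16.1.9", "1.1.1.50"),
        (THREAD_RULES, "REMOTE", "ECOMMERCE", "192.168.1.5", "1.1.1.50"),
        (THREAD_RULES, "ECOMMERCE", "REMOTE", "1.1.1.50", "192.168.24.5"),
        (NO_OUTSIDE_RULES, "REMOTE", "ECOMMERCE", "192.168.24.5", "1.1.1.50"),
        (PRECEDENCE_RULES, "REMOTE", "ECOMMERCE", "192.168.24.5", "1.1.1.50"),
    ]
    for rules, i, e, s, d in flows:
        print(f"{i}->{e} {s}->{d}: {translate(rules, i, e, s, d)}")
```

The third flow is the one Scott asked about originally: a REMOTE host that is in none of the policy ACLs matches no rule, so the model leaves its source untouched rather than translating it to anything. The fifth flow shows why the "outside" keyword matters for the low-to-high direction, and the last shows the static entry winning over the dynamic one that precedes it in the list.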

New Member

Re: How to NAT by default with exceptions (ASA)

Thanks Gents. I will do some testing and let you know how I go.

Rgds

Scott
