New Member

NAT help

I'm having an issue working with a PIX 7.0 that has lots of history. There are a ton of entries like the one below:

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

I'm trying to make one IP address on that subnet come out as the firewall's external IP. I have the global (outside) 1 interface set up with the nat (inside) 1 192.168.1.5. This doesn't work unless I pull out the static entry for the entire subnet.

The main problem I'm having is, for some reason, when I pull out the static that has the subnet: without the static entry the subnet comes out with an address other than itself. What does the PIX do for an address that doesn't have a static or global entry set up?

15 REPLIES
Green

Re: NAT help

Your problem is with NAT order of operations. The static for the 192 subnet takes precedence over your regular nat for 192.168.1.5.

1. nat exemption
2. static NAT
3. static PAT
4. policy NAT
5. regular NAT

New Member

Re: NAT help

So why is it that when I pull the static for the entire subnet they come out NAT'd to something else?

Green

Re: NAT help

What is the address?

It is NATing somewhere; if it's not in the static, it could be 3-5 mentioned above. Find the address in your config and you will know where.

New Member

Re: NAT help

I guess a better question would be: why would you put in a static entry for an address to NAT the address it already has? Shouldn't it already do this without that entry?

Green

Re: NAT help

Not sure I follow anymore.

New Member

Re: NAT help

sorry...

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

What is the purpose of an entry like that? Shouldn't anything on 192.168.1.0 come out with its real address even without that entry?

Green

Re: NAT help

Not if you have nat-control enabled.

The nat-control command on the PIX specifies that all traffic through the firewall must have a specific translation entry (nat statement with a matching global, or a static statement) for that traffic to pass through the firewall.

New Member

Re: NAT help

None in the running config.

Green (accepted solution)

Re: NAT help

It would also need to be there if you had something like

global (outside) 1 x.x.x.x

nat (inside) 1 0.0.0.0 0.0.0.0

and you did not want 192.168.1.0 to be PAT'ed to x.x.x.x

Hope that makes sense, I don't know enough about your environment to know whether it is needed or not.

New Member

Re: NAT help

That's actually what the problem was; I just found it 10 minutes ago. You've been a great help, acomiskey, thanks a ton :)

Green

Re: NAT help

No prob, please rate if it helped.

Re: NAT help

Hi guys,

I'm reopening this thread as it's close to my scenario.

I've got an ASA on 7.2 IOS version that has nat-control enabled, and I have this config:

static (intranet,outside) 192.168.0.5 192.168.0.5 netmask 255.255.255.255

Here is the rest of the config that might be important:

interface Ethernet0/2
 nameif intranet
 security-level 100
 ip address 192.168.0.1 255.255.254.0

nat (intranet) 0 access-list no_nat_intranet
nat (intranet) 1 access-list nat_users
global (dmz) 1 80.B.C.D

access-list nat_users line 1 extended permit ip 192.168.0.0 255.255.255.128 any

And here I got the pin:

access-list no_nat_intranet line 1 extended permit ip 192.168.0.0 255.255.254.0 192.168.10.0 255.255.255.0
access-list no_nat_intranet line 2 extended permit ip host 192.168.0.183 any
access-list no_nat_intranet line 3 extended permit ip host 192.168.0.5 any

What does this statement "state"? Can anyone kindly detail it?

And why is it necessary to exempt it again in the NAT_Exempt statement?

Super Bronze

NAT help

Hi,

Well, it seems you have 2 configurations for the host 192.168.0.5.

The "static" configuration line is an Identity NAT that basically states that the address isn't translated when it's accessing networks behind the "outside" interface, which doesn't make much sense since it's a private IP address. (Unless you have some other device doing NAT in front of the firewall.)

The "nat (intranet) 0" and one of its ACL lines basically states that when the host 192.168.0.5 tries to connect to "any" host on any interface, it shouldn't be NATed.

The "static" line only applies between "intranet" and "outside" WHILE the "nat (intranet) 0" applies between "intranet" and "any".

So I would have to guess that the NAT 0 rule's reason for being there is to prevent NAT from being done to this host 192.168.0.5 no matter where it connects through this firewall.

- Jouni
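To make the two cases in this thread concrete, here is a small Python model of the PIX/ASA 7.x NAT order of operations listed earlier (exemption, static NAT, static PAT, policy NAT, regular NAT). It is an added example, not code from Cisco or from anyone in the thread; the rule lists are constructed from the configs posted above, with x.x.x.x standing for the first poster's outside IP and 80.B.C.D kept as posted. It shows why the subnet static wins over nat (inside) 1 192.168.1.5, what nat-control does when nothing matches, and why the nat 0 ACL line for 192.168.0.5 still matters when the identity static only covers the outside interface.

```python
import ipaddress

# Precedence the reply above lists: exemption, static NAT, static PAT, policy NAT, regular NAT
PRECEDENCE = ["exempt", "static", "static_pat", "policy", "regular"]

class Rule:
    """One NAT statement. dst_if=None means 'towards any interface' (nat 0 access-list)."""
    def __init__(self, kind, src_if, real, mapped=None, dst="0.0.0.0/0", dst_if=None):
        self.kind, self.src_if, self.dst_if, self.mapped = kind, src_if, dst_if, mapped
        self.real = ipaddress.ip_network(real)   # real (inside) addresses this rule covers
        self.dst = ipaddress.ip_network(dst)     # destination match for ACL-based rules

def translate(rules, nat_control, src_if, dst_if, src_ip, dst_ip):
    """Return (kind of rule that won, mapped source address or pool label)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for kind in PRECEDENCE:                      # higher-precedence kinds are checked first
        for r in rules:
            if r.kind != kind or r.src_if != src_if or r.dst_if not in (None, dst_if):
                continue
            if src not in r.real or dst not in r.dst:
                continue
            if kind == "exempt":                 # nat 0 access-list: pass with the real address
                return (kind, str(src))
            if kind == "static":                 # one-to-one: keep the offset inside the block
                mapped = ipaddress.ip_network(r.mapped).network_address
                return (kind, str(mapped + (int(src) - int(r.real.network_address))))
            return (kind, r.mapped)              # pool/PAT label from the matching global
    # nothing matched: nat-control drops the flow, otherwise it passes untranslated
    return ("drop", None) if nat_control else ("untranslated", str(src))

# Constructed config for the first poster's PIX (x.x.x.x = firewall outside IP, assumed)
PIX_RULES = [
    Rule("static", "inside", "192.168.1.0/24", "192.168.1.0/24", dst_if="outside"),
    Rule("regular", "inside", "0.0.0.0/0", "PAT x.x.x.x", dst_if="outside"),  # nat 1 + global 1
]
# Constructed config for the second poster's ASA (ACL lines as posted in the thread)
ASA_RULES = [
    Rule("exempt", "intranet", "192.168.0.0/23", dst="192.168.10.0/24"),   # no_nat_intranet line 1
    Rule("exempt", "intranet", "192.168.0.183/32"),                        # line 2
    Rule("exempt", "intranet", "192.168.0.5/32"),                          # line 3
    Rule("static", "intranet", "192.168.0.5/32", "192.168.0.5/32", dst_if="outside"),
    Rule("regular", "intranet", "192.168.0.0/25", "PAT 80.B.C.D", dst_if="dmz"),  # nat_users + global (dmz) 1
]

def without(rules, kind, real):
    """Same rule list minus one statement, to see what changes when it is pulled."""
    return [r for r in rules if not (r.kind == kind and str(r.real) == real)]
```

Running translate() on 192.168.0.5 towards the dmz with the nat 0 line removed shows it falling through to the nat_users PAT, because the identity static is scoped to (intranet,outside) only.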

NAT help

Thanks mate!

Basically this means I can remove the static NAT statement, as it is covered by the nat 0 ACL.

Next, if I disable nat-control on the running config, the firewall being used in production, do you think it can cause any traffic disruption?

From what I read, it wouldn't make sense. Trouble might arise when enabling it (nat-control) if the config lacks some inside-to-outside nat statements. Am I right in this judgement?

Super Bronze

NAT help

Hi,

Would seem correct to me.

Though personally I have never really had the need to change the "nat-control" setting. Usually when I am doing some change that I have uncertainty about, I lab it or do the change during hours where any possible problem wouldn't cause much trouble for users.

Here is a link to a Cisco document about the "nat-control" setting:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html#wp1082396

- Jouni
