Reg. NAT Query in ASA

ankurs2008
Level 1
Hi halijenn / experts,

I want to configure NAT for the network 192.168.16.0/24 to destination 192.168.41.2/32, which must be translated to 2.2.2.2. Also, a few of the server
addresses on 192.168.16.0/24 must be translated to different NAT addresses for all other destinations (except 192.168.41.2). For example,
192.168.16.2 must be translated to 2.2.2.4 while going to any destination (except 192.168.41.2).

Please let me know if the below is correct

access-list ACLPOLICY extended permit ip 192.168.16.0 255.255.255.0 host 192.168.41.2

nat (INSIDE) 1 access-list ACLPOLICY

nat (INSIDE) 2 192.168.16.2 255.255.255.255


global (OUTSIDE) 1 2.2.2.2

global (OUTSIDE) 2 2.2.2.4


The issue is that, according to the NAT order of operations, NAT 0 with ACL comes first, followed by existing xlates and so on. Hence, when the user
initiates the connection from 192.168.16.2 to www.google.com, the translation entry will be created for 192.168.16.2 with the global 2.2.2.4; however,
if at the same time the user tries to access destination 192.168.41.2, will the firewall take the existing translation or will it consider 2.2.2.2 for NATting?
In my case the packet does not consider the existing xlates and does not take the correct NAT. Please let me know if any other solution exists to accomplish
the same.



9 Replies

Jennifer Halim
Cisco Employee

Hi Ankur,

You are right. NAT 0 with ACL takes precedence over all other NAT statements; hence, NAT 0 with ACL is normally configured very specifically on the ACL. If the ACL does not match the NAT 0 statement, then it will check for static NAT, then the normal identity NAT statements.

In your scenario, if there is an existing translation for 192.168.16.2 to 2.2.2.4, then every other connection will be using 2.2.2.4 until you actually do a "clear xlate" for that particular host 192.168.16.2. Once you clear the translation for that host, if the host is trying to access the 192.168.41.2 host, it will be PATed to 2.2.2.2.

Bear in mind that the NAT statements configured on your firewall are exactly in the order of your sample configuration posted. With identity NAT, it processes the list from top to bottom, so if it matches a specific NAT statement at the top, then it will stop going through the list. It does not try to match a more specific NAT statement.

Hope that helps.

Hi halijenn

Thanks for the reply!

Is there any alternative solution for my query, and that too without doing "clear xlate" every time?

Also, according to your statement below, "With identity NAT, it processes the list from top to bottom, so if it matches a specific NAT statement at the top, then it will stop going through the list. It does not try to match a more specific NAT statement", does this mean that the above is not possible even with identity NAT?

Actually, just thinking further on NAT, if you are going to a different destination, that will not be considered as the same translation/existing translation. A translation line will only be from the same source towards the same destination with multiple connections (e.g. http, https, ftp, etc.) on 1 translation line.

Hence, from your example, if it's not going towards the destination 192.168.41.2 then it will check the next NAT statement inline, and should match your "nat (inside) 2 192.168.16.2".

NT is correct; the configuration is OK for what you are trying to achieve as long as it is exactly how it is configured in your firewall (i.e. the order of the NAT statements on the actual firewall).

Nagaraja Thanthry
Cisco Employee

Hello,

Your configuration looks good. When the traffic hits the firewall, the NAT with the ACL is evaluated before other NAT rules. So, in your case, if the traffic is going to 192.168.42.x, then the first NAT rule will be applied. Also, the other thing to notice is that, while the firewall looks into the XLATE table to see if there is any current XLATE, it is bound by the access-list rules. So, with the configuration you have, you should be able to achieve the goal.

Hope this helps.

Regards,

NT

Hi halijenn / NT

Thanks a ton!

Halijenn, please explain a little more on the statement below:

A translation line will only be from the same source towards the same destination with multiple connections (e.g. http, https, ftp, etc.) on 1 translation line.

What I mean is that 1 xlate entry (translation entry) might consist of multiple connections if the source and destination are the same.

You can also configure policy NAT for a specific application, e.g. if a source is going to a specific destination on the telnet port, PAT it to 1.1.1.1, and if the same source is going to the same destination on the http port, PAT it to 1.1.1.2. So basically, you can configure the policy NAT with just source and destination in the ACL, or a more granular policy with the destination port as well.

Here is the document for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1088419

Hope that makes sense.

Hi halijenn

Thanks for the reply. I understood it; however, I have a query regarding the output of "sh xlate" on the firewall. Will I be able to see only one "local" to "global" mapping for 192.168.16.2 as per the scenario below? I.e., what will be the output of "sh xlate" when I try to access the internet and the IP 192.168.41.2 both at the same time with the source IP 192.168.16.2?

access-list ACLPOLICY extended permit ip 192.168.16.0 255.255.255.0 host 192.168.41.2

nat (INSIDE) 1 access-list ACLPOLICY

nat (INSIDE) 2 192.168.16.2 255.255.255.255


global (OUTSIDE) 1 2.2.2.2

global (OUTSIDE) 2 2.2.2.4

You should have 2 lines of xlate entries, one for each global address it's PATed to.

You can check more details from "show xlate detail" output.
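To make the rule selection and the resulting xlate table concrete, here is an added Python model of pre-8.3 ASA dynamic NAT evaluation; it is not code from the thread or from Cisco. It assumes the precedence from the NAT overview guide linked above (nat 0 access-list first, then policy dynamic NAT in configured order, then regular dynamic NAT by best match), leaves static NAT out because the posted configuration has none, and keys the xlate table on (local, global) pairs in a simplified form that is not the real "show xlate detail" format. The destination 203.0.113.10 is a constructed stand-in for an internet host; the policy to 192.168.41.2 and the globals are the thread's own.

```python
"""Toy model of ASA 8.2 (pre-8.3) dynamic NAT rule selection (added example, not Cisco code).

Assumed evaluation order, taken from the 8.2 NAT overview guide:
  1. nat 0 access-list   (NAT exemption, first match in configured order)
  2. policy dynamic NAT  (nat <id> access-list, source AND destination, first match in order)
  3. regular dynamic NAT (nat <id> <net> <mask>, source only, best/longest-prefix match)
Static NAT is omitted because the thread's configuration has none.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class Acl:
    """One 'permit ip <src> <dst>' line of an extended access-list."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, s: IPv4Address, d: IPv4Address) -> bool:
        return s in self.src and d in self.dst


@dataclass
class NatRule:
    """'nat (INSIDE) <id> ...'; id 0 is exemption, any other id pairs with 'global (OUTSIDE) <id>'."""
    nat_id: int
    net: Optional[IPv4Network] = None    # regular NAT: local network
    acl: Optional[List[Acl]] = None      # policy NAT: access-list lines


@dataclass
class Xlate:
    """Simplified translation-table row: one per (local, global) pair, many connections."""
    local: IPv4Address
    glob: IPv4Address
    conns: List[Tuple[IPv4Address, int]] = field(default_factory=list)


class AsaNat:
    def __init__(self, nats: List[NatRule], globals_: Dict[int, IPv4Address]):
        self.nats = nats
        self.globals = globals_
        self.xlate: Dict[Tuple[IPv4Address, IPv4Address], Xlate] = {}

    def select_rule(self, s: IPv4Address, d: IPv4Address) -> Optional[NatRule]:
        # Phase 1 and 2: ACL-based rules, configured order, first match wins.
        for want_id0 in (True, False):
            for r in self.nats:
                if r.acl is not None and (r.nat_id == 0) == want_id0 and any(a.matches(s, d) for a in r.acl):
                    return r
        # Phase 3: regular dynamic NAT, best (longest prefix) match regardless of order.
        regular = [r for r in self.nats if r.net is not None and s in r.net]
        return max(regular, key=lambda r: r.net.prefixlen) if regular else None

    def translate(self, s: IPv4Address, d: IPv4Address, dport: int) -> IPv4Address:
        rule = self.select_rule(s, d)
        if rule is None or rule.nat_id == 0:
            return s  # exempt or unmatched (nat-control disabled): address unchanged, no xlate
        glob = self.globals[rule.nat_id]
        entry = self.xlate.setdefault((s, glob), Xlate(s, glob))
        entry.conns.append((d, dport))
        return glob

    def show_xlate(self) -> List[str]:
        """Constructed summary; the real 'show xlate detail' output looks different."""
        return [f"PAT Global {x.glob} Local {x.local} ({len(x.conns)} connections)"
                for x in self.xlate.values()]


def thread_config() -> AsaNat:
    """The configuration posted in the question, expressed in the model."""
    policy = [Acl(IPv4Network("192.168.16.0/24"), IPv4Network("192.168.41.2/32"))]
    nats = [NatRule(1, acl=policy),                          # nat (INSIDE) 1 access-list ACLPOLICY
            NatRule(2, net=IPv4Network("192.168.16.2/32"))]  # nat (INSIDE) 2 192.168.16.2 255.255.255.255
    return AsaNat(nats, {1: IPv4Address("2.2.2.2"),          # global (OUTSIDE) 1 2.2.2.2
                         2: IPv4Address("2.2.2.4")})         # global (OUTSIDE) 2 2.2.2.4


def demo() -> Tuple[str, str, str, List[str]]:
    """192.168.16.2 opens an internet flow and two flows to 192.168.41.2 at the same time."""
    asa = thread_config()
    host = IPv4Address("192.168.16.2")
    internet = IPv4Address("203.0.113.10")   # constructed stand-in for www.google.com
    server = IPv4Address("192.168.41.2")
    g_internet = asa.translate(host, internet, 443)
    g_http = asa.translate(host, server, 80)
    g_telnet = asa.translate(host, server, 23)  # same source and destination: shares the xlate row
    return str(g_internet), str(g_http), str(g_telnet), asa.show_xlate()


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running it gives 2.2.2.4 for the internet flow and 2.2.2.2 for both flows to 192.168.41.2, with two rows in the table: the two connections to 192.168.41.2 share one row, and the internet flow gets its own, which is the "2 lines of xlate entries" described above.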

Hi halijenn

Thanks a lot! I believe we can see the same via the "show nat" command as well.
