Cisco Support Community
New Member

Twice NAT configuration does not make sense

I am reading my CCNP Firewall guide and attempting to understand twice NAT. It described a scenario where twice NAT is used to resolve the condition of overlapping IP ranges as follows:

[image: setup.png]

For the most part I understand the setup. The ASA is "tricking" the network on the left that the network on the right is 192.168.10.0/24 and conversely it is tricking the network on the right that the network on the left is 192.168.20.0/24.

However, the matching criteria seem to be that if something is from 10.0.0.0/24 going TO 10.0.0.0/24 then translate the source and destination:

[image: Add NAT Rule.png]

INSIDE-SEGMENT and PARTNER-VPN-SEGMENT are the same. So in essence NAT will only take place if a packet is coming in on the inside interface (from 10.0.0.0/24) and going out on the outside interface (to 10.0.0.0/24). But in my mind this makes no sense - nothing would match those criteria. If a local host needs to go to something on its local network it will clearly not send it to its default gateway (the firewall). It will use ARP and L2 to get to the destination. Clearly the host in the original diagram above is going to be sending a packet to the 192.168.20.0/24 network. But there are no criteria for that source/destination combo...

I hope this makes sense. Please help if you can. Thanks in advance.

The CLI code (from the book) is as follows:

object network PARTNER-VPN-NAT-INBOUND
 subnet 192.168.20.0 255.255.255.0
!
object network PARTNER-VPN-NAT-OUTBOUND
 subnet 192.168.10.0 255.255.255.0
!
object network PARTNER-VPN-SEGMENT
 subnet 10.0.0.0 255.255.255.0
!
nat (inside,outside) 3 source static INSIDE-SEGMENT PARTNER-VPN-NAT-OUTBOUND destination static PARTNER-VPN-SEGMENT PARTNER-VPN-NAT-INBOUND

Accepted Solutions
Super Bronze

Twice NAT configuration does not make sense

Hi,

Is the above CLI format configuration truly from the CCNP book? I have not yet read that myself, but if it is then it's wrong.

The "destination" parameters, in other words the objects, are the wrong way around.

The general format of the "nat" command for Manual NAT is

nat (sourceint,destint) source static destination static

So in the example situation the overlapped networks would be handled on a single device, though usually I prefer to have the remote site do a NAT for their side so that I won't have to resort to these NAT configurations I consider a bit special.

So in your example the configuration should be

nat (inside,outside) 3 source static INSIDE-SEGMENT PARTNER-VPN-NAT-OUTBOUND destination static PARTNER-VPN-NAT-INBOUND PARTNER-VPN-SEGMENT

The traffic flow from the local internal network would go like this

  • local 10.0.0.x to remote 192.168.20.x
  • remote 192.168.20.x UN-NAT to remote 10.0.0.x
  • local 10.0.0.x NAT to local 192.168.10.x
  • Packet matches Crypto ACL (source 192.168.10.x destination 10.0.0.x) and traffic sent to VPN, or the VPN negotiation starts and traffic forwarded to VPN

Hope this helps

- Jouni
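To make the ordering argument above concrete, here is an added example (not from the thread, the book, or Cisco) that models how an ASA manual NAT rule matches an outbound packet: on the real source and the mapped destination, in the order the CLI keywords are written. The object names and the sample packet 10.0.0.5 -> 192.168.20.7 are constructed from the thread; it shows that the book's order only matches 10.0.0.x -> 10.0.0.x traffic, while the corrected order translates the packet to 192.168.10.5 -> 10.0.0.7 as described in the reply.

```python
import ipaddress

# Constructed model of the ASA manual ("twice") NAT rule discussed in the thread; not Cisco code.
# A rule is written in CLI keyword order:
#   nat (real_if,mapped_if) source static REAL_SRC MAPPED_SRC destination static MAPPED_DST REAL_DST
OBJECTS = {
    "INSIDE-SEGMENT": ipaddress.ip_network("10.0.0.0/24"),                # real local subnet
    "PARTNER-VPN-SEGMENT": ipaddress.ip_network("10.0.0.0/24"),           # real remote subnet (overlaps)
    "PARTNER-VPN-NAT-OUTBOUND": ipaddress.ip_network("192.168.10.0/24"),  # how the partner sees us
    "PARTNER-VPN-NAT-INBOUND": ipaddress.ip_network("192.168.20.0/24"),   # how we see the partner
}

def static_map(addr, from_net, to_net):
    """Static network NAT keeps the host bits and swaps the network portion."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)

def twice_nat(rule, src, dst):
    """Apply a manual NAT rule to a packet leaving the real (inside) interface.

    rule is a 4-tuple of object names in CLI order: (real_src, mapped_src, mapped_dst, real_dst).
    Returns the translated (src, dst) strings, or None when the packet does not match the rule.
    """
    real_src, mapped_src, mapped_dst, real_dst = (OBJECTS[name] for name in rule)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Outbound match: REAL source address and MAPPED destination (the address the host actually sends to).
    if src not in real_src or dst not in mapped_dst:
        return None
    return (str(static_map(src, real_src, mapped_src)),
            str(static_map(dst, mapped_dst, real_dst)))

# Object order exactly as printed in the book excerpt, and as corrected in the reply.
BOOK_RULE = ("INSIDE-SEGMENT", "PARTNER-VPN-NAT-OUTBOUND",
             "PARTNER-VPN-SEGMENT", "PARTNER-VPN-NAT-INBOUND")
FIXED_RULE = ("INSIDE-SEGMENT", "PARTNER-VPN-NAT-OUTBOUND",
              "PARTNER-VPN-NAT-INBOUND", "PARTNER-VPN-SEGMENT")

if __name__ == "__main__":
    pkt = ("10.0.0.5", "192.168.20.7")  # constructed: local host talking to the partner's NAT'd address
    print("book order :", twice_nat(BOOK_RULE, *pkt))   # None: 192.168.20.7 is not in 10.0.0.0/24
    print("fixed order:", twice_nat(FIXED_RULE, *pkt))  # ('192.168.10.5', '10.0.0.7')
```

The book's rule does match a 10.0.0.x -> 10.0.0.x packet, which is exactly the traffic the questioner notes never reaches the firewall.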

5 REPLIES
Super Bronze

Re: Twice NAT configuration does not make sense

Hi,

By the way, isn't the configuration on the ASDM screen capture in the right order?

I don't personally use ASDM for configurations. Pretty much only to check logs and perhaps do some VPN related configuration changes.

EDIT: Think I'll check ASDM on my own ASA just to be sure.

- Jouni

Super Bronze

Re: Twice NAT configuration does not make sense

Nevermind,

I misunderstood the ASDM screen capture. It's wrong also, same as the CLI.

- Jouni

New Member

Re: Twice NAT configuration does not make sense

It is taken from Pages 370 to 373 of CCNP Security FIREWALL 642-618 Official Cert Guide. Everything is either a screenshot or copy/paste.

I agree with your answer. It makes much more sense in my head. A host on the local LAN will be sending TO 192.168.20.0/24 and that is what the criteria should be matching.

Thanks for your help.

I will flag it in my notes and make sure I test it in GNS3 once I finish the chapter.

Super Bronze

Re: Twice NAT configuration does not make sense

Hi,

I think they usually release the correct information for the printed Certifications books.

Seems that the correction to your above problem is included in the file found below

http://www.ciscopress.com/store/ccnp-security-firewall-642-618-official-cert-guide-9781587142710

Check the tab "Updates", where you should be able to download the list of information that was wrong in the book and the correct information.

Hope this helps

- Jouni
