We have a large network with a bunch of partners in an MPLS cloud. All networks are behind an ASA. We use nat (inside) 0 0.0.0.0 0.0.0.0 because we perform nat translation at another point on the network.
This particular subnet has a new range behind it, let's say 10.62.0.0/16. They access another network across the MPLS with the subnets 10.32.0.0/16. For some reason, and seemingly at random, the ASA creates a translation for the IP being accessed at the remote site. This drops connectivity. Once I clear the translation, everything starts to work. I can't figure out why it's creating it in the first place, though.
FW01# show xlate | i 10.32
Global 10.32.0.244 Local 10.32.0.244
I think possible solutions are an inbound ACL blocking all traffic that isn't sourced from 10.62.0.0, or creating a NAT ACL to grab 10.62.0.0 and using nat-control.
This may fix my issue but I want to learn why this is happening in the first place.
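A quick check for the symptom described in the post above, as an added example that is not part of the thread: it parses pre-8.3 style "show xlate" output (the "Global X Local Y" form the poster quoted), keeps only identity translations (Global equals Local, which is what nat 0 without an access list produces), and flags any whose address does not fall inside the configured inside prefixes. The sample output and the inside prefix 10.62.0.0/16 are constructed for this example from the figures in the post; the address format of "show xlate" on other ASA releases (PAT entries, 8.3+ output) is not handled.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of pre-8.3 "show xlate" output. Only the 10.32.0.244 line
# comes from the thread; the other lines are made up for illustration.
SAMPLE_XLATE = """\
3 in use, 7 most used
Global 10.62.10.5 Local 10.62.10.5
Global 10.62.10.9 Local 10.62.10.9
Global 10.32.0.244 Local 10.32.0.244
"""

# Assumed inside address space behind the nat (inside) 0 statement.
INSIDE_PREFIXES = ["10.62.0.0/16"]

# Matches the "Global <ip> Local <ip>" line format shown in the thread.
XLATE_RE = re.compile(r"^Global\s+(\S+)\s+Local\s+(\S+)")


@dataclass(frozen=True)
class Xlate:
    global_addr: str
    local_addr: str

    @property
    def is_identity(self) -> bool:
        # nat 0 without an access list produces identity translations.
        return self.global_addr == self.local_addr


def parse_xlate(text: str) -> list[Xlate]:
    """Return the translation entries found in "show xlate" output."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            entries.append(Xlate(m.group(1), m.group(2)))
    return entries


def stray_identity_xlates(entries: list[Xlate], inside_prefixes: list[str]) -> list[Xlate]:
    """Identity xlates whose address is not in any inside prefix.

    On a box whose only NAT statement is nat (inside) 0, an identity
    translation for an address that lives on the outside (here 10.32.x.x)
    is exactly the entry the poster has to clear by hand.
    """
    nets = [ipaddress.ip_network(p) for p in inside_prefixes]
    stray = []
    for e in entries:
        if not e.is_identity:
            continue
        addr = ipaddress.ip_address(e.local_addr)
        if not any(addr in n for n in nets):
            stray.append(e)
    return stray


def clear_commands(stray: list[Xlate]) -> list[str]:
    """Build the per-entry clear commands instead of clearing the whole table."""
    return [f"clear xlate local {e.local_addr}" for e in stray]


if __name__ == "__main__":
    found = stray_identity_xlates(parse_xlate(SAMPLE_XLATE), INSIDE_PREFIXES)
    for cmd in clear_commands(found):
        print(cmd)
```

Run it against a pasted "show xlate" capture; each flagged entry is printed as a targeted "clear xlate local <ip>" line, which avoids dropping every legitimate translation the way a bare "clear xlate" would.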
If I am not mistaken, nat 0 without an access list does generate an xlate on the ASA firewall. If you don't want to NAT the traffic at any point, you can just delete all the nat 0 statements that you have and put in the command no nat-control. That will cause the traffic to pass freely across the ASA without the need for a translation.
Hope it helps.
Thanks for the response. Yes, nat 0 does create an xlate on the ASA, but why is an xlate being created for that IP (10.32.0.244) when it resides on the outside network? It's creating a translation as if it's on the inside. The xlate doesn't show up for days (while the service is being used), then all of a sudden, and seemingly out of nowhere, the translation is created and all traffic is blocked until we clear that translation.
We use nat (inside) 0 0.0.0.0 0.0.0.0
With the above command, you are basically no-NAT'ing everything. So you are creating a translation to yourself.
I believe the ASA is still performing NAT; it's just NAT'ing it to itself.
So for instance if you had the following command.
nat (inside) 0 10.10.10.0 255.255.255.0
And you did a 'show xlate'
You would see a
Global 10.10.10.0 Local 10.10.10.0
Could be a routing issue and a packet that gets routed on the inside rather than the outside... That is the only explanation that I see for a translation to be built. In any case, you can avoid that by just removing the nat entries and disabling nat-control... If at some point you have communication issues, you can rule out NAT as part of the problem.
Hmm, so if I don't need any nat, I can just leave out any nat commands?
I think the answer is to apply a NAT ACL, but I'm just trying to figure out why it's happening in the first place. I don't think it's a routing issue because there is only one entry and exit point and the inside network is pretty simple.
Can you help me understand why the translation isn't there for days on end and one day it shows up and stops traffic flow? Traffic doesn't flow unless I remove it from the xlate table.
Can you help me understand why the translation isn't there for days on end and one day it shows up and stops traffic flow?
Well, if I understand correctly, you are NAT'ing everything to itself. So the ASA basically shoots whatever IP it gets out of the ASA. Now, I would think the only way for a NAT translation to exist in the first place is because traffic is coming into the ASA to be NAT'd.
But I'm honestly not sure why it would not show up for several days and then all of a sudden it's there.
Yeah something funky going on.
I expect the ASA to only create a translation if data passes through it sourced from that subnet.
I guess I will just have to lock down the NAT and see if the problem stops occurring.