Understanding NAT and NAT Rule Order (ASA 8.3/8.4)
First of all, there is no such thing as ‘nat-control’ any more, so you either define a NAT rule or you don’t. Traffic that does not match any NAT rule is allowed through the firewall without translation (like NAT exemption, but without explicitly configuring it; think of it as an implicit NAT exemption). The static and global keywords are deprecated; now it’s all about ‘nat’.
In ASA 8.3 and above, Cisco has come up with two ‘major’ categories/sections of NAT: Manual NAT and Auto NAT. In Cisco’s documentation these are called Twice NAT and Network Object NAT respectively, but in the show command’s output NAT rules are classified as Manual and Auto.
Manual NAT (Twice NAT):
It is configured in global configuration mode and can NAT based on the source IP, the destination IP, or both. This is the most preferred Section of NAT. Cisco refers to this as Twice NAT in its documentation (being called Twice NAT does not necessarily mean the rule has the properties of Twice NAT, i.e. it need not translate both source and destination). NAT rules belonging to this Section are found in Section 1 of the NAT rule table. Any type of NAT rule configured using the Manual NAT/Twice NAT syntax is preferred over a NAT rule configured using the Auto NAT/Network Object NAT syntax, provided it is for the same source host/subnet.
Example of a Manual NAT command syntax:
asa(config)# object network private_ip
asa(config-network-object)# host 10.1.1.5
asa(config-network-object)# object network public_ip
asa(config-network-object)# host 1.1.1.5
asa(config-network-object)# exit
asa(config)# nat (dmz,outside) source static private_ip public_ip
Auto NAT (Network Object NAT):
This is configured inside a network object and performs NAT based on the source IP only. Cisco calls this Network Object NAT in its documentation. This is the second preferred Section of NAT. These rules are found in Section 2 of the NAT rule table. Any type of NAT rule configured using the Auto NAT/Network Object NAT syntax is less preferred than a NAT rule configured using the Manual NAT/Twice NAT syntax, provided it is for the same source host/subnet.
Example of an Auto NAT command syntax:
asa(config)# object network private_ip_1
asa(config-network-object)# host 10.1.1.4
asa(config-network-object)# nat (dmz,outside) static 1.1.1.4
Manual NAT (with less preference):
Manual NAT again takes the 3rd Section, only this time it’s for a different purpose. As you might have understood, Manual NAT is preferred over Auto NAT; this Section lets you alter that behaviour. If you configure a Manual NAT and want it to be less preferred than an Auto NAT, then while creating it specify that it is to be applied after the Auto NAT Section (the after-auto keyword), which places such NAT rules in the 3rd Section.
Example of a Manual NAT after-auto command syntax:
asa(config)# object network private_ip_2
asa(config-network-object)# host 10.1.1.4
asa(config-network-object)# object network public_ip_2
asa(config-network-object)# host 1.1.1.4
asa(config-network-object)# exit
asa(config)# nat (dmz,outside) after-auto source static private_ip_2 public_ip_2
Static NAT/PAT, Dynamic NAT/PAT and Identity NAT can be configured either as Manual NAT or Auto NAT, depending on the requirement. Policy NAT, however, can only be configured using Manual NAT, because it needs the flexibility of matching on destination as well as source.
Below is the verification command showing the NAT rule order and the terms used to classify the NAT rules into the different Sections, depending on the syntax used to configure them.
ciscoasa# show nat interface dmz detail
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static private_ip public_ip
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.1.1.5/32, Translated: 1.1.1.5/32

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static private_ip_1
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.1.1.4/32, Translated: 1.1.1.4/32

Manual NAT Policies (Section 3)
1 (dmz) to (outside) source static private_ip_2 public_ip_2
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.1.1.4/32, Translated: 1.1.1.4/32
Section 2 and Section 3 each have a static NAT rule for the same source IP. By now you might have guessed which one is going to be used, right?
Yes, the one under Auto NAT, because Section 2 is always preferred over Section 3. The Sections are ordered by preference and that order cannot be modified, but you can change the sequence of the NAT rules within a Section according to your requirement.
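To make the lookup order concrete, here is an added Python model of the NAT rule table (example code written for this post, not Cisco’s implementation): it walks Section 1, then 2, then 3, returns the first matching rule, and treats “no match” as the implicit NAT exemption described above. The three rules are the ones configured earlier on this page; the fourth, destination-scoped identity rule is a constructed addition to show how a Manual NAT can match on destination as well as source.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class NatRule:
    name: str
    section: int                    # 1 = Manual, 2 = Auto, 3 = Manual after-auto
    real_ifc: str                   # interface the real (pre-NAT) host sits behind
    real_src: str                   # real source network the packet must come from
    mapped_src: str                 # network the source is translated into
    real_dst: Optional[str] = None  # only Manual NAT can also match on destination

    def matches(self, ifc: str, src: str, dst: Optional[str]) -> bool:
        if ifc != self.real_ifc or ip_address(src) not in ip_network(self.real_src):
            return False
        if self.real_dst is not None:
            return dst is not None and ip_address(dst) in ip_network(self.real_dst)
        return True


def lookup(rules: list, ifc: str, src: str, dst: Optional[str] = None) -> Optional[NatRule]:
    """Walk Section 1, then 2, then 3; within a section keep configured order (first match wins).
    A real ASA orders Section 2 itself (static before dynamic, most specific first); this
    model simply keeps list order, which is enough for the /32 rules on this page."""
    by_section = sorted(enumerate(rules), key=lambda item: (item[1].section, item[0]))
    for _, rule in by_section:
        if rule.matches(ifc, src, dst):
            return rule
    return None  # no rule matched: traffic passes untranslated (implicit NAT exemption)


def translate_source(rules: list, ifc: str, src: str, dst: Optional[str] = None) -> str:
    """Mapped source for a static rule: same offset inside the mapped network as in the real one."""
    rule = lookup(rules, ifc, src, dst)
    if rule is None:
        return src
    real_net, mapped_net = ip_network(rule.real_src), ip_network(rule.mapped_src)
    offset = int(ip_address(src)) - int(real_net.network_address)
    return str(mapped_net[offset])


# The three rules configured above, in the order 'show nat' lists them, plus one constructed
# Twice NAT (identity, only toward 192.168.100.0/24) that is not part of the page's config.
RULES = [
    NatRule("private_ip -> public_ip (Manual)", 1, "dmz", "10.1.1.5/32", "1.1.1.5/32"),
    NatRule("private_ip_1 (Auto)", 2, "dmz", "10.1.1.4/32", "1.1.1.4/32"),
    NatRule("private_ip_2 -> public_ip_2 (Manual after-auto)", 3, "dmz", "10.1.1.4/32", "1.1.1.4/32"),
    NatRule("dmz hosts to mgmt (Manual, destination-scoped identity)", 1, "dmz",
            "10.1.1.0/24", "10.1.1.0/24", "192.168.100.0/24"),
]

if __name__ == "__main__":
    winner = lookup(RULES, "dmz", "10.1.1.4")
    print(f"10.1.1.4 from dmz hits: {winner.name} (Section {winner.section})")
```

For 10.1.1.4 the Auto NAT rule in Section 2 wins over the after-auto Manual rule in Section 3, and 10.1.1.6, which matches nothing, leaves the firewall untranslated.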
Access-control lists:
When configuring your ACLs, make sure you use the real IP (the pre-translation IP) in them; from 8.3 onwards the ACL is evaluated against the untranslated address.
Inbound ACLs Pre 8.3:
access-list outside_access_in extended permit ip any host 1.1.1.4 log
Inbound ACLs Post 8.3:
access-list outside_access_in extended permit ip any host 10.1.1.4 log
That’s pretty much it on this topic. Hope this has been informative.