From: Funky LePew (funkylepew-ccie@yahoo.com)
Date: Wed Jun 25 2008 - 18:02:28 ART
ok I verified from the docs... the natting does use best match, unlike the statics.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html
Order of NAT Commands Used to Match Real Addresses
The security appliance matches real addresses to NAT commands in the following order:
1. NAT exemption (nat 0 access-list): In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.
2. Static NAT and Static PAT (regular and policy) (static): In order, until the first match. Static identity NAT is included in this category.
3. Policy dynamic NAT (nat access-list): In order, until the first match. Overlapping addresses are allowed.
4. Regular dynamic NAT (nat): Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the security appliance.
for some reason the 6.3 documentation is better a lot of times.
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129
Order of NAT Commands Used to Match Local Addresses
The firewall matches local traffic to NAT commands in the following order:
1. nat 0 access-list (NAT exemption): In order, until the first match. For example, you could have overlapping local/destination addresses in multiple nat commands, but only the first command is matched.
2. static (static NAT): In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.
3. static {tcp | udp} (static PAT): In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.
4. nat nat_id access-list (policy NAT): In order, until the first match. For example, you could have overlapping local/destination ports and addresses in multiple nat commands, but only the first command is matched.
5. nat (regular NAT): Best match. The order of the NAT commands does not matter. The nat statement that best matches the local traffic is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you also create a statement to translate only 10.1.1.1, when 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the local traffic best.
If you configure multiple global statements on the same NAT ID, the global statements are used in this order:
1. No global if using nat 0 (identity NAT).
2. Dynamic NAT global.
3. PAT global.
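As an added illustration (not code from this thread, from Cisco, or from the documentation quoted above), the following Python model implements the category order quoted above: nat 0 access-list, static, and policy nat are each tried in configured order until the first match, and regular nat is best match (longest prefix). It runs Tim's two orderings from the original question at the bottom of the thread through that logic, plus a nat 0 access-list versus static case and a policy nat case. The `NatRule`/`select_rule` names, the networks, the ACL names and the CLI strings are all constructed for the example; step 2 of Sushil's list (existing xlates), ports and global pool allocation are not modeled.

```python
"""Toy model of PIX/ASA 7.x NAT rule selection for one real (inside) address.

Added illustration; not code from the thread or from Cisco. It implements the
category order quoted from the ASA 7.2 configuration guide and ignores
existing xlates, global pool allocation and ports.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Rule categories in the order the security appliance tries them.
EXEMPT, STATIC, POLICY, REGULAR = "exempt", "static", "policy", "regular"


@dataclass
class NatRule:
    kind: str                                       # one of the four categories above
    real: str                                       # real network in CIDR; "0.0.0.0/0" models "0 0"
    nat_id: int = 0                                 # nat_id that selects the global pool
    dests: List[str] = field(default_factory=list)  # ACL destinations (exempt / policy rules only)
    cli: str = ""                                   # the CLI line this rule stands for (constructed)

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        if src not in ipaddress.ip_network(self.real):
            return False
        if self.kind in (EXEMPT, POLICY):
            # ACL-based rules match on the (real source, destination) pair.
            return any(dst in ipaddress.ip_network(d) for d in self.dests)
        return True


def select_rule(rules: List[NatRule], src: str, dst: str) -> Optional[NatRule]:
    """Return the rule that would translate src -> dst, or None (no xlate, 'Error')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Categories 1-3: first configured match wins, so list order matters here.
    for kind in (EXEMPT, STATIC, POLICY):
        for r in rules:
            if r.kind == kind and r.matches(s, d):
                return r
    # Category 4, regular nat: best (longest-prefix) match; configuration order is irrelevant.
    candidates = [r for r in rules if r.kind == REGULAR and r.matches(s, d)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: ipaddress.ip_network(r.real).prefixlen)


def tim_example() -> Tuple[str, str]:
    """Tim's two orderings of the same two regular nat statements."""
    config_a = [
        NatRule(REGULAR, "192.10.1.0/24", 1, cli="nat (inside) 1 192.10.1.0 255.255.255.0"),
        NatRule(REGULAR, "0.0.0.0/0", 2, cli="nat (inside) 2 0 0"),
    ]
    config_b = [
        NatRule(REGULAR, "0.0.0.0/0", 1, cli="nat (inside) 1 0 0"),
        NatRule(REGULAR, "192.10.1.0/24", 2, cli="nat (inside) 2 192.10.1.0 255.255.255.0"),
    ]
    # The /24 wins in both orderings. Note it carries nat_id 1 in one config and
    # nat_id 2 in the other, so the global pool actually used is not the same.
    return (select_rule(config_a, "192.10.1.7", "198.51.100.1").cli,
            select_rule(config_b, "192.10.1.7", "198.51.100.1").cli)


def exemption_example() -> Tuple[str, str]:
    """nat 0 access-list beats a static for the same host, regardless of position."""
    rules = [
        NatRule(STATIC, "10.1.1.5/32", cli="static (inside,outside) 192.0.2.5 10.1.1.5"),
        NatRule(EXEMPT, "10.1.1.0/24", 0, ["10.2.0.0/16"], cli="nat (inside) 0 access-list NO_NAT"),
    ]
    to_vpn_peer = select_rule(rules, "10.1.1.5", "10.2.3.4").cli       # exemption wins
    to_internet = select_rule(rules, "10.1.1.5", "198.51.100.1").cli   # ACL misses, static wins
    return to_vpn_peer, to_internet


def policy_example() -> str:
    """Policy nat is first match: the earlier, broader ACL wins over a later, narrower one."""
    rules = [
        NatRule(POLICY, "10.1.0.0/16", 1, ["203.0.113.0/24"], cli="nat (inside) 1 access-list SITE_WIDE"),
        NatRule(POLICY, "10.1.1.0/24", 2, ["203.0.113.0/24"], cli="nat (inside) 2 access-list HOST_SUBNET"),
        NatRule(REGULAR, "0.0.0.0/0", 3, cli="nat (inside) 3 0 0"),
    ]
    return select_rule(rules, "10.1.1.5", "203.0.113.9").cli


if __name__ == "__main__":
    print(tim_example())
    print(exemption_example())
    print(policy_example())
```

The point the model makes explicit for Tim's question is that the winning nat statement is the /24 in both orderings, but its nat_id differs (1 versus 2), so which global pool gets used depends on which id the /24 was given, not on the order the lines were typed in. The policy case shows the opposite behaviour: a narrower access-list later in the config never gets a chance once an earlier one matches.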
----- Original Message ----
From: Sushil Choudhary <suschoud@cisco.com>
To: Swap <ccie77@gmail.com>; Tim <ccie2be@nyc.rr.com>; Naji Talj <ntalj@dcgroup.com>; security@groupstudy.com
Cc: Cisco certification <ccielab@groupstudy.com>
Sent: Wednesday, June 25, 2008 2:52:28 PM
Subject: Re: PIX/ASA NAT
The rules are tried in order.
  1) nat 0 access-list (nat-exempt)
  2) match against existing xlates
  3) static
     a) static nat with and without access-list (first match)
     b) static pat with and without access-list (first match)
  4) nat
     a) nat <id> access-list (first match)
        Note: nat 0 access-list is not part of this command.
     b) nat <id> <address> <mask> (best match)
        Note: When choosing a global address from multiple pools with
              the same nat id, the following order is tried
              i) if the id is 0, create an identity xlate.
              ii) use the global pool for dynamic NAT
              iii) use the global pool for dynamic PAT
  5) Error
Regards,
Sushil Choudhary
#20683
----- Original Message -----
From: "Swap" <ccie77@gmail.com>
To: "'Tim'" <ccie2be@nyc.rr.com>; "'Naji Talj'" <ntalj@dcgroup.com>;
<security@groupstudy.com>
Cc: "'Cisco certification'" <ccielab@groupstudy.com>
Sent: Wednesday, June 25, 2008 10:50 AM
Subject: RE: PIX/ASA NAT
> On PIX and ASA,
>
> 1. For regular NAT (with out ACL), it's the best match
> 2. For NAT with ACL, it's the first match
> 3. For statics (NAT AND PAT) it's the first match
>
>
> On FWSM
> Point 1 and 2 are same, but Point 3 is different -
> 1. For regular NAT (with out ACL), it's the best match
> 2. For NAT with ACL, it's the first match
> 3. For statics (NAT AND PAT) it's the longest prefix match
>
>
> As per Cisco, local addresses in Statics can't be repeated. But in reality
> it can be, and the order is important. In case a Static PAT is added first,
> it will work even if the local addr is repeated
>
> e.g. This PAT will work
> stat (i,o) tcp 200.1.1.1 99 192.168.100.1 80
> stat (i,o) 200.1.1.1 192.168.100.1
>
>
> This PAT will not be allowed to be applied
> stat (i,o) 200.1.1.1 192.168.100.1
> stat (i,o) tcp 200.1.1.1 99 192.168.100.1 80
>
>
> HTH
>
>
> Swap
> #19804
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Tim
> Sent: Wednesday, June 25, 2008 5:33 PM
> To: 'Naji Talj'; security@groupstudy.com
> Cc: 'Cisco certification'
> Subject: RE: PIX/ASA NAT
>
> Hey Naji,
>
> Did you know there's another post that says the exact opposite !!!
>
> How sure are you?
>
> I figure the nat statements are processed more like a route table - longest
> match wins.
>
> But, a post yesterday, says it's really like how an ACL is processed.
>
> I don't know who is correct but I know you can't both be correct.
>
>
>
> -----Original Message-----
> From: Naji Talj [mailto:ntalj@dcgroup.com]
> Sent: Wednesday, June 25, 2008 8:13 AM
> To: Tim
> Subject: RE: PIX/ASA NAT
>
> Hi Tim,
>
> The sequence doesn't matter the most matching entry executes
>
> Rgds,
>
>
> Naji Talj
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Tim
> Sent: Tuesday, June 24, 2008 8:28 PM
> To: security@groupstudy.com
> Subject: PIX/ASA NAT
>
> Hi Guys,
>
> Does it matter in which order I enter nat commands?
>
> For example,
>
> nat (inside) 1 192.10.1.0 255.255.255.0
> nat (inside) 2 0 0
>
> (Assume I have the correct globals.)
>
> versus
>
> nat (inside) 1 0 0
> nat (inside) 2 192.10.1.0 255.255.255.0
>
> Given these config snippets, will the same thing happen for a packet with a
> source address of 192.10.1.x with either config?
>
> If so, is the reason because nat commands are evaluated like a route table,
> i.e. most specific match takes precedence?
>
> Thanks, Tim
This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:23 ART