RE: [OT] - ASA 8.3+ Twice NAT w/DNS doctoring vs ASA 8.2 Policy

From: Ryan West <rwest_at_zyedge.com>
Date: Fri, 11 May 2012 14:13:47 +0000

On Fri, May 11, 2012 at 06:57:32, Carlos G Mendioroz wrote:
> Subject: Re: [OT] - ASA 8.3+ Twice NAT w/DNS doctoring vs ASA 8.2
> Policy
>
> Sorry if this is too naive.
> But can't you comply with the explicit requirement of not specifying
> the destination by, e.g., dedicating an interface to the given network ?

That would work if we wanted to provide the shift of IP addresses only. However, it would affect all other outbound traffic. Unfortunately, I'm going to need to eat my cake too.

When I first read your comment, I was thinking about what the point of DNS on twice NAT was when you cannot specify a destination. But it does save you the headache of typing out 1:1 NATs for each address in a subnet and then specifying DNS for all of them.

For my implementation, twice NAT without a destination, used early, breaks any public-facing services. Used later, it breaks dynamic NAT. Even if they didn't need outbound NAT, it would still only work for devices that don't already have a public NAT.

Well, I guess you've made me think outside the box here... I remember setting up a VPN with a partner running ScreenOS who was convinced the only way to configure the tunnel was route based, meaning you need to specify any any for your proxies and then route through it. It's not a problem to another Screen/Juniper device, but it required a little reverse engineering to work with Cisco. Ended up having to use deny statements for all traffic not matching the destination I wanted to reach and then a catch-all permit at the end to form the proxy. I think I can use that same logic to create twice NATs for public services and address dynamic outbound PAT using an object-group that contains all non-RFC1918 addressing. Then the catch-all at the bottom should work without specifying a destination. Still a kludge though :)
 
> I guess the feature was not "fixable" in some topologies and they
> decided to kill it not to deal with complaints...
>

Or leave it enabled, but make it an incredible PIA.

-ryan
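The rule ordering Ryan sketches above (static rules for public-facing hosts first, dynamic PAT restricted to non-RFC1918 destinations, then a destination-less static shift with `dns` as the catch-all) as an added example that is not from the list post: the script builds the non-RFC1918 object-group with Python's `ipaddress` module and emits the ASA 8.3+ manual NAT lines. Interface names, object names and the 10.0.0.0/24, 172.31.0.0/24, 10.0.0.10 and 203.0.113.10 addresses are placeholders.

```python
"""Generate the ASA 8.3+ manual (twice) NAT ordering discussed in the thread.
Placeholder objects (not from the post): INSIDE-NET 10.0.0.0/24, shifted to
INSIDE-NET-SHIFTED 172.31.0.0/24 for a partner; WEB-SERVER 10.0.0.10 mapped
to WEB-SERVER-PUBLIC 203.0.113.10."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def non_rfc1918_blocks():
    """Minimal CIDR list covering every IPv4 address outside RFC1918."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for private in RFC1918:
        nxt = []
        for block in remaining:
            # Starting from 0.0.0.0/0, each private range is either disjoint
            # from a block or wholly inside it, so address_exclude is safe.
            if block.overlaps(private):
                nxt.extend(block.address_exclude(private))
            else:
                nxt.append(block)
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def covers(addr):
    """True if addr falls inside the generated non-RFC1918 object-group."""
    return any(ipaddress.ip_address(addr) in b for b in non_rfc1918_blocks())


def asa_object_group(name="NON-RFC1918"):
    """Render the object-group that stands in for 'any public destination'."""
    lines = [f"object-group network {name}"]
    lines += [f" network-object {n.network_address} {n.netmask}"
              for n in non_rfc1918_blocks()]
    return "\n".join(lines)


def asa_nat_rules():
    """Manual NAT (section 1) is first-match, so the order matters:
    1. static 1:1 for public-facing hosts (no destination, no dns)
    2. dynamic PAT for everyone else, only toward non-RFC1918 targets
    3. catch-all static shift with dns; no destination, so dns is accepted.
    Hosts without a public NAT talking to RFC1918 destinations (the partner)
    miss rules 1 and 2 and land on rule 3."""
    return [
        "nat (inside,outside) source static WEB-SERVER WEB-SERVER-PUBLIC",
        "nat (inside,outside) source dynamic INSIDE-NET interface "
        "destination static NON-RFC1918 NON-RFC1918",
        "nat (inside,outside) source static INSIDE-NET INSIDE-NET-SHIFTED dns",
    ]
```

As the post notes, a host already covered by rule 1 never reaches the catch-all, so the shift only applies to devices without their own public NAT.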

Blogs and organic groups at http://www.ccie.net
Received on Fri May 11 2012 - 14:13:47 ART

This archive was generated by hypermail 2.2.0 : Sun Jun 17 2012 - 09:04:19 ART