Wednesday, June 12, 2013

Cisco ASA: NAT Statement Order Does Matter

OK, so I came across this today and I thought it was interesting. On the Cisco ASA (and really on all other firewalls), your NAT statement order does matter. I had a case today where a remote group (5.5.5.5) was trying to send traffic TO my customer's end, and they did not get a response back. As it turns out, my statement in RED below was causing the problem. The remote side was trying to get to obj-192.168.10.94, but the statement in RED was causing that internal server, 192.168.10.94, to get NAT'ed to any IP in the 78.78.78.0 subnet range. Notice the order below:

nat (inside,outside) source static obj-192.168.10.90 obj-78.78.78.90 destination static obj-5.5.5.5 obj-5.5.5.5
nat (inside,outside) source static obj-192.168.10.26 obj-78.78.78.91 destination static obj-5.5.5.5 obj-5.5.5.5
nat (inside,outside) source static obj-192.168.10.1 obj-78.78.78.92 destination static obj-5.5.5.5 obj-5.5.5.5
nat (inside,outside) source static obj-192.168.10.42 obj-78.78.78.93 destination static obj-5.5.5.5 obj-5.5.5.5
nat (inside,outside) source static obj-192.168.10.0 obj-78.78.78.0 destination static obj-5.5.5.0 obj-5.5.5.0
nat (inside,outside) source static obj-192.168.10.94 obj-78.78.78.94 destination static obj-5.5.5.5 obj-5.5.5.5

So, what I had to do was take the statement out, and then put it back in again. But putting it back in looked like this instead:

nat (inside,outside) 1 source static obj-192.168.10.94 obj-78.78.78.94 destination static obj-5.5.5.5 obj-5.5.5.5

Notice the "1" in the above statement. It simply means to put that statement on line 1 of the NAT order, ahead of every existing statement, which all shift down by one. The NAT order will then look like this:

nat (inside,outside) source static obj-192.168.10.94 obj-78.78.78.94 destination static obj-5.5.5.5 obj-5.5.5.5 
nat (inside,outside) source static obj-192.168.10.90 obj-78.78.78.90 destination static obj-5.5.5.5 obj-5.5.5.5
nat (inside,outside) source static obj-192.168.10.26 obj-78.78.78.91 destination static obj-5.5.5.5 obj-5.5.5.5
nat (inside,outside) source static obj-192.168.10.1 obj-78.78.78.92 destination static obj-5.5.5.5 obj-5.5.5.5
nat (inside,outside) source static obj-192.168.10.42 obj-78.78.78.93 destination static obj-5.5.5.5 obj-5.5.5.5
nat (inside,outside) source static obj-192.168.10.0 obj-78.78.78.0 destination static obj-5.5.5.0 obj-5.5.5.0

After I made this change, the remote site could get to the 192.168.10.94 server and all was in good working order. So, if you ever wondered whether NAT statement order matters, well, it does. This was a good case study for this particular kind of problem.
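To make the first-match behaviour concrete, here is a small Python model (added here; it is not from the post or from Cisco) of how the ASA walks manual NAT statements top-down for a packet leaving the inside interface. The object names are the post's; the masks behind them (/32 for the hosts, /24 for the two subnets) and the single-direction lookup are my assumptions.

```python
import ipaddress

# Network objects named in the post. The masks are assumed: hosts /32, subnets /24.
OBJ = {
    "obj-192.168.10.90": "192.168.10.90/32", "obj-78.78.78.90": "78.78.78.90/32",
    "obj-192.168.10.26": "192.168.10.26/32", "obj-78.78.78.91": "78.78.78.91/32",
    "obj-192.168.10.1": "192.168.10.1/32", "obj-78.78.78.92": "78.78.78.92/32",
    "obj-192.168.10.42": "192.168.10.42/32", "obj-78.78.78.93": "78.78.78.93/32",
    "obj-192.168.10.94": "192.168.10.94/32", "obj-78.78.78.94": "78.78.78.94/32",
    "obj-192.168.10.0": "192.168.10.0/24", "obj-78.78.78.0": "78.78.78.0/24",
    "obj-5.5.5.5": "5.5.5.5/32", "obj-5.5.5.0": "5.5.5.0/24",
}

def _covers(obj_name, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(OBJ[obj_name])

def nat(rules, src_real, src_mapped, dst_real, dst_mapped, line=None):
    """Model 'nat (inside,outside) [line] source static S S' destination static D D''.
    Without a line number the statement is appended to the end of the manual NAT
    section; with one, it is inserted at that position and later lines shift down."""
    rule = (src_real, src_mapped, dst_real, dst_mapped)
    rules.insert(len(rules) if line is None else line - 1, rule)

def first_match(rules, src_ip, dst_ip):
    """Walk the statements top-down; the first one whose real source AND real
    destination cover the packet wins. Returns (1-based line, rule) or None."""
    for n, rule in enumerate(rules, start=1):
        if _covers(rule[0], src_ip) and _covers(rule[2], dst_ip):
            return n, rule
    return None

def build_original():
    """The order from the post before the fix: the .94 host line is last."""
    rules = []
    nat(rules, "obj-192.168.10.90", "obj-78.78.78.90", "obj-5.5.5.5", "obj-5.5.5.5")
    nat(rules, "obj-192.168.10.26", "obj-78.78.78.91", "obj-5.5.5.5", "obj-5.5.5.5")
    nat(rules, "obj-192.168.10.1", "obj-78.78.78.92", "obj-5.5.5.5", "obj-5.5.5.5")
    nat(rules, "obj-192.168.10.42", "obj-78.78.78.93", "obj-5.5.5.5", "obj-5.5.5.5")
    nat(rules, "obj-192.168.10.0", "obj-78.78.78.0", "obj-5.5.5.0", "obj-5.5.5.0")
    nat(rules, "obj-192.168.10.94", "obj-78.78.78.94", "obj-5.5.5.5", "obj-5.5.5.5")
    return rules

def build_fixed():
    """Same statements, but the .94 line removed and re-added with line number 1."""
    rules = build_original()
    rules.pop()  # the 'no nat ...' step for the .94 line
    nat(rules, "obj-192.168.10.94", "obj-78.78.78.94", "obj-5.5.5.5", "obj-5.5.5.5", line=1)
    return rules

if __name__ == "__main__":
    for label, rules in (("original", build_original()), ("fixed", build_fixed())):
        n, rule = first_match(rules, "192.168.10.94", "5.5.5.5")
        print(f"{label}: 192.168.10.94 -> 5.5.5.5 hits line {n}, source mapped via {rule[1]}")
```

With the original order the .94 host line is never reached because the subnet line above it already matches; on the real device, `show nat` lists the statements in the order they are evaluated, which is the quickest way to confirm where a line landed.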

1 comment:

  1. Thank you. This is excellent. You should work for Cisco.
