Understanding NAT and NAT Rule Order (ASA 8.3/8.4)


First of all, there is no such thing as ‘nat-control’ any more, so you either define a NAT rule or you don’t. Traffic that does not match any NAT rule passes through the firewall without translation (like NAT exemption, but without explicitly configuring it; think of it as an implicit NAT exemption). The static and global keywords are deprecated; now it’s all about ‘nat’.

In ASA 8.3 and above, Cisco has come up with two ‘major’ categories/sections of NAT: Manual NAT and Auto NAT. In Cisco’s documentation they are called Twice NAT and Network Object NAT respectively, but in the show command’s output the NAT rules are classified under Manual and Auto.

Manual NAT (Twice NAT):

It is configured in global configuration mode and can translate based on the source IP, the destination IP, or both. This is the most preferred section of NAT. Cisco refers to this as Twice NAT in its documentation (being configured with the Twice NAT syntax does not necessarily mean the rule translates both source and destination). The NAT rules belonging to this section are found in Section 1 of the NAT rule table. Any type of NAT rule configured using the Manual NAT/Twice NAT syntax will be preferred over a NAT rule configured using the Auto NAT/Network Object NAT syntax, provided it is for the same source host/subnet.

Example of a Manual NAT command syntax:

asa(config)# object network private_ip
asa(config-network-object)# host 10.1.1.5
asa(config-network-object)# object network public_ip
asa(config-network-object)# host 1.1.1.5
asa(config-network-object)# exit
asa(config)# nat (dmz,outside) source static private_ip public_ip

Auto NAT (Network Object NAT):

This is configured inside a network object and translates based on the source IP only. Cisco calls this Network Object NAT in its documentation. This is the second preferred section of NAT. These rules are found in Section 2 of the NAT rule table. Any type of NAT rule configured using the Auto NAT/Network Object NAT syntax will be less preferred than a NAT rule configured using the Manual NAT/Twice NAT syntax, provided it is for the same source host/subnet.

Example of an Auto NAT command syntax:

asa(config)# object network private_ip_1
asa(config-network-object)# host 10.1.1.4
asa(config-network-object)# nat (dmz,outside) static 1.1.1.4

Manual NAT (with less preference):

Manual NAT again takes the 3rd section, only this time it’s for a different purpose. As explained above, Manual NAT is preferred over Auto NAT; this section lets you alter that behavior. If you configure a Manual NAT rule and want it to be less preferred than an Auto NAT rule, then while creating it specify that it should be applied after the Auto NAT section (the after-auto keyword), which places such rules in the 3rd section.

Example of a Manual NAT after-auto command syntax:

asa(config)# object network private_ip_2
asa(config-network-object)# host 10.1.1.4
asa(config-network-object)# object network public_ip_2
asa(config-network-object)# host 1.1.1.4
asa(config-network-object)# exit
asa(config)# nat (dmz,outside) after-auto source static private_ip_2 public_ip_2

Static NAT/PAT, Dynamic NAT/PAT and Identity NAT can be configured either as Manual NAT or Auto NAT depending on the requirement. Policy NAT, however, can be configured only using Manual NAT because of the flexibility it needs (matching on destination as well as source).

Below is the verification command showing the NAT rule order and the terms used to classify the rules into the different sections, depending on the syntax used to configure them.

ciscoasa# show nat interface dmz detail
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static private_ip public_ip
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.1.1.5/32, Translated: 1.1.1.5/32
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static private_ip_1
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.1.1.4/32, Translated: 1.1.1.4/32
Manual NAT Policies (Section 3)
1 (dmz) to (outside) source static private_ip_2 public_ip_2
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.1.1.4/32, Translated: 1.1.1.4/32

Section 2 and Section 3 each have a Static NAT rule for the same source IP (10.1.1.4). By now you might have guessed which one is going to be used, right?

Yes, the one under Auto NAT, because Section 2 is always preferred over Section 3. The sections are evaluated in a fixed order of preference that cannot be modified, but you can change the sequence of the NAT rules within a section according to your requirement.

Access-control lists:

While configuring your ACLs, make sure you use the real (pre-translated) IP in them. Since 8.3 the ASA un-translates an inbound packet before the interface ACL is evaluated, so an ACL written against the mapped (public) address no longer matches.

Inbound ACLs Pre 8.3:

access-list outside_access_in permit extended ip any host 1.1.1.4 log

Inbound ACLs Post 8.3:

access-list outside_access_in permit extended ip any host 10.1.1.4 log
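To make the rule-order and ACL points above concrete, here is a small Python model of the unified NAT table (an added example, not code from the original post or from Cisco). It loads the three rules shown in the show nat output, adds one constructed Section 1 identity rule that also matches on destination (hypothetical, to show the destination dimension that only Manual NAT has), picks the first matching rule in section order, and evaluates an inbound ACL against the real IP the way 8.3+ does. The one-to-one mapping and the inbound un-translation are simplifications of the real ASA lookup.

```python
# Added example: model of ASA 8.3+ NAT rule order and post-8.3 ACL evaluation.
# Not the ASA implementation; rules are the ones from the post plus one
# constructed identity rule.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class NatRule:
    section: int                    # 1 = Manual, 2 = Auto, 3 = Manual after-auto
    name: str
    real_src: str                   # pre-translated source, CIDR
    mapped_src: str                 # translated source, CIDR (same prefix length)
    real_dst: Optional[str] = None  # only Manual NAT may also match on destination


# Rules as they appear in "show nat ... detail" on the page, in line order,
# plus a constructed Section 1 identity rule (hypothetical) qualified by destination.
NAT_TABLE = [
    NatRule(1, "identity NAT (constructed)", "10.1.1.0/24", "10.1.1.0/24",
            real_dst="192.168.50.0/24"),
    NatRule(1, "private_ip -> public_ip", "10.1.1.5/32", "1.1.1.5/32"),
    NatRule(2, "private_ip_1 (auto)", "10.1.1.4/32", "1.1.1.4/32"),
    NatRule(3, "private_ip_2 -> public_ip_2 (after-auto)", "10.1.1.4/32", "1.1.1.4/32"),
]


def _map(addr: str, from_net: str, to_net: str) -> str:
    """One-to-one static mapping: keep the host offset, swap the network."""
    offset = int(ip_address(addr)) - int(ip_network(from_net).network_address)
    return str(ip_address(int(ip_network(to_net).network_address) + offset))


def lookup(table: List[NatRule], src: str, dst: str) -> Optional[NatRule]:
    """First match wins: Section 1, then 2, then 3; line order within a section."""
    for rule in sorted(table, key=lambda r: r.section):  # stable sort keeps line order
        if ip_address(src) not in ip_network(rule.real_src):
            continue
        if rule.real_dst and ip_address(dst) not in ip_network(rule.real_dst):
            continue
        return rule
    return None  # no rule matched: forwarded untranslated (implicit exemption)


def translate_outbound(table: List[NatRule], src: str, dst: str) -> str:
    """Mapped source address for an outbound packet, or the original if no rule hits."""
    rule = lookup(table, src, dst)
    if rule is None:
        return src
    return _map(src, rule.real_src, rule.mapped_src)


def untranslate_inbound(table: List[NatRule], mapped_dst: str) -> str:
    """Static NAT is bidirectional: an inbound packet to the mapped address is
    un-NATed to the real address (simplified: first section-ordered match)."""
    for rule in sorted(table, key=lambda r: r.section):
        if ip_address(mapped_dst) in ip_network(rule.mapped_src):
            return _map(mapped_dst, rule.mapped_src, rule.real_src)
    return mapped_dst


def inbound_acl_permits(acl_hosts: List[str], table: List[NatRule], mapped_dst: str) -> bool:
    """Post-8.3 inbound ACL check: the entries are compared against the real IP,
    which is why 'host 10.1.1.4' works and 'host 1.1.1.4' silently fails."""
    real = untranslate_inbound(table, mapped_dst)
    return any(ip_address(real) in ip_network(entry) for entry in acl_hosts)


if __name__ == "__main__":
    for src, dst in [("10.1.1.4", "8.8.8.8"), ("10.1.1.5", "8.8.8.8"),
                     ("10.1.1.5", "192.168.50.10"), ("10.2.2.2", "8.8.8.8")]:
        rule = lookup(NAT_TABLE, src, dst)
        print(src, "->", dst, ":", rule.name if rule else "no rule",
              "=>", translate_outbound(NAT_TABLE, src, dst))
    print("pre-8.3 ACL permits 1.1.1.4?", inbound_acl_permits(["1.1.1.4/32"], NAT_TABLE, "1.1.1.4"))
    print("post-8.3 ACL permits 1.1.1.4?", inbound_acl_permits(["10.1.1.4/32"], NAT_TABLE, "1.1.1.4"))
```

Running it shows 10.1.1.4 hitting the Section 2 Auto NAT rule rather than the identical after-auto rule in Section 3, 10.1.1.5 hitting the destination-qualified Section 1 rule only when the destination is in 192.168.50.0/24, and the inbound ACL written with the mapped address 1.1.1.4 failing while the one written with the real address 10.1.1.4 permits the packet.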

That’s pretty much it on this topic. Hope this has been informative. :-)

If you found this helpful you might want to bookmark the following link for detailed posts on different types of NAT > https://networkology.net/tag/nat


13 thoughts on “Understanding NAT and NAT Rule Order (ASA 8.3/8.4)”

  1. It’s a really very helpful topic covered. I was not aware of the difference between the auto and manual NAT and its sections. Now it has been cleared and it will help me a lot.
    Thanks to gentleman who wrote a good topic.
    NAVEEN MALIK

  2. Fantastic article. I ran into an issue during a PIX 8 -> ASA 8.4 migration where my outside ACLs were not working. I didn’t know I needed to use the pre-translated IP!

  3. Hi Shoaib,

    Thanks for the note…

    I have had one doubt for some time regarding the ASA: which comes first, routing or NATting, when it comes to packet flow?

    Thanks!!!

  4. I had actually verified this in my lab but can’t remember it at the back of my mind.

    There is a Cisco doc on the packet flow in ASAs. Let me find that doc and link it here.

    Sorry for the much delayed response, have been very busy for a while.

  5. Hi Shoaib,

    Your article is really good; it gives me a clear picture of the NATting preferences for the different sections. However, I have a client’s firewall where NATting is happening between several interfaces on the firewall, some of them at a high security level and some at a lower one, and I see the statements for NATting in both directions (I understand that static NATting is bidirectional; however, I doubt whether manual, auto or after-auto NAT is also bidirectional or not).

    Could you please explain that.

    Thanks,
    Ashish

  6. Hi Ashish,

    I’m glad to know the post is still helping people out there :)

    Yes, Static NAT is bi-directional. Manual and Auto NAT are just different sections in the unified NAT table that define the NAT preference based on the line number. You can have a Static NAT defined/configured as a Manual or Auto NAT.

    With Manual NAT you have more control over when the NAT is supposed to kick in. With Auto NAT it just NATs irrespective of the destination the source is going to.

    Hope that gives some perspective. :)

    Thanks,
    Shoaib
