Computer networks
paralon, 2013-07-24 09:23:46

How does NAT work on ASA 8.2?

Good afternoon, everyone!
I need help from experienced people in understanding how NAT rules work on a Cisco ASA running software older than 8.3.

There is a simple, standard setup.
The ASA has three interfaces:
- inside: 192.168.1.0/24, security-level 100
- outside: 100.100.100.2/30, security-level 0. To keep it simple, assume it faces the provider directly, whose IP address is 100.100.100.1/30
- DMZ: 172.16.1.0/24, security-level 50

The default route is to outside.

Let's say I want to let everyone on inside out to the Internet through dynamic PAT to the interface address. I do:

nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

This is how I understand the rule: if a packet with a src ip from the 192.168.1.0/24 network has anything beyond outside as its dst ip, set the src ip to 100.100.100.2.

Everything works, and packets go to the Internet. But with these settings packets do not go from inside to the DMZ. nat-control is disabled.
Packets start flowing if I add nat (inside) 0 with a matching ACL, like permit ip 192.168.1.0/24 172.16.1.0/24. That is, I explicitly state the case in which NAT is not needed.

Obviously, I am not understanding the NAT rule created above correctly, and it should be understood as follows: if a packet with a src ip from the 192.168.1.0/24 network goes anywhere at all, send it to 100.100.100.2.
This seems somewhat illogical to me; otherwise, why specify the interface name (outside) in the global?

So, the question: how should the described nat rule be understood correctly? And is it possible to make the setup work without "nat 0" rules?

Thanks in advance

1 answer(s)
Manitou, 2013-07-24

Below is a quote from the manual for version 8.2:

NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address.
When NAT control is disabled with the no nat-control command, and a nat and a global command pair are configured for an interface, the real IP addresses cannot go out on other interfaces unless you define those destinations with the nat 0 access-list command.
Everything works absolutely correctly and you understood the logic of the rule correctly.
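To make the quoted rule concrete, here is an added Python model of the pre-8.3 NAT lookup for the topology in the question. It is not ASA code and not part of the thread; it simulates the decision order (nat 0 exemption first, then static, then the dynamic nat/global pair) for a packet arriving on inside. The inside and DMZ interface addresses (192.168.1.1, 172.16.1.1) are constructed values. The identity static variant (static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0) is an assumed alternative to nat 0 that the thread itself does not mention; it is included to show the general rule: once a host matches a nat statement, its traffic needs some translation rule (or an exemption) for every egress interface, not just outside.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    action: str          # "exempt", "static", "pat", "drop" or "untranslated"
    egress: str          # interface the packet would leave through
    translated_src: str  # source address after NAT


class Asa82Nat:
    """Simplified model of ASA 8.2 NAT with nat-control disabled (not real ASA code)."""

    def __init__(self, networks, addrs):
        # networks: interface -> connected subnet; addrs: interface -> the ASA's own IP
        self.nets = {n: ipaddress.ip_network(v) for n, v in networks.items()}
        self.addrs = addrs
        self.nat_rules = []   # (in_if, nat_id, real_net)        <- nat (in_if) id net mask
        self.globals = set()  # (out_if, nat_id)                 <- global (out_if) id interface
        self.exempt = []      # (in_if, src_net, dst_net)        <- nat (in_if) 0 access-list
        self.statics = []     # (in_if, out_if, real, mapped)    <- static (in_if,out_if) ...

    def nat(self, in_if, nat_id, real_net):
        self.nat_rules.append((in_if, nat_id, ipaddress.ip_network(real_net)))

    def global_(self, out_if, nat_id):
        self.globals.add((out_if, nat_id))

    def nat0_acl(self, in_if, src_net, dst_net):
        self.exempt.append((in_if, ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)))

    def static(self, in_if, out_if, real_net, mapped_net):
        self.statics.append((in_if, out_if, ipaddress.ip_network(real_net),
                             ipaddress.ip_network(mapped_net)))

    def route(self, dst):
        """Connected route if the destination is on a directly attached subnet, else default to outside."""
        for name, net in self.nets.items():
            if dst in net:
                return name
        return "outside"

    def lookup(self, in_if, src, dst):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        egress = self.route(dst_ip)
        # 1. NAT exemption: matched traffic passes with its real address on any interface.
        for iface, s, d in self.exempt:
            if iface == in_if and src_ip in s and dst_ip in d:
                return Verdict("exempt", egress, src)
        # 2. Static rule for exactly this interface pair (one-to-one, here identity).
        for iface, out, real, mapped in self.statics:
            if iface == in_if and out == egress and src_ip in real:
                offset = int(src_ip) - int(real.network_address)
                return Verdict("static", egress, str(mapped.network_address + offset))
        # 3. Dynamic nat/global: the nat id must have a global on the egress interface.
        for iface, nat_id, real in self.nat_rules:
            if iface == in_if and src_ip in real:
                if (egress, nat_id) in self.globals:
                    return Verdict("pat", egress, self.addrs[egress])
                # Host matched a nat statement but no global exists for this egress:
                # this is the case the manual describes, and the packet is dropped.
                return Verdict("drop", egress, src)
        # 4. No nat statement at all: with nat-control disabled the packet passes as-is.
        return Verdict("untranslated", egress, src)


def build_asa(with_nat0=False, with_identity_static=False):
    """The topology from the question, with optional fixes for inside -> DMZ traffic."""
    asa = Asa82Nat(
        {"inside": "192.168.1.0/24", "outside": "100.100.100.0/30", "dmz": "172.16.1.0/24"},
        {"inside": "192.168.1.1", "outside": "100.100.100.2", "dmz": "172.16.1.1"},  # constructed
    )
    asa.nat("inside", 1, "192.168.1.0/24")   # nat (inside) 1 192.168.1.0 255.255.255.0
    asa.global_("outside", 1)                 # global (outside) 1 interface
    if with_nat0:                             # nat (inside) 0 access-list <acl permitting inside->dmz>
        asa.nat0_acl("inside", "192.168.1.0/24", "172.16.1.0/24")
    if with_identity_static:                  # assumed alternative: identity static (inside,dmz)
        asa.static("inside", "dmz", "192.168.1.0/24", "192.168.1.0/24")
    return asa


if __name__ == "__main__":
    for label, asa in [("nat/global only", build_asa()),
                       ("with nat 0", build_asa(with_nat0=True)),
                       ("with identity static", build_asa(with_identity_static=True))]:
        print(label, asa.lookup("inside", "192.168.1.10", "8.8.8.8"))
        print(label, asa.lookup("inside", "192.168.1.10", "172.16.1.5"))
```

Running the block shows the asymmetry the question describes: Internet-bound traffic is PATed to 100.100.100.2 in every variant, while DMZ-bound traffic is dropped with only the nat/global pair and passes untranslated once an exemption (or a static rule for the inside,dmz pair) exists.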
