The nat-control is over

Posted on July 17, 2011

In the old version of Cisco firewalls, Version 6.x, it was not possible to disable NAT control. Later Cisco gave us the possibility to control it ourselves with the nat-control command. This year, in Version 8.3, not only the nat-control command but also the global, static and alias commands were removed.
The NAT configuration is now almost the same as the Checkpoint approach; maybe Cisco wants the Checkpoint customers? :-) And we Cisco engineers have to learn the complete NAT configuration again.

Normal NAT exemption rule with the versions before 8.4:

nat (inside) 0 access-list nonat
access-list nonat permit ip 40.0.0.0 255.255.255.0 20.0.0.0 255.0.0.0

NAT exemption rule after 8.4:

nat (inside,any) source static obj-20.0.0.0 obj-20.0.0.0 destination static obj-40.0.0.0 obj-40.0.0.0 unidirectional

Important notes from the Release Notes for Version 8.3:

“(For upgrading from Version 8.2 and earlier to Version 8.3(2) and later) NAT exemption (the nat 0 access-list command) is migrated to a twice NAT rule with the unidirectional keyword. The unidirectional keyword only allows traffic on the source network to initiate connections. This migration change was made to fix CSCtf89372. Upgrading to Version 8.3(1) does not add the unidirectional keyword.
Note:
Because NAT exemption is normally bidirectional, you might need to remove the unidirectional keyword to restore the original function. Specifically, this change adversely affects many VPN configurations that include NAT exemption rules (see CSCti36048 for this new issue). To avoid manual intervention, we recommend upgrading to 8.3(1) first, and then upgrade to a later release.”

If you are impacted by this issue, you will see a syslog message like the following:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src Outside:192.168.1.5 dst inside:10.10.5.20 (type 8, code 0) denied due to NAT reverse path failure

Link:
http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp415084

You must remove the unidirectional keyword from your exemption rule if you want it to work in both directions again:

no nat (inside,any) source static obj-20.0.0.0 obj-20.0.0.0 destination static obj-40.0.0.0 obj-40.0.0.0 unidirectional
nat (inside,any) source static obj-20.0.0.0 obj-20.0.0.0 destination static obj-40.0.0.0 obj-40.0.0.0
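As an added check (not part of the original post), the following Python script scans a saved ASA configuration for migrated exemption rules (identity twice-NAT rules that still carry the unidirectional keyword) and prints the pair of commands that restores bidirectional behaviour; it also pulls the source and destination out of the %ASA-5-305013 syslog message quoted above. The object names and sample config/log lines are constructed for the example.

```python
import re

# A twice-NAT rule as produced by the 8.3(2)+ migration of "nat 0 access-list":
# source and destination are mapped to themselves (identity NAT).
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) source static "
    r"(?P<src_real>\S+) (?P<src_mapped>\S+) destination static "
    r"(?P<dst_mapped>\S+) (?P<dst_real>\S+)(?P<rest>.*)$"
)
# The symptom the release notes describe: NAT reverse path failure.
SYSLOG_RE = re.compile(
    r"%ASA-5-305013:.*?src (?P<src>\S+) dst (?P<dst>\S+).*NAT reverse path failure"
)


def find_unidirectional_exemptions(config_text):
    """Return (rule, [no-command, bidirectional-rule]) for each identity
    twice-NAT rule that still has the unidirectional keyword."""
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        m = NAT_RE.match(line)
        if not m:
            continue
        identity = (m.group("src_real") == m.group("src_mapped")
                    and m.group("dst_mapped") == m.group("dst_real"))
        if identity and "unidirectional" in m.group("rest").split():
            fixed = " ".join(w for w in line.split() if w != "unidirectional")
            findings.append((line, ["no " + line, fixed]))
    return findings


def nat_rpf_failures(log_text):
    """Extract (src, dst) pairs from %ASA-5-305013 messages."""
    return [(m.group("src"), m.group("dst")) for m in SYSLOG_RE.finditer(log_text)]


# Constructed sample: the post's migrated rule, one already bidirectional rule,
# and a real (non-identity) unidirectional twice-NAT rule that must NOT be flagged.
SAMPLE_CONFIG = """\
nat (inside,any) source static obj-20.0.0.0 obj-20.0.0.0 destination static obj-40.0.0.0 obj-40.0.0.0 unidirectional
nat (inside,any) source static obj-30.0.0.0 obj-30.0.0.0 destination static obj-50.0.0.0 obj-50.0.0.0
nat (inside,outside) source static obj-20.0.0.0 obj-pub destination static obj-40.0.0.0 obj-40.0.0.0 unidirectional
"""
SAMPLE_LOG = ("%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
              "Connection for icmp src Outside:192.168.1.5 dst inside:10.10.5.20 "
              "(type 8, code 0) denied due to NAT reverse path failure")

if __name__ == "__main__":
    for rule, fix in find_unidirectional_exemptions(SAMPLE_CONFIG):
        print("found:", rule)
        print("\n".join("  " + cmd for cmd in fix))
    print("reverse path failures:", nat_rpf_failures(SAMPLE_LOG))
```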
Posted in: ASA, Cisco, Nat, Security