Cisco ASA – Traffic Sent Out Incorrect Interface Due to NAT

Problem

Let's consider the following scenario. We have a firewall with three interfaces: Outside, Inside and DMZ. When traffic is sent to the DMZ segment, the NAT rule below is matched. This results in traffic being sent out of the outside interface rather than out of the DMZ interface. Surely this can't be right!

object-group network obj-insideips
  network-object host 10.1.1.45
  network-object host 10.1.1.46
 
object network OBJ-133.1.1.1
  host 133.1.1.1
 
object-group network obj-any
  network-object 0.0.0.0 0.0.0.0

nat (inside,outside) after-auto source static obj-insideips OBJ-133.1.1.1 destination static obj-any obj-any no-proxy-arp

Why?

The Cisco ASA handles identity NAT (i.e. a NAT configuration in which an IP address is translated to itself) as follows:

  • 8.3(1) through 8.4(1) – The routing table is always used to determine the egress interface.
  • 8.4(2) and later – The NAT configuration determines the egress interface via the NAT divert feature. Any NAT rule whose destination address matches an inbound packet causes that packet to be sent out of the interface defined within the NAT rule, and the routing table is bypassed.

So, in our example, because we defined the destination as any, NAT divert was triggered and the routing table was bypassed.

How about non-identity NAT?

If an inbound packet matches a NAT statement's destination address:

  • If the destination interface IS defined within the NAT rule, it is used as the egress interface (again, this is down to the NAT divert feature). To override this behaviour, append the keyword route-lookup to your NAT rule.
  • If the destination interface is NOT defined within the NAT rule, the ROUTING TABLE determines the egress interface.
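The egress-interface decision described in the two lists above (version-dependent identity NAT handling, and NAT divert versus routing table for non-identity NAT) can be modelled so the article's scenario and its fix can be checked side by side. The following is an added example written for this article, not Cisco code and not taken from the original post: it parses the article's twice-NAT rule, applies the decision rules as stated, and shows that the original rule sends DMZ-bound traffic out of the outside interface while the same rule with route-lookup appended follows the routing table. The routing table, the DMZ subnet 172.16.0.0/24, the DMZ host and the Internet destination are constructed for illustration.

```python
"""Model of how an ASA picks the egress interface for a packet that matches a
twice-NAT rule (NAT divert vs. routing table), following the rules the
article states. Added example; not Cisco code. Routing table, DMZ subnet and
the sample destinations are constructed."""
import ipaddress
import re

# Constructed routing table: prefix -> interface (most-specific prefix wins).
ROUTING_TABLE = {
    "10.1.1.0/24": "inside",
    "172.16.0.0/24": "dmz",     # constructed DMZ subnet
    "0.0.0.0/0": "outside",     # default route
}

# Network objects from the article's configuration.
OBJECTS = {
    "obj-any": ["0.0.0.0/0"],
    "obj-insideips": ["10.1.1.45/32", "10.1.1.46/32"],
    "OBJ-133.1.1.1": ["133.1.1.1/32"],
}

# The rule exactly as configured in the article (destination 'any').
RULE_ORIGINAL = ("nat (inside,outside) after-auto source static obj-insideips "
                 "OBJ-133.1.1.1 destination static obj-any obj-any no-proxy-arp")
# The same rule with the route-lookup keyword the article names as the override.
RULE_ROUTE_LOOKUP = RULE_ORIGINAL + " route-lookup"

# Captures the (real,mapped) interface pair and the destination object pair.
NAT_RE = re.compile(r"^nat \((?P<real>[\w-]+),(?P<mapped>[\w-]+)\) .*?"
                    r"destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+)")


def parse_nat_rule(line):
    """Return (real_iface, mapped_iface, dst_object, has_route_lookup)."""
    m = NAT_RE.match(line)
    if not m:
        raise ValueError("not a twice-NAT rule: " + line)
    return m["real"], m["mapped"], m["dst_real"], "route-lookup" in line.split()


def in_object(ip, obj_name):
    """True if ip falls inside any network of the named object."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in OBJECTS[obj_name])


def route_lookup(ip):
    """Longest-prefix match against the constructed routing table."""
    addr = ipaddress.ip_address(ip)
    candidates = [ipaddress.ip_network(p) for p in ROUTING_TABLE
                  if addr in ipaddress.ip_network(p)]
    best = max(candidates, key=lambda n: n.prefixlen)
    return ROUTING_TABLE[str(best)]


def version_tuple(version):
    """'8.4(2)' -> (8, 4, 2) so releases compare numerically."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def egress_interface(dst_ip, ingress_iface, nat_rules, asa_version):
    """Egress interface for a packet arriving on ingress_iface bound for dst_ip."""
    # 8.3(1) through 8.4(1): the routing table always decides.
    if version_tuple(asa_version) < (8, 4, 2):
        return route_lookup(dst_ip)
    # 8.4(2) and later: the first NAT rule whose destination matches decides.
    for line in nat_rules:
        real, mapped, dst_obj, has_route_lookup = parse_nat_rule(line)
        if real not in (ingress_iface, "any") or not in_object(dst_ip, dst_obj):
            continue
        # No destination interface in the rule, or route-lookup present:
        # fall back to the routing table.
        if mapped == "any" or has_route_lookup:
            return route_lookup(dst_ip)
        # NAT divert: the rule's mapped interface wins, routing table bypassed.
        return mapped
    return route_lookup(dst_ip)


if __name__ == "__main__":
    dmz_host = "172.16.0.10"   # constructed DMZ destination
    for label, rule in (("original", RULE_ORIGINAL), ("route-lookup", RULE_ROUTE_LOOKUP)):
        print(label, "->", egress_interface(dmz_host, "inside", [rule], "8.4(2)"))
```

Running the script prints `original -> outside` and `route-lookup -> dmz`, which is the article's symptom and its fix. The same packet on 8.4(1) goes out `dmz` without any change to the rule, since pre-8.4(2) releases ignore the NAT configuration when choosing the egress interface.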

Sources

Rick Donato
