Cisco ASA - Traffic Sent Out Incorrect Interface Due to NAT

Problem

Let's consider the following scenario. We have a firewall with 3 interfaces: Outside, Inside and DMZ. When traffic is sent to the DMZ segment, the NAT rule below is matched. This results in traffic being sent out of the outside interface, rather than out of the DMZ interface. Surely this can't be right!

object-group network obj-insideips
  network-object host 10.1.1.45
  network-object host 10.1.1.46
 
object network OBJ-133.1.1.1
  host 133.1.1.1
 
object-group network obj-any
  network-object 0.0.0.0 0.0.0.0

nat (inside,outside) after-auto source static obj-insideips OBJ-133.1.1.1 destination static obj-any obj-any no-proxy-arp

Why?

The Cisco ASA deals with identity NAT (i.e. a NAT configuration in which you need to translate an IP address to itself) in the following way:

  • 8.3(1) through 8.4(1) - The routing table is always used to determine the egress interface.
  • 8.4(2) and later - The NAT configuration determines the egress interface, using the NAT divert feature. When an inbound packet's destination IP matches the destination address of a NAT rule, the packet is sent out of the interface defined within that NAT rule, and the routing table is bypassed.

So, in the case of our example, because we defined the destination as any, every packet matched the rule. This triggered NAT divert, which in turn bypassed the routing table.

How about non-identity NAT?

If an inbound packet matches a NAT statement's destination address:

  • if the destination interface IS defined within the NAT RULE, then it is used as the egress interface (again, this is down to the NAT divert feature). To override this behaviour, the keyword route-lookup can be appended to your NAT rule.
  • if the destination interface is NOT defined within the NAT rule, then the ROUTING TABLE determines the egress interface.
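To make the decision described in the two sections above concrete, here is an added Python model of egress-interface selection. It is not part of the original article and not Cisco code; it simply encodes the rules stated on this page (routing table only before 8.4(2); NAT divert from 8.4(2) onwards unless the rule carries route-lookup or names no destination interface). The routing table, the DMZ prefix 172.16.10.0/24, the DMZ host 172.16.10.20 and the "internet" prefix 203.0.113.0/24 are constructed for the example; the NAT rule and the 10.1.1.45/10.1.1.46 hosts are the ones from the article.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed routing table for the article's three-interface firewall.
# The DMZ prefix is an assumption; the article does not give one.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
    (ipaddress.ip_network("10.1.1.0/24"), "inside"),
    (ipaddress.ip_network("172.16.10.0/24"), "dmz"),
]


def route_lookup(dst: ipaddress.IPv4Address, routes=ROUTES) -> Optional[str]:
    """Pick the egress interface by longest-prefix match, as the routing table would."""
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


@dataclass(frozen=True)
class NatRule:
    """The parts of a twice-NAT rule that matter for egress selection."""
    src_iface: str                     # first interface in nat (inside,outside)
    dst_iface: Optional[str]           # second interface, or None for 'any'
    real_src: frozenset                # hosts in the real source object-group
    dst_match: ipaddress.IPv4Network   # destination object the rule matches on
    route_lookup: bool = False         # whether the route-lookup keyword is present


# The article's rule:
#   nat (inside,outside) after-auto source static obj-insideips OBJ-133.1.1.1
#       destination static obj-any obj-any no-proxy-arp
ARTICLE_RULE = NatRule(
    src_iface="inside",
    dst_iface="outside",
    real_src=frozenset({ipaddress.ip_address("10.1.1.45"),
                        ipaddress.ip_address("10.1.1.46")}),
    dst_match=ipaddress.ip_network("0.0.0.0/0"),   # obj-any
)


def egress_interface(version: Tuple[int, int, int], in_iface: str,
                     src: str, dst: str, rules, routes=ROUTES) -> Optional[str]:
    """Return the egress interface for a packet, following the article's description.

    - before 8.4(2): the routing table always decides;
    - 8.4(2) and later: the first matching NAT rule that names a destination
      interface diverts the packet there (routing table bypassed), unless the rule
      carries route-lookup or its destination interface is 'any'.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if version >= (8, 4, 2):
        for rule in rules:
            if (rule.src_iface == in_iface
                    and src_ip in rule.real_src
                    and dst_ip in rule.dst_match):
                if rule.dst_iface is not None and not rule.route_lookup:
                    return rule.dst_iface      # NAT divert
                break                          # matched, but the rule defers to routing
    return route_lookup(dst_ip, routes)


def demo() -> dict:
    """Run the article's packet (inside host -> DMZ host) through several variants."""
    pkt = ("inside", "10.1.1.45", "172.16.10.20")   # constructed DMZ host
    with_route_lookup = replace(ARTICLE_RULE, route_lookup=True)
    any_dst_iface = replace(ARTICLE_RULE, dst_iface=None)
    # A destination object covering only a constructed internet prefix, not the DMZ
    narrow_dst = replace(ARTICLE_RULE, dst_match=ipaddress.ip_network("203.0.113.0/24"))
    return {
        "8.4(1)": egress_interface((8, 4, 1), *pkt, [ARTICLE_RULE]),
        "8.4(2)": egress_interface((8, 4, 2), *pkt, [ARTICLE_RULE]),
        "8.4(2) route-lookup": egress_interface((8, 4, 2), *pkt, [with_route_lookup]),
        "8.4(2) dst iface any": egress_interface((8, 4, 2), *pkt, [any_dst_iface]),
        "8.4(2) narrow dst obj": egress_interface((8, 4, 2), *pkt, [narrow_dst]),
    }


if __name__ == "__main__":
    for case, iface in demo().items():
        print(f"{case:24s} -> {iface}")
```

The "8.4(2)" case reproduces the symptom in the article (DMZ-bound traffic leaves via outside), and the other 8.4(2) variants show that appending route-lookup, leaving the destination interface as any, or narrowing the destination object so the DMZ no longer matches each hands the decision back to the routing table.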

Tags: ASA, Cisco, NAT

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001