Mar 27, 2015

Dynamic NAT and no matching global

The ASA translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues. A single dynamic NAT overload rule is created with the following commands:

nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 interface


Therefore any packet coming from 192.168.0.0/24 and going to the Internet is translated to the outside interface address.

However, when you have multiple active interfaces and a nat statement is defined, ASA 8.2 adds the following entries to the NAT table:

match ip inside 192.168.0.0 255.255.255.0  outside any
    dynamic translation to pool 1 (192.0.2.1 [Interface PAT])
match ip inside 192.168.0.0 255.255.255.0  DMZ any
    dynamic translation to pool 1 (No matching global)
match ip inside 192.168.0.0 255.255.255.0  Guest any
    dynamic translation to pool 1 (No matching global)


It creates translation conditions for all the active interfaces, but if global statements are not defined for all of them, packets are dropped with "no matching global". In other words, the translation rule is incomplete and the ASA cannot process the packet.
So if we have traffic going to networks connected to the other interfaces and no translation is required there, we must create additional rules to handle those exceptions (NAT exempt, NAT 0 or NONAT rules).

ASA 8.3 and later releases do not create those additional translation conditions, so NAT exempt rules for the other interfaces are not required. This is the NAT table on the newer releases for the scenario described above:

1 (inside) to (outside) source dynamic net-192.168.0.0-24 interface
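The following Python model is an added illustration, not code from the original post or from Cisco. It reproduces the behaviour described above: on 8.2 a single nat statement is expanded against every other active interface and any pair without a global entry drops the packet with "no matching global" unless a NAT 0 exemption catches it first, while on 8.3 the rule binds only the configured interface pair and other traffic is simply forwarded untranslated. The interface names, the 192.168.0.0/24 network and the 192.0.2.1 interface PAT come from the post; the DMZ subnet 172.16.1.0/24, the Internet host 198.51.100.5 and the exemption entry are constructed values.

```python
# Constructed model of how ASA 8.2 expands a "nat (inside) 1 ..." rule against
# every active interface, versus how ASA 8.3+ keeps only the configured pair.
# Illustrative simulation only, not ASA code; the DMZ/Guest subnets and the
# destination addresses are assumed values.
from ipaddress import ip_address, ip_network


class Asa82:
    """Pre-8.3 dynamic NAT: nat/global pairs matched by nat_id per egress interface."""

    def __init__(self, interfaces):
        self.interfaces = list(interfaces)   # active interfaces
        self.nat_rules = []                  # (src_ifc, nat_id, network)
        self.globals = {}                    # (dst_ifc, nat_id) -> pool text
        self.exempt = []                     # (src_ifc, src_net, dst_net) from "nat (ifc) 0 access-list"

    def nat(self, src_ifc, nat_id, network):
        self.nat_rules.append((src_ifc, nat_id, ip_network(network)))

    def global_pool(self, dst_ifc, nat_id, pool):
        self.globals[(dst_ifc, nat_id)] = pool

    def nat_exempt(self, src_ifc, src_net, dst_net):
        self.exempt.append((src_ifc, ip_network(src_net), ip_network(dst_net)))

    def nat_table(self):
        """One 'match' entry per nat rule and per other active interface, as 8.2 does."""
        rows = []
        for src_ifc, nat_id, net in self.nat_rules:
            for dst_ifc in self.interfaces:
                if dst_ifc == src_ifc:
                    continue
                pool = self.globals.get((dst_ifc, nat_id), "No matching global")
                rows.append((src_ifc, str(net), dst_ifc, nat_id, pool))
        return rows

    def process(self, src_ifc, src_ip, dst_ifc, dst_ip):
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        # NAT exemption (nat 0 access-list) is evaluated before the dynamic rules.
        for ifc, s_net, d_net in self.exempt:
            if ifc == src_ifc and src in s_net and dst in d_net:
                return "forwarded untranslated (NAT exempt)"
        for ifc, nat_id, net in self.nat_rules:
            if ifc == src_ifc and src in net:
                pool = self.globals.get((dst_ifc, nat_id))
                if pool is None:
                    return "dropped: no matching global"
                return f"translated to {pool}"
        return "forwarded untranslated (no NAT rule matched)"


class Asa83:
    """8.3+ NAT: a rule binds one (real, mapped) interface pair; nothing else is implied."""

    def __init__(self):
        self.rules = []                      # (real_ifc, mapped_ifc, network, mapped)

    def nat(self, real_ifc, mapped_ifc, network, mapped):
        self.rules.append((real_ifc, mapped_ifc, ip_network(network), mapped))

    def nat_table(self):
        return [(r, m, str(n), mapped) for r, m, n, mapped in self.rules]

    def process(self, src_ifc, src_ip, dst_ifc, dst_ip):
        src = ip_address(src_ip)
        for real_ifc, mapped_ifc, net, mapped in self.rules:
            if (real_ifc, mapped_ifc) == (src_ifc, dst_ifc) and src in net:
                return f"translated to {mapped}"
        # No rule for this interface pair: packet is forwarded as-is, not dropped.
        return "forwarded untranslated (no NAT rule matched)"


def build_82():
    """The post's scenario on 8.2: one nat, one global, four active interfaces."""
    asa = Asa82(["inside", "outside", "DMZ", "Guest"])
    asa.nat("inside", 1, "192.168.0.0/24")
    asa.global_pool("outside", 1, "192.0.2.1 [Interface PAT]")
    return asa


def build_83():
    """The same scenario expressed as a single 8.3-style rule."""
    asa = Asa83()
    asa.nat("inside", "outside", "192.168.0.0/24", "interface")
    return asa


if __name__ == "__main__":
    old, new = build_82(), build_83()
    for row in old.nat_table():
        print("8.2:", row)
    print("8.2 inside->outside:", old.process("inside", "192.168.0.10", "outside", "198.51.100.5"))
    print("8.2 inside->DMZ:    ", old.process("inside", "192.168.0.10", "DMZ", "172.16.1.10"))
    old.nat_exempt("inside", "192.168.0.0/24", "172.16.1.0/24")  # the NAT 0 exception the post mentions
    print("8.2 after NAT 0:    ", old.process("inside", "192.168.0.10", "DMZ", "172.16.1.10"))
    print("8.3 inside->DMZ:    ", new.process("inside", "192.168.0.10", "DMZ", "172.16.1.10"))
```

Running it prints the three 8.2 match entries (two of them with "No matching global"), the drop for inside-to-DMZ traffic, the same traffic passing once the exemption is added, and the 8.3 model forwarding that traffic without any exemption at all.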

2 comments:

  1. I have a list of private IPs that is mapped to a list of global IPs
    (so if I have 10 PCs on my network and 10 global IPs everything works fine, but if I add one more PC and all of the 10 PCs are connected to the Internet, the last one I've just added will not be able to reach the Internet). The solution for this problem is dynamic NAT with overload?
    Each system is also connected with an ExpressVPN client

  2. I met the same issue as Jack, but each of my systems is connected with an IPVANISH client.
