networking-forum.com
All times are UTC - 6 hours [ DST ]
PostPosted: Tue May 01, 2012 11:40 am 
New Member

Joined: Tue May 01, 2012 11:19 am
Posts: 7
Certs: None
Hello:

This is my first question on this forum.

I am looking at a config on a 5550 FW, and am trying to make sense of the syntax of the following rules. I have been to the Cisco site, but can't find much on the syntax.

Any help with the code, or even better, a link to some doc that can explain this code, would be wonderful.

Here is a chunk of rules:

Prim_Pub has been defined using the nameif statement on port 0/0, no logical interface.
It has a public IP of xxx.xxx.40.19
Lan_Ext has been defined as well, on logical port 0/1.2, with an address of 192.168.13.2
restricted has been defined on logical port 0/1.3, with an address of 192.168.70.1
Prod has been defined on logical port 0/1.40, with an address of 172.10.0.1

nat-control has been implemented

Now the commands, which I am struggling with.
Questions interspersed with each command:

global (Prim_Pub) 1 interface
global (Prim_Pub) 2 zzz.zzz.123.17 netmask 255.255.255.255
What does the "1" and "2" refer to?
What does the word "interface" refer to?
global (LANx) 102 interface
What does the "102" refer to?
global (restricted) 1 interface
nat (Lan_Ext) 0 access-list LANx_nat0_outbound
What does the "0" refer to?
nat (Lan_Ext) 2 192.168.5.0 255.255.255.0
nat (Lan_Ext) 102 0.0.0.0 0.0.0.0
I have no clue what this line above is doing.
nat (restricted) 0 access-list restricted.30_nat0_outbound
nat (restricted) 0 192.168.30.0 255.255.255.0
nat (restricted) 1 0.0.0.0 0.0.0.0
I have no clue what this line above does.
nat (Prod) 0 access-list no-nat
nat (Prod) 0 access-list Production_nat0_inbound outside
nat (Prod) 1 172.10.0.0 255.255.0.0
The line above, what is it doing? Is it not nat'ing to its own subnet?


PostPosted: Tue May 01, 2012 11:57 am 
Post Whore

Joined: Tue Aug 21, 2007 2:15 pm
Posts: 8296
Location: Frederick MD
Certs: Instanity
What version of code? NAT configs change in 8.2+

NAT and Global statement usually go together, the numbers correlate which are NAT/Global pairs.

NAT 0 refers to something called identity NAT, things that don't get NATed

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw


PostPosted: Tue May 01, 2012 12:08 pm 
New Member

Joined: Tue May 01, 2012 11:19 am
Posts: 7
Certs: None
ristau5741 wrote:
What version of code? NAT configs change in 8.2+

NAT and Global statement usually go together, the numbers correlate which are NAT/Global pairs.

NAT 0 refers to something called identity NAT, things that don't get NATed


The box is way downlevel in code, 7.1.2.
It has to be upgraded to 8.3, which means doing away with the nat-control commands.
But first I have to understand the existing commands, and I am pretty lost.

What does the word "interface" refer to? It shows up in several lines.
Same for "2" and "102"?


PostPosted: Tue May 01, 2012 1:57 pm 
Post Whore

Joined: Tue Aug 21, 2007 2:15 pm
Posts: 8296
Location: Frederick MD
Certs: Instanity
I_Batman wrote:
ristau5741 wrote:
What version of code? NAT configs change in 8.2+

NAT and Global statement usually go together, the numbers correlate which are NAT/Global pairs.

NAT 0 refers to something called identity NAT, things that don't get NATed


The box is way downlevel in code, 7.1.2.
It has to be upgraded to 8.3, which means doing away with the nat-control commands.
But first I have to understand the existing commands, and I am pretty lost.

What does the word "interface" refer to? It shows up in several lines.
Same for "2" and "102"?


example

global (LANx) 102 interface

would be the LANX interface
or
the ip address of that interface,

maybe that is a bad example

global (Prim_Pub) 1 interface
the NAT traffic would be presented as xxx.xxx.40.19

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw


PostPosted: Tue May 01, 2012 2:21 pm 
Member

Joined: Sun Jun 26, 2011 6:22 pm
Posts: 108
Location: Quebec, Canada
Certs: CCNP, CCNA Security, CCNA, JNCIS-ENT
The numbers are IDs for your NAT statements, you need to match the global and corresponding nat to understand them. They're just numbers to separate the different statements (except 0, which is for nat exemption)

Code:
global (Prim_Pub) 1 interface
global (restricted) 1 interface
nat (Prod) 1 172.10.0.0 255.255.0.0
nat (restricted) 1 0.0.0.0 0.0.0.0


For NAT ID 1: When you get traffic from "Prod" with the 172.10.0.0/16 subnet that goes to somewhere in the "Prim_Pub" or "restricted" (your globals) zones, that subnet will get source NAT'ed to the interface IP of the corresponding zone. All traffic coming from "restricted" going to "Prim_Pub" will get NAT'ed to the interface IP.

Code:
global (Prim_Pub) 2 zzz.zzz.123.17 netmask 255.255.255.255
nat (Lan_Ext) 2 192.168.5.0 255.255.255.0


For NAT ID 2: When traffic from "Lan_Ext" matching the 192.168.5.0/24 subnet goes to somewhere in the "Prim_Pub" (internet), that subnet will get source NAT'ed to the zzz.zzz.123.17/32 address.


Code:
global (LANx) 102 interface
nat (Lan_Ext) 102 0.0.0.0 0.0.0.0


For NAT ID 102: All traffic coming from "Lan_Ext" that is going to somewhere in the "LANx" zone will get source NAT'ed to that zone's interface IP address.


Code:
nat (Lan_Ext) 0 access-list LANx_nat0_outbound
nat (restricted) 0 access-list restricted.30_nat0_outbound
nat (restricted) 0 192.168.30.0 255.255.255.0
nat (Prod) 0 access-list no-nat
nat (Prod) 0 access-list Production_nat0_inbound outside


NAT 0: This is for NAT exemptions. You use this when you want to permit high-security to low-security traffic without having to NAT the sources to the interface IP address of the low-security zone. This essentially NATs the source IP to itself, which satisfies the nat-control requirements.

Hope this helps.


PostPosted: Tue May 01, 2012 2:41 pm 
New Member

Joined: Tue May 01, 2012 11:19 am
Posts: 7
Certs: None
Fantastic you two!

Both of you have helped me greatly!

Much appreciated.
This definitely gives me something to work with, albeit slowly and carefully.


PostPosted: Tue May 01, 2012 3:45 pm 
New Member

Joined: Tue May 01, 2012 11:19 am
Posts: 7
Certs: None
OK, while what you have given me is a great help, can you further help me interpret this:

3 interfaces, 2 that I have presented before:

0/0 = Prim_Pub, with a public IP of xxx.xxx.40.19, mask of 255.255.255.248
0/1.2 = Lan_Ext, with an address of 192.168.13.2, mask of 255.255.255.0
0/1.61 = VPN, with an address of 192.168.109.1, mask of 255.255.255.0

Code:
global (Prim_Pub) 2 zzz.zzz.123.17 netmask 255.255.255.255
nat (Lan_Ext) 2 192.168.5.0 255.255.255.0
nat (VPN) 2 192.168.5.0 255.255.255.0


I can see if I have 2 interfaces associated with the same ID, it is pretty clear how the traffic can flow.
But here I have 3 interfaces. And what is more difficult for me to understand is I have 2 local interfaces (Lan_Ext and VPN), that are defined on different subnets (that part makes sense), but they are limiting traffic on the same subnet, 192.168.5.0.

Do these three lines of code say that any traffic destined for the 192.168.5.0 network that is coming from the 192.168.13.0 network or the 192.168.109.0 network will be source NAT'ed to the zzz.zzz.123.17 address?


PostPosted: Tue May 01, 2012 5:21 pm 
Member

Joined: Sun Jun 26, 2011 6:22 pm
Posts: 108
Location: Quebec, Canada
Certs: CCNP, CCNA Security, CCNA, JNCIS-ENT
The subnets you specify after the "nat (zone) <id>" command are always source networks, not destination.

The way you have it written right now reads like so:

-If I see traffic coming on my Lan_Ext interface sourced with 192.168.5.0/24, I will NAT/PAT that host to zzz.zzz.123.17
-If I see traffic coming on my VPN interface sourced with 192.168.5.0/24, I will NAT/PAT that host to zzz.zzz.123.17

Obviously this doesn't make much sense since you wouldn't have the same network coming from two different interfaces.

NAT/PAT Reference for ASA 8.2 and less: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_dynamic.html


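As an added example (not part of the thread or anyone's post), the Python below pairs pre-8.3 nat/global statements by ID the way Mendlar's two answers describe: it reports which source address a destination interface sees, treats ID 0 as identity NAT, and flags the Lan_Ext/VPN case where one ID and source network sit under two interfaces. The masked addresses are replaced by constructed documentation addresses, and the access-list forms are skipped because the ACLs are not in the thread.

```python
import ipaddress
import re

# Constructed sample from the thread's lines; masked octets replaced by documentation
# addresses (203.0.113.19 = Prim_Pub interface IP, 198.51.100.17 = the global pool address).
INTERFACE_IPS = {"Prim_Pub": "203.0.113.19", "Lan_Ext": "192.168.13.2",
                 "restricted": "192.168.70.1", "Prod": "172.10.0.1", "VPN": "192.168.109.1"}
CONFIG = """
global (Prim_Pub) 1 interface
global (Prim_Pub) 2 198.51.100.17 netmask 255.255.255.255
global (LANx) 102 interface
global (restricted) 1 interface
nat (Lan_Ext) 2 192.168.5.0 255.255.255.0
nat (Lan_Ext) 102 0.0.0.0 0.0.0.0
nat (restricted) 0 192.168.30.0 255.255.255.0
nat (restricted) 1 0.0.0.0 0.0.0.0
nat (Prod) 1 172.10.0.0 255.255.0.0
nat (VPN) 2 192.168.5.0 255.255.255.0
"""
GLOBAL_RE = re.compile(r"global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")

def parse(config):
    """globals[(outside_if, id)] -> 'interface' or pool address; nats -> (inside_if, id, source net)."""
    globals_, nats = {}, []
    for line in config.splitlines():
        if m := GLOBAL_RE.match(line):
            globals_[(m[1], int(m[2]))] = m[3]
        elif m := NAT_RE.match(line):   # 'nat ... access-list' lines are skipped: ACLs not in the thread
            nats.append((m[1], int(m[2]), ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)))
    return globals_, nats

def translate(config, src_if, src_ip, dst_if):
    """Source address dst_if sees for a packet from src_ip on src_if, or None if no pair exists."""
    globals_, nats = parse(config)
    ip = ipaddress.ip_address(src_ip)
    # ID 0 (identity / exemption) is checked first, then the most specific source network wins
    for in_if, nat_id, net in sorted(nats, key=lambda n: (n[1] != 0, -n[2].prefixlen)):
        if in_if != src_if or ip not in net:
            continue
        if nat_id == 0:
            return src_ip                     # identity NAT: the source is translated to itself
        pool = globals_.get((dst_if, nat_id))
        if pool is None:
            continue                          # no global with this ID on dst_if: try the next rule
        return INTERFACE_IPS.get(dst_if, f"<{dst_if} interface IP>") if pool == "interface" else pool
    return None                               # under nat-control this flow has no translation group

def source_conflicts(config):
    """Flag one NAT ID + source network configured under two inside interfaces (Lan_Ext/VPN case)."""
    seen = {}
    for in_if, nat_id, net in parse(config)[1]:
        seen.setdefault((nat_id, net), set()).add(in_if)
    return [f"nat id {k[0]} {k[1]}: {', '.join(sorted(v))}" for k, v in seen.items() if len(v) > 1]
```

A Lan_Ext host outside 192.168.5.0/24 gets None towards Prim_Pub here because its only match is ID 102, which has no global on Prim_Pub; on the real box that traffic would depend on the nat 0 access-list the script does not evaluate.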
 
PostPosted: Wed May 02, 2012 8:23 am 
New Member

Joined: Tue May 01, 2012 11:19 am
Posts: 7
Certs: None
Mendlar wrote:
The subnets you specify after the "nat (zone) <id>" command are always source networks, not destination.

The way you have it written right now reads like so:

-If I see traffic coming on my Lan_Ext interface sourced with 192.168.5.0/24, I will NAT/PAT that host to zzz.zzz.123.17
-If I see traffic coming on my VPN interface sourced with 192.168.5.0/24, I will NAT/PAT that host to zzz.zzz.123.17

Obviously this doesn't make much sense since you wouldn't have the same network coming from two different interfaces.

NAT/PAT Reference for ASA 8.2 and less: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_dynamic.html


I think we are on the same page here Mendlar.
If I am understanding what you are saying, and I agree, there is no way BOTH of these lines of code can be correct:

Code:
nat (LAN_Ext) 2 192.168.5.0 255.255.255.0 where Lan_Ext has a logical interface IP address of 192.168.13.2/ 24
nat (VPN) 2 192.168.5.0 255.255.255.0, where VPN has a logical IP address of 192.168.109.1 /24


Like I said I am trying to figure out some existing firewall rules, and have found other issues.

