Cisco ASA PRE_8.3 and POST_8.3 NAT Operations

max_the_king
CERTIFIED EXPERT
Published:
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a
glance.

You may as well want to read official Cisco published ASA 8.3 migration guide:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html
Please refer to it for all NAT migration explanation

Cisco ASA firewalls support a few types of address translations: most common are the following:

Dynamic NAT translation: It is used for outbound communication only, and the most popular case is when you want your internal LAN to go out to the Internet with a public IP address.

PRE_8.3
ciscoasa (config)# nat (inside) 1 192.168.1.0 255.255.255.0 
                      ciscoasa (config)# global (outside) 1 interface

Open in new window



As you can see, the "nat" and "global" keywords work together: basically the pix/asa use its outside interface address to let clients go out on the internet by creating a translation rule and hiding their real IP address and managing more connections by creating sockets that remains unique because they are differentiated by the tcp/udp port assigned in each socket.

POST_8.3
ciscoasa (config)# object network internal_LAN
                      ciscoasa (config-network-object)# subnet 192.168.1.0 255.255.255.0
                      ciscoasa (config-network-object)#  nat (inside,outside) dynamic interface

Open in new window


Here you see a big architectural difference: now translations are managed with object-like programming; you no more have the nat-global couple: instead ip addressing is referenced by object. The functional result is really the same, but architectural design of NAT and flexibility in changing configuration is quite different.

Static NAT translation: Static NAT is used for Bidirectional communication. You want to use it when you need to publish a server on the internet.

PRE_8.3
ciscoasa (config)# static (DMZ , outside) 1.2.3.4 10.0.0.1 netmask 255.255.255.255

Open in new window



POST_8.3
ciscoasa (config)# object network webserver_PublicIP 
                      ciscoasa (config-network-object)# host 10.0.0.1 
                      ciscoasa (config-network-object)# nat (DMZ , outside) static 1.2.3.4

Open in new window



Please note that the access-list that will allow traffic on port 80 of the webserver must point to the real IP address (10.0.0.1) and this is different from the old configuration (which pointed to the public IP address).

NAT Exempt: it is usually used for vpn connections.

Once you have configured Dynamic NAT on the ASA firewalls to allow the private LAN networks to access the Internet, should you want to implement a vpn tunnel (either site-to-site or remote access), you need to make sure that traffic which will pass through the VPN tunnel will be excluded from any NAT operation. Thus you need to "exempt" NAT from the LANs which you want to connect with IPSEC tunnel: this is done in a different way, depending on the version of ASA (pre or post 8.3).

PRE_8.3
ciscoasa (config)# access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
                      ciscoasa (config)# nat (inside) 0 access-list NONAT

Open in new window


POST_8.3

ASA 1:

ASA1(config)# object network internal_LAN
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# exit
ASA1(config)# object network external_LAN
ASA1(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA1(config-network-object)# exit
ASA1(config)# nat (inside,outside) 1 source static internal_LAN internal_LAN destination static external_LAN external_LAN

ASA 2:

ASA2(config)# object network internal_LAN
ASA2(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA2(config-network-object)# exit
ASA2(config)# object network external_LAN
ASA2(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA2(config-network-object)# exit
ASA2(config)# nat (inside,outside) 1 source static internal_LAN internal_LAN destination static external_LAN external_LAN


Just a quick word on NAT-control functionality. Back in the day on the PIX, it was absolutely necessary to NAT between interfaces. The ASA does not have this requirement. The default command no nat-control makes this happen. With no NAT control configured, we have no requirement to NAT. We can still do so if we really want, but it is not mandatory. If we want the ASA to act like the old PIX firewall we can add nat-control to make that happen (but I wouldn't do that, as I never liked it very much).

Hope this helps to clarify the main syntax differences, but I believe that will be worth to go deep into cisco documents and guides to better understand all the implications.

max
2
5,703 Views
max_the_king
CERTIFIED EXPERT

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.