Monday, 1 April 2013

NAT configuration in Cisco ASA 8.4

NAT in Cisco ASA 8.3 and 8.4

With Cisco ASA version 8.3, Cisco completely changed the way NAT works.
Let's try to sum up the changes and how NAT has worked since version 8.3.

Nat-control feature

Nat-control has been deprecated since version 8.3. That means it is no longer necessary to NAT traffic in order to pass it from one interface to another: from now on, all traffic is allowed without NAT rules (provided the access lists allow the traffic, of course).

Nat types

Other commands from 8.2 and earlier versions are also deprecated, including global, static and alias.

In this new version, the NAT types are:
  • Static NAT
  • Dynamic NAT
  • Dynamic Port Address Translation (PAT)
  • Identity NAT
Static NAT: A mapping between a real and a mapped IP address.
Dynamic NAT: A group of real IP addresses mapped to a group of mapped IP addresses.
Dynamic Port Address Translation (PAT): A group of real IP addresses mapped to a single IP address.
Identity NAT: A real address is statically translated to itself, essentially bypassing NAT (nat 0 in earlier versions).

Implementing NAT rules

Depending on the way we implement the NAT rules, we find the following distinction:
  • Network Object NATs
  • Twice NAT
Network Object NATs

This comprises all NAT rules that are configured inside a network object.

An example of a static NAT using a network object (replacing the static command used in version 8.2):

hostname(config)# object network nat_object_1
hostname(config-network-object)# host 192.168.10.1
hostname(config-network-object)# nat (inside,outside) static 192.168.20.2
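The other three NAT types listed above, written in the same network object form, as an added example that is not part of the original post (object names and addresses are invented; note that a network object can carry only one nat command, which is why the identity rule towards the dmz uses a second object for the same subnet):

```cisco
! Dynamic NAT: a real subnet translated to a pool of mapped addresses
! (assumed object names and example addresses)
object network mapped-pool
 range 203.0.113.10 203.0.113.20
object network inside-net
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic mapped-pool

! Dynamic PAT: a real subnet translated to the single outside interface address
object network guest-net
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Identity NAT: the real subnet is "translated" to itself (the old nat 0),
! here for traffic towards the dmz, where no translation is wanted
object network inside-net-to-dmz
 subnet 10.1.1.0 255.255.255.0
 nat (inside,dmz) static inside-net-to-dmz
```

One operational caveat: plain dynamic NAT drops new connections once the mapped pool is exhausted. Appending the interface keyword after the pool (nat (inside,outside) dynamic mapped-pool interface) gives a PAT fallback on the interface address when that happens.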

Twice NAT

Twice NAT lets you identify both the source and destination address in a single rule. In a way, it is the analog of using an access-list in nat or static rules in version 8.2 and earlier.

As a prerequisite, it is necessary to configure network objects or network object groups for the real and the mapped addresses.

object-group network object_nat_1
network-object 192.168.100.0 255.255.255.0
network-object 192.168.200.0 255.255.255.0
object network object_nat_2
subnet 172.16.10.0 255.255.255.0
nat (inside,outside) source static object_nat_1 object_nat_1 destination static object_nat_2 object_nat_2

In this case, we have defined a static NAT in which neither the source network nor the destination is translated (if we wanted to translate the source or the destination address, we would modify the second term of the source or destination part accordingly).

Order of NAT rules

  • Section 1 (twice NAT rules): these rules are evaluated in the order they appear in the configuration.
  • Section 2 (network object NAT rules).
  • Section 3 (twice NAT rules that you specifically want evaluated after the network object NAT rules). You need the after-auto keyword for that purpose. As an example:

nat (inside,outside) after-auto source dynamic object_nat_1 interface

To verify the order in which NAT rules are applied, just type show nat and the firewall will list the NAT translations for each section.
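A complete example, added here and not taken from the original post, that puts one rule in each of the three sections. Its Section 1 rule is the twice NAT case described above in which the second terms are actually modified, so both source and destination are translated (the classic fix for overlapping address space with a partner). Object names and addresses are invented for the example.

```cisco
! Objects (invented addresses). The mapped subnets are the same size as the
! real ones, which static net-to-net translation requires.
object network local-real
 subnet 10.1.1.0 255.255.255.0
object network local-mapped
 subnet 192.168.1.0 255.255.255.0
object network partner-mapped
 subnet 192.168.2.0 255.255.255.0
object network partner-real
 subnet 10.1.1.0 255.255.255.0
object network mapped-pool
 range 203.0.113.10 203.0.113.20
object-group network inside-all
 network-object 10.1.0.0 255.255.0.0

! Section 1: twice NAT, evaluated first and in configuration order.
! Note the operand order: source is written real-then-mapped, but
! destination is written mapped-then-real. A host in 10.1.1.0/24 that
! sends to 192.168.2.x leaves as 192.168.1.x, and the packet is forwarded
! to the partner's real 10.1.1.x address.
nat (inside,outside) source static local-real local-mapped destination static partner-mapped partner-real

! Section 2: object NAT, consulted only when no Section 1 rule matched
object network servers
 subnet 10.1.5.0 255.255.255.0
 nat (inside,outside) dynamic mapped-pool

! Section 3: twice NAT pushed after object NAT with after-auto; a catch-all
! PAT that only applies to inside traffic nothing above matched
nat (inside,outside) after-auto source dynamic inside-all interface
```

Because matching is first-hit within this order, the catch-all in Section 3 can never steal traffic from the more specific rules, which is exactly why it is placed there rather than in Section 1. After entering the configuration, show nat lists each section separately with per-rule hit counts, which is the quickest way to confirm that traffic is hitting the rule you expected.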