With version 8.3, Cisco completely changed the way NAT works on the ASA.
Let's try to sum up the changes and how NAT has worked since version 8.3.
NAT-control feature
The nat-control command was removed in version 8.3. It is no longer necessary to have a NAT rule for traffic to pass from one interface to another: from now on, all traffic is forwarded untranslated as long as the access lists permit it. Keep this in mind when upgrading: on a pre-8.3 firewall running nat-control, hosts without a matching NAT rule were silently blocked; after the upgrade those same hosts are forwarded, so the access lists must do the filtering on their own.
NAT types
Other commands from 8.2 and earlier are also deprecated, including global, static and alias; the syntax of the nat command itself changed as well.
In this new version, the NAT types are:
- Static NAT
- Dynamic NAT
- Dynamic Port Address Translation (PAT)
- Identity NAT
Static NAT: a real address is mapped one-to-one to a mapped address. The mapping is bidirectional, so this is the form used to publish a server.
Dynamic NAT: a group of real IP addresses is mapped to a pool of mapped IP addresses; each connection takes an address from the pool for as long as it lasts.
Dynamic Port Address Translation (PAT): a group of real IP addresses is mapped to a single mapped IP address, with the source port distinguishing the connections.
Identity NAT: a real address is statically translated to itself, essentially bypassing NAT (the nat 0 of earlier versions).
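The four types side by side, each written as network object NAT (the form introduced in 8.3). This is an added example, not configuration from the original post; the object names and the 192.168.x.x and 203.0.113.x addresses are constructed for illustration.

```text
! Static NAT: one real host mapped one-to-one (and bidirectionally) to a public address.
object network web_server
 host 192.168.10.10
 nat (inside,outside) static 203.0.113.10
!
! Dynamic NAT: a pool of real addresses mapped to a pool of mapped addresses.
! The mapped pool is its own object; each outbound connection borrows one pool
! address. When the pool is exhausted new connections are dropped, unless you
! append "interface" to the nat line to fall back to PAT on the interface address.
object network nat_pool
 range 203.0.113.100 203.0.113.110
object network inside_net
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic nat_pool
!
! Dynamic PAT: many real addresses share the outside interface address,
! distinguished by source port.
object network guest_net
 subnet 192.168.20.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Identity NAT: the object is "translated" to itself (the old nat 0),
! here so the management host reaches the DMZ with its real address.
object network mgmt_host
 host 192.168.10.250
 nat (inside,dmz) static mgmt_host
```

Note that web_server and mgmt_host fall inside the inside_net subnet; that overlap is legal and is resolved by the automatic ordering of object NAT rules (static before dynamic, fewer real addresses first), which is covered in the section on rule order below.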
Implementing NAT rules
Depending on how the NAT rules are implemented, we find the following distinction:
- Network Object NATs
- Twice NAT
Network Object NAT
This comprises all NAT rules configured as a parameter of a network object: the object defines the real address and the nat command inside it defines the translation.
An example of a static NAT using a network object (instead of the static command used in version 8.2):
hostname(config)# object network nat_object_1
hostname(config-network-object)# host 192.168.10.1
hostname(config-network-object)# nat (inside,outside) static 192.168.20.2
Twice NAT
Twice NAT lets you identify both the source and destination address in a single rule. In a way, it is the analog of using an access-list in the nat or static commands of version 8.2 and earlier (policy NAT).
As a prerequisite, it is necessary to configure network objects or network object groups for the real and the mapped addresses.
object-group network object_nat_1
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
object network object_nat_2
 subnet 172.16.10.0 255.255.255.0
nat (inside,outside) source static object_nat_1 object_nat_1 destination static object_nat_2 object_nat_2
In this case we have defined a static rule in which neither the source nor the destination address is translated, since the real and mapped objects are the same on both sides; this is the identity twice NAT that replaces the nat 0 access-list used for VPN exemption in 8.2. To translate the source or the destination address, change the second object in the source or destination clause accordingly.
Order of NAT rules
- Section 1 (twice NAT rules): these rules are evaluated in the order in which they appear in the configuration, so a broad rule placed early shadows everything after it.
- Section 2 (network object NAT rules): the ASA orders these automatically, static rules before dynamic ones, then objects with fewer real addresses before larger ones.
- Section 3 (twice NAT rules that you explicitly want evaluated after the network object NAT rules): add the after-auto keyword to the nat command. As an example:
nat (inside,outside) after-auto source dynamic object_nat_1 interface
To verify the order in which NAT rules are applied, type show nat: the firewall lists the translations of each section in the order it evaluates them.
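A complete configuration that puts the twice NAT rules and the three sections to work, added here as an illustration (it is not configuration from the original post; the object names and addresses are constructed). It shows the two common reasons to write twice NAT rules, a VPN identity exemption and a destination-dependent (policy) translation, in Section 1; a published server as object NAT in Section 2; the catch-all interface PAT pushed to Section 3 with after-auto; and the commands used to verify which rule a given flow hits.

```text
! --- objects (addresses are constructed for this example) ---
object network inside_net
 subnet 192.168.100.0 255.255.255.0
object network vpn_net
 subnet 172.16.10.0 255.255.255.0
object network partner_net
 subnet 10.200.0.0 255.255.0.0
object network partner_pat
 host 203.0.113.5
!
! --- Section 2: object NAT, the published DMZ server ---
! Section 2 rules are ordered by the ASA itself: static before dynamic,
! then objects with fewer real addresses before larger ones.
object network dmz_web
 host 10.10.10.10
 nat (dmz,outside) static 203.0.113.80
!
! --- Section 1: twice NAT, evaluated first and in configuration order ---
! VPN exemption: identity NAT so tunnel traffic keeps its real addresses.
nat (inside,outside) source static inside_net inside_net destination static vpn_net vpn_net
! Policy NAT: inside hosts are PATed to 203.0.113.5 only when talking to the partner.
! The destination clause lists the mapped object first, then the real one
! (the reverse of the source clause); with identity objects the order is harmless.
nat (inside,outside) source dynamic inside_net partner_pat destination static partner_net partner_net
!
! --- Section 3: twice NAT with after-auto, evaluated after object NAT ---
! Catch-all PAT to the outside interface address for everything else.
nat (any,outside) after-auto source dynamic any interface
!
! --- verification ---
show nat
show nat detail
! one simulated flow per rule; the NAT phase of the output names the rule that matched
packet-tracer input inside tcp 192.168.100.10 40000 172.16.10.20 443
packet-tracer input inside tcp 192.168.100.10 40000 10.200.1.1 443
packet-tracer input inside tcp 192.168.100.10 40000 198.51.100.1 443
packet-tracer input dmz tcp 10.10.10.10 40000 198.51.100.1 443
```

If the catch-all were written without after-auto it would land in Section 1 and, being evaluated first, would PAT the VPN traffic and the DMZ server's outbound connections to the interface address, silently bypassing the specific rules. The four packet-tracer lines simulate one flow each (VPN, partner, generic outbound, and the server calling out) and report in their NAT phase which rule matched, which is the quickest way to confirm the ordering before the change reaches production.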