topic Basic NAT Question in Network Security

Basic NAT Question

mbaker33 — Tue, 12 Mar 2019 03:15:00 GMT

Hello,

I'm new to the new NAT statements in the ASA configs. I've held off as long as I could, and now I am configuring a shiny new ASA 5525-X to replace our older 5520. Alas, I cannot hold off any more.

My question is, when I upgraded our ASA 5520 to 8.4.3, it converted old NAT to the new format for me. The issue comes where we have the same network natted twice. Once, it is NAT'd to another internal interface, and the other, it is NAT'd to the external interface of the ASA for internet access. Is it possible to have one object network line, with the two different NAT statements under it? Or are two objects required?

Here's the code example:

Existing:

object network obj-10.10.0.0

nat (inside,dmz) static 10.10.0.0

object network obj-10.10.0.0-01

nat (inside,outside) dynamic interface

I would like something like this if possible.:

object network obj-10.10.0.0

nat (inside,dmz) static 10.10.0.0

nat (inside,outside) dynamic interface

Basic NAT Question

Jouni Forss — Mon, 09 Dec 2013 17:57:01 GMT

Hi,

You WONT be able to have multiple "nat" statement under one "object network"

Its one "nat" command per "object"

The bad thing about letting the ASA convert the configuration is that it leaves a lot of useless configurations.

For example your first NAT configuration seems like a Static Identity NAT. Essentially it translates the address to itself between 2 interfaces of the ASA.

object network obj-10.10.0.0

nat (inside,dmz) static 10.10.0.0

In general you wont need such configurations on the new software as the ASA doesnt require you to have NAT between the interface if you dont want to have.

Though I can't tell you if you need this NAT configurations because there might be some other configuration present that would start NATing the source network if this wasnt present. A possible scenario might be that if you had some kind of Dynamic PAT/NAT between "inside" and "dmz".

If you want to look at some information about the new NAT format then I would suggest having a look at a document I wrote here:

https://supportforums.cisco.com/docs/DOC-31116

There is also a good document comparing the new and old format here:

https://supportforums.cisco.com/docs/DOC-9129

Hope this helps

- Jouni

Basic NAT Question

mbaker33 — Tue, 10 Dec 2013 14:37:29 GMT

Thank you Jouni,

I suspected that was the case, but I am trying to keep the config clean. The new NAT methods are so different, I'll read your links and hopefully make sense of it. I believe the two config examples I gave are both necessary. One allows communication to our DMZ, and the other is our Global NAT to the internet from what I understand.

Again, thanks for the info.