04-08-2012 07:28 AM - edited 03-11-2019 03:51 PM
8.3x--> I am so frustrated with this new code cisco released
NATs are becoming more and more painful in the 8.3x release and I am afraid to upgrade our clients' ASAs to this new code. NAT statements make absolutely no sense and troubleshooting is even harder now on the new code. My colleague spent two hours troubleshooting a mail server NAT config just the other day on a client ASA that was running 8.3x code. Am I the only one complaining about this new code?
04-08-2012 08:00 AM
I was also frustrated in the beginning, but now it absolutely makes sense. It's a lot more powerful than it used to be, so I recommend learning it and getting used to it.
The first thing to remember is that there are now two sections: Manual-nat and Auto-nat. Manual goes first then goes auto. Manual entries can also be put after auto. Manual entries are ordered, auto entries are not.
The confusing part is that in a lot of cases the same result can be achieved with manual-nat command and with auto-nat command. I prefer manual nats as they are also one-liners. For example, the old nat (inside) 1 0 0 + global (outside) 1 interface can be achieved with manual nat:
nat (inside,outside) source dynamic any interface
or with auto nat:
object network obj-any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
two different commands, same result, you choose which one you like.
Another example, static NAT using manual nat:
object network obj-EXTERNAL
host 5.5.5.5
object network obj-INTERNAL
host 10.0.0.1
!
nat (inside,outside) source static obj-INTERNAL obj-EXTERNAL
or with auto nat:
object network obj-EXTERNAL
host 5.5.5.5
object network obj-INTERNAL
host 10.0.0.1
nat (inside,outside) static obj-EXTERNAL
Two commands, same result. Well, actually there are a few little differences, but they have to do with the inspection engine; in most situations you don't think about these things (I do in SIP deployments).
Also get used to "show nat" command, it shows you exactly what you have configured. Good output.
The other thing to get used to is that you have to use the internal IPs of the real hosts in the outside ACLs. Before 8.3, you had to use the external (mapped) IPs for your hosts.
04-08-2012 08:35 AM
Thanks for the quick tip roman
So how does PAT work on the new code? Sorry, I haven't loaded the new code on my lab ASA yet (need to upgrade flash).
Below are the most common configs we use on our clients' ASAs
old config:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
New Config:
??
And what about Static PAT ?
old config:
static (inside,outside) 65.65.65.1 10.10.100.1 netmask 255.255.255.255
access-list aclout permit tcp any 65.65.65.1 eq 80
access-group aclout in int outside
New config:
?? so is static command completely removed in 8.3x ??
NAT Exempt (Nat ID 0)
old config:
nat (inside) 0 access-list nonat
New config:
?? Please advise ??
04-08-2012 08:49 AM
this could help you: https://supportforums.cisco.com/docs/DOC-9129
old config:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
new config, manual dynamic nat:
nat (inside,outside) source dynamic any interface
OR auto dynamic nat:
object network obj-any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
same result - different commands.
old config (your example is not static pat, it's static nat):
static (inside,outside) 65.65.65.1 10.10.100.1 netmask 255.255.255.255
access-list aclout permit tcp any 65.65.65.1 eq 80
access-group aclout in int outside
new config, manual static nat (this is not pat, your example is NOT pat):
object network obj-65.65.65.1
host 65.65.65.1
object network obj-10.10.100.1
host 10.10.100.1
nat (inside,outside) source static obj-10.10.100.1 obj-65.65.65.1
access-list aclout permit tcp any 10.10.100.1 eq 80
access-group aclout in int outside
OR auto static nat (this is not pat):
object network obj-65.65.65.1
host 65.65.65.1
object network obj-10.10.100.1
host 10.10.100.1
nat (inside,outside) static obj-65.65.65.1
access-list aclout permit tcp any 10.10.100.1 eq 80
access-group aclout in int outside
If you were doing static pat, it would look like this:
new config, manual static pat (the service object carries the port):
object service obj-port-80
service tcp source eq 80
object network obj-65.65.65.1
host 65.65.65.1
object network obj-10.10.100.1
host 10.10.100.1
nat (inside,outside) source static obj-10.10.100.1 obj-65.65.65.1 service obj-port-80 obj-port-80
access-list aclout permit tcp any 10.10.100.1 eq 80
access-group aclout in int outside
OR auto static pat (real port, then mapped port):
object network obj-65.65.65.1
host 65.65.65.1
object network obj-10.10.100.1
host 10.10.100.1
nat (inside,outside) static obj-65.65.65.1 service tcp 80 80
access-list aclout permit tcp any 10.10.100.1 eq 80
access-group aclout in int outside
Yes, static and global commands are gone.
old config:
nat (inside) 0 access-list nonat
new config:
nat (inside,outside) source static any any destination static obj-VPN-POOL-10.0.254.0 obj-VPN-POOL-10.0.254.0 route-lookup
(route-lookup command is recommended)
In this example, any traffic from inside to the 10.0.254.0/24 VPN pool will not be NATed.
04-08-2012 09:01 AM
Thanks a lot.. That helps a lot! Now I have about 70% covered already on the new code! Thanks to you!!
And you're right, that example was for static NAT. Sorry about the typo.
Here is what I meant for static PAT with services
old config:
static (inside,outside) tcp interface ssh 10.10.100.1 ssh netmask 255.255.255.255
access-list aclout permit tcp any interface outside eq ssh
access-group aclout in int outside
New config:
??
04-08-2012 01:14 PM
Hi,
New config would be
Insert anything you want for the object name. The name below is just an example of its purpose.
object network SSH-PORTFORWARD
host 10.10.100.1
nat (inside,outside) static interface service tcp ssh ssh
access-list aclout permit tcp any object SSH-PORTFORWARD eq ssh
Small explanation on the commands used:
- Jouni
04-08-2012 01:31 PM
Also,
Regarding the original topic.
I do agree it was a bit depressing to start learning the new format. Personally I had just gotten the feeling that I could handle about every situation with the old NAT format (well, at least the ones we need to use) and then BAM! NAT totally rewritten.
Though it does get easier when you get some practice.
Fortunately I've had plenty of practice so far. I'm in the process of migrating around 300+ old FWSM security contexts to new ASA 5585-X platforms, which gives me a lot of practice.
I also migrated a single Failover pair with around 300 NAT rules. Plenty of all different kinds of NAT configurations. And worst of all... a load of policy NATs.
If you happen to have an ASA running in multiple context mode or just have a spare/backup ASA, I suggest using them to your advantage to learn the NAT format. Personally I use either a spare ASA or one "dummy" security context on production equipment to test NAT configurations.
I was very happy that, migrating from a FWSM running in multiple context mode to an ASA running in multiple context mode, I was now able to use the "packet-tracer" command (not possible on FWSM), which helps a lot with confirming that your NAT configurations are correct or that your new NAT configurations don't start overriding old ones.
- Jouni
04-08-2012 08:35 PM
Thanks Jouni. Wow, you will be upgrading a lot of ASAs just at the right time! And yes, I have an ASA at home that has a site-to-site tunnel back to my office. I will be upgrading flash to 512 MB (ASA 5505) pretty soon so I can load the new code and try it out.
Thanks for the Static PAT config.
Is there any change on NAT Exempt (NAT ID 0) configs? We obviously use NAT ID 0 on site-to-site VPN/remote IPsec/SSL VPNs and I'm wondering if the nat 0 config has changed.
old config
access-list example-split permit ip 10.10.100.0 255.255.255.0 172.16.100.0 255.255.255.0 (172.16.100.0 = vpn pool)
access-list nonat permit ip 10.10.100.0 255.255.255.0 172.16.100.0 255.255.255.0
nat (inside) 0 access-list nonat
New config:
Any Changes ?
04-09-2012 12:56 PM
Hi,
NAT0 configurations don't quite look the same when changing from 8.2 to 8.3 or 8.4.
Your NAT0 configuration for a VPN pool might look something like this
object network VPN-POOL
subnet 172.16.100.0 255.255.255.0
object network LAN
subnet 10.10.100.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
The above basically does the following
Please rate helpful posts
- Jouni
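The replies above give, one at a time, the 8.3+ equivalents of the old nat/global PAT pair, one-to-one static NAT, static PAT to the interface, and the nat 0 exemption, plus the rule that the outside ACL now has to name the real address. The following script is an added example (not from this thread and not a Cisco tool) that encodes those same mappings as a small translator so the conversion, and the ACL rewrite that goes with it, can be checked in one place. The "obj-<address>" object names, the "extended" keyword being optional in the ACL lines, and the outside interface name for the exemption (taken from the global statement, otherwise "outside") are assumptions; the input configuration is constructed for illustration.

```python
"""Translate 8.2-style ASA NAT statements into the 8.3+ form shown in this thread.

Added example, not from the thread or from Cisco. Object names follow the
thread's "obj-<address>" convention, the outside interface for exemptions is
taken from the global statement (or assumed to be "outside"), and the
"extended" keyword in access-lists is optional; all of these are assumptions.
"""
import re

ANY = "0.0.0.0 0.0.0.0"

# Constructed sample of the pre-8.3 statements discussed in the thread.
OLD_CONFIG = """
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,outside) 65.65.65.1 10.10.100.1 netmask 255.255.255.255
static (inside,outside) tcp interface ssh 10.10.100.2 ssh netmask 255.255.255.255
access-list aclout permit tcp any host 65.65.65.1 eq 80
access-list aclout permit tcp any interface outside eq ssh
access-group aclout in interface outside
access-list nonat permit ip 10.10.100.0 255.255.255.0 172.16.100.0 255.255.255.0
nat (inside) 0 access-list nonat
"""


def obj_name(addr: str) -> str:
    return f"obj-{addr}"


def host_object(addr: str) -> list:
    return [f"object network {obj_name(addr)}", f" host {addr}"]


def net_object(net: str, mask: str) -> list:
    return [f"object network {obj_name(net)}", f" subnet {net} {mask}"]


def convert(old_config: str) -> list:
    """Return the 8.3+ lines equivalent to a block of 8.2-style NAT and ACL lines."""
    lines = [l.strip() for l in old_config.splitlines() if l.strip()]
    out = []
    pools = {}         # nat id -> (outside interface, pool address or "interface")
    exempt = {}        # nonat ACL name -> [(src, smask, dst, dmask), ...]
    exempt_names = set()
    rewrites = {}      # mapped address/phrase -> real address, for the outside ACL

    # Pass 1: collect what the nat/static lines refer to by id or name.
    for l in lines:
        m = re.match(r"global \((\S+)\) (\d+) (\S+)$", l)
        if m:
            pools[m.group(2)] = (m.group(1), m.group(3))
        m = re.match(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", l)
        if m:
            exempt.setdefault(m.group(1), []).append(m.groups()[1:])
        m = re.match(r"nat \(\S+\) 0 access-list (\S+)$", l)
        if m:
            exempt_names.add(m.group(1))
    outside = next((p[0] for p in pools.values()), "outside")  # assumption

    # Pass 2: emit objects and 8.3+ nat statements.
    for l in lines:
        m = re.match(r"nat \((\S+)\) ([1-9]\d*) (\S+) (\S+)$", l)
        if m:  # dynamic NAT/PAT: nat + global pair -> manual dynamic nat
            inside, nat_id, net, mask = m.groups()
            out_if, pool = pools[nat_id]
            src = "any" if f"{net} {mask}" == ANY else obj_name(net)
            if src != "any":
                out += net_object(net, mask)
            if pool != "interface":
                out += host_object(pool)
                pool = obj_name(pool)
            out.append(f"nat ({inside},{out_if}) source dynamic {src} {pool}")
            continue
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)$", l)
        if m:  # nat 0 exemption -> identity manual nat, one per ACL entry
            inside, acl = m.groups()
            for src, smask, dst, dmask in exempt.get(acl, []):
                out += net_object(src, smask) + net_object(dst, dmask)
                out.append(f"nat ({inside},{outside}) source static {obj_name(src)} {obj_name(src)} "
                           f"destination static {obj_name(dst)} {obj_name(dst)} route-lookup")
            continue
        m = re.match(r"static \((\S+),(\S+)\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask", l)
        if m:  # static PAT to the interface -> auto nat with service (real port, mapped port)
            inside, out_if, proto, mport, real, rport = m.groups()
            out += host_object(real)
            out.append(f" nat ({inside},{out_if}) static interface service {proto} {rport} {mport}")
            rewrites[f"interface {out_if}"] = f"host {real}"
            continue
        m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask 255\.255\.255\.255$", l)
        if m:  # one-to-one static NAT -> manual static nat
            inside, out_if, mapped, real = m.groups()
            out += host_object(real) + host_object(mapped)
            out.append(f"nat ({inside},{out_if}) source static {obj_name(real)} {obj_name(mapped)}")
            rewrites[mapped] = real

    # Pass 3: carry the interface ACLs over. From 8.3 the outside ACL is matched
    # against real (inside) addresses, so mapped addresses are rewritten; the
    # nonat ACL is no longer referenced by anything and is dropped.
    for l in lines:
        if l.startswith("access-group"):
            out.append(l)
        elif l.startswith("access-list") and l.split()[1] not in exempt_names:
            for mapped, real in rewrites.items():
                l = re.sub(rf"\b{re.escape(mapped)}\b", real, l)
            out.append(l)
    return out


if __name__ == "__main__":
    print("\n".join(convert(OLD_CONFIG)))
```

The ACL rewrite in pass 3 is the part worth reviewing by hand after an upgrade: an outside ACL that still permits the old mapped address matches nothing on 8.3+, so the service simply stops answering, and the packet-tracer check mentioned above is the quickest way to confirm the rewritten entry and the new nat statement line up before the change goes to a client.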
04-09-2012 01:29 PM
I am stumped on the NAT 0.. Will have to look at it first thing in the morning when I am not tired!