8.3x--> I am so frustrated with this new code cisco released

Amit V
Level 1

NATs are becoming more and more painful in the 8.3x release and I am afraid to upgrade our clients' ASAs to this new code. NAT statements make absolutely no sense and troubleshooting is even harder now on the new code. My colleague spent two hours troubleshooting a mail server NAT config just the other day on a client ASA that was running 8.3x code. Am I the only one complaining about this new code?

10 Replies

Roman Rodichev
Level 7

I was also frustrated in the beginning, but now it absolutely makes sense. It's a lot more powerful than it used to be, so I recommend learning it and getting used to it.

The first thing to remember is that there are now two sections: Manual-nat and Auto-nat. Manual goes first then goes auto. Manual entries can also be put after auto. Manual entries are ordered, auto entries are not.

The confusing part is that in a lot of cases the same result can be achieved with manual-nat command and with auto-nat command. I prefer manual nats as they are also one-liners. For example, the old nat (inside) 1 0 0 + global (outside) 1 interface can be achieved with manual nat:

nat (inside,outside) source dynamic any interface

or with auto nat:

object network obj-any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

Two different commands, same result; you choose which one you like.

Another example, static NAT using manual nat:

object network obj-EXTERNAL
 host 5.5.5.5
object network obj-INTERNAL
 host 10.0.0.1
!
nat (inside,outside) source static obj-INTERNAL obj-EXTERNAL

or with auto nat:

object network obj-EXTERNAL
 host 5.5.5.5
object network obj-INTERNAL
 host 10.0.0.1
 nat (inside,outside) static obj-EXTERNAL

Two commands, same result. Well, actually there are a few little differences, but they have to do with the inspection engine, and in most situations you don't think about these things (I do in SIP deployments).

Also get used to the "show nat" command; it shows you exactly what you have configured. Good output.

The other thing to get used to is that you have to use the internal IPs of real hosts in the outside ACLs. Before 8.3, you had to use the external IPs for your mapped hosts.
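To make the two-section point concrete, here is a small Python model of how an 8.3 ASA orders and evaluates NAT rules. It is an added illustration written for this thread, not Cisco code and not a full emulation: it ignores interfaces, ports and dynamic-pool state, and it assumes the Section 2 ordering Cisco documents for object NAT (static before dynamic, then fewer real addresses first, then lowest real IP, then object name). The rule set and the destination addresses are constructed from the examples posted in this thread; the labels LAN-to-VPN-POOL-no-nat and outside-interface-PAT are descriptive names, not ASA identifiers.

```python
"""Toy model of ASA 8.3 NAT rule ordering (added illustration, not ASA code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class NatRule:
    name: str                      # object name or a descriptive label
    section: int                   # 1 = manual (twice NAT), 2 = auto (object NAT), 3 = manual "after-auto"
    real_src: str                  # real (pre-translation) source network, CIDR
    real_dst: str = "0.0.0.0/0"    # destination the rule applies to; "any" unless the rule says otherwise
    mapped_src: str = "identity"   # "identity" keeps the real address (the 8.3 form of the old nat 0)
    static: bool = True            # static vs dynamic; affects ordering inside section 2 only
    line: int = 0                  # configuration order; only meaningful in sections 1 and 3


def section2_key(rule: NatRule):
    """Auto-NAT rules are not kept in configuration order. The ASA sorts them:
    static before dynamic, then fewer real addresses first (more specific wins),
    then lowest real IP, then object name."""
    net = IPv4Network(rule.real_src)
    return (not rule.static, net.num_addresses, int(net.network_address), rule.name)


def ordered(rules):
    """Rules in the order the ASA evaluates them: section 1, then 2, then 3."""
    s1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.line)
    s2 = sorted((r for r in rules if r.section == 2), key=section2_key)
    s3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.line)
    return s1 + s2 + s3


def lookup(rules, src: str, dst: str):
    """First matching rule wins. Returns (rule name, mapped source) or (None, src)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for rule in ordered(rules):
        if s in IPv4Network(rule.real_src) and d in IPv4Network(rule.real_dst):
            mapped = src if rule.mapped_src == "identity" else rule.mapped_src
            return rule.name, mapped
    return None, src          # nothing matched: the packet leaves untranslated


def show_nat(rules):
    """Roughly what 'show nat' gives you: one line per rule in evaluation order."""
    return [f"section {r.section}: {r.name} {r.real_src} -> {r.mapped_src}" for r in ordered(rules)]


# Constructed rule set modelled on the thread's examples. obj-any is deliberately
# listed before the more specific obj-10.10.100.1; in section 2 that order is irrelevant.
RULES = [
    # nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
    NatRule("LAN-to-VPN-POOL-no-nat", 1, "10.10.100.0/24", "172.16.100.0/24", "identity", line=1),
    # object network obj-any / nat (inside,outside) dynamic interface
    NatRule("obj-any", 2, "0.0.0.0/0", mapped_src="outside-interface-PAT", static=False),
    # object network obj-10.10.100.1 / nat (inside,outside) static obj-65.65.65.1
    NatRule("obj-10.10.100.1", 2, "10.10.100.1/32", mapped_src="65.65.65.1"),
]

if __name__ == "__main__":
    for line in show_nat(RULES):
        print(line)
    # 203.0.113.9 is a constructed Internet destination (TEST-NET-3 documentation range)
    print(lookup(RULES, "10.10.100.1", "172.16.100.5"))   # identity: VPN traffic keeps 10.10.100.1
    print(lookup(RULES, "10.10.100.1", "203.0.113.9"))    # static wins over obj-any despite config order
    print(lookup(RULES, "10.10.100.50", "203.0.113.9"))   # everything else PATs behind the interface
```

The three lookups are the checks a packet-tracer run would give you: the manual identity rule in section 1 shields the VPN pool from every auto rule, and within section 2 the one-host static beats the any-subnet dynamic rule no matter which object was configured first.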

Thanks for the quick tip, Roman.

So how does PAT work on the new code? Sorry, I haven't loaded the new code on my lab ASA yet (need to upgrade flash).

Below are the most common configs we use on our clients' ASAs.

old config:

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

New Config:

??

And what about Static PAT ?

old config:

static (inside,outside) 65.65.65.1 10.10.100.1 netmask 255.255.255.255
access-list aclout permit tcp any host 65.65.65.1 eq 80
access-group aclout in int outside

New config:

?? So is the static command completely removed in 8.3x ??

NAT Exempt (Nat ID 0)

old config:

nat (inside) 0 access-list nonat

New config:

?? Please advise ??

This could help you: https://supportforums.cisco.com/docs/DOC-9129

old config:

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

new config, manual dynamic nat:

nat (inside,outside) source dynamic any interface

OR auto dynamic nat:

object network obj-any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

Same result, different commands.

old config (your example is not static pat, it's static nat):

static (inside,outside) 65.65.65.1 10.10.100.1 netmask 255.255.255.255
access-list aclout permit tcp any host 65.65.65.1 eq 80
access-group aclout in int outside

new config, manual static nat (this is not pat, your example is NOT pat):

object network obj-65.65.65.1
 host 65.65.65.1
object network obj-10.10.100.1
 host 10.10.100.1
nat (inside,outside) source static obj-10.10.100.1 obj-65.65.65.1
access-list aclout permit tcp any host 10.10.100.1 eq 80
access-group aclout in int outside

OR auto static nat (this is not pat):

object network obj-65.65.65.1
 host 65.65.65.1
object network obj-10.10.100.1
 host 10.10.100.1
 nat (inside,outside) static obj-65.65.65.1
access-list aclout permit tcp any host 10.10.100.1 eq 80
access-group aclout in int outside

If you were doing static pat, it would look like this:

new config, manual static pat:

object service obj-port-80
 service tcp source eq 80
object network obj-65.65.65.1
 host 65.65.65.1
object network obj-10.10.100.1
 host 10.10.100.1
nat (inside,outside) source static obj-10.10.100.1 obj-65.65.65.1 service obj-port-80 obj-port-80
access-list aclout permit tcp any host 10.10.100.1 eq 80
access-group aclout in int outside

OR auto static pat:

object network obj-65.65.65.1
 host 65.65.65.1
object network obj-10.10.100.1
 host 10.10.100.1
 nat (inside,outside) static obj-65.65.65.1 service tcp 80 80
access-list aclout permit tcp any host 10.10.100.1 eq 80
access-group aclout in int outside

Yes, the static and global commands are gone.

old config:

nat (inside) 0 access-list nonat

new config:

object network obj-VPN-POOL-10.0.254.0
 subnet 10.0.254.0 255.255.255.0
nat (inside,outside) source static any any destination static obj-VPN-POOL-10.0.254.0 obj-VPN-POOL-10.0.254.0 route-lookup

(the route-lookup keyword is recommended)

In this example, any traffic from inside to the 10.0.254.0/24 VPN pool will not be NATted.

Thanks a lot. That helps a lot! Now I have about 70% covered already on the new code! Thanks to you!!

And you're right, that example was for static NAT. Sorry about the typo.

Here is what I meant for static PAT with services.

old config:

static (inside,outside) tcp interface ssh 10.10.100.1 ssh netmask 255.255.255.255
access-list aclout permit tcp any interface outside eq ssh
access-group aclout in int outside

New config:

??

Hi,

New config would be

Insert anything you want for the object name. The name below is just an example for this purpose.

object network SSH-PORTFORWARD
 host 10.10.100.1
 nat (inside,outside) static interface service tcp ssh ssh
access-list aclout permit tcp any object SSH-PORTFORWARD eq ssh

Small explanation on the commands used:

  • The first line creates a new network object.
  • The second line inserts a host address into the network object.
  • The third line inserts a NAT statement that does a port forward for TCP/22/SSH from the destination/outside interface to the inside interface host 10.10.100.1.
  • The last line opens traffic to the inside host using the network object we just created. This helps, for example, in a situation where your inside host changes to another IP address. If that should happen you can just go under the "object network" configuration and issue "host x.x.x.x" and it will replace the old one. By doing this you won't have to replace any of the ACL statements, which you might have loads of.

- Jouni

Also,

Regarding the original topic.

I do agree it was a bit depressing to start learning the new format. Personally I had just gotten the feeling that I could handle about every situation with the old NAT format (well, at least the ones we need to use) and then BAM! NAT totally rewritten.

Though it does get easier when you get some practice.

Fortunately I've had plenty of practice so far. I'm in the process of migrating around 300+ old FWSM security contexts to new ASA 5585-X platforms, which gives me a lot of practice.

I also migrated a single Failover pair with around 300 NAT rules. Plenty of all different kinds of NAT configurations. And worst of all... a load of policy NATs.

If you happen to have an ASA running in multiple context mode or just have a spare/backup ASA, I suggest using them to your advantage to learn the NAT format. Personally I use either a spare ASA or one "dummy" security context on production equipment to test NAT configurations out.

I was very happy that, migrating from a FWSM running in multiple context mode to an ASA running in multiple context mode, I was now able to use the "packet-tracer" command (not possible on the FWSM), which helps a lot with confirming that your NAT configurations are correct or that your new NAT configurations don't start overriding old ones.

- Jouni

Thanks Jouni. Wow, you will be upgrading a lot of ASAs just at the right time! And yes, I have an ASA at home that has a site-to-site tunnel back to my office. I will be upgrading flash to 512 MB (ASA 5505) pretty soon so I can load the new code and try it out.

Thanks for the Static PAT config.

Is there any change on NAT Exempt (NAT ID 0) configs? We obviously use NAT ID 0 on site-to-site VPN/remote IPsec/SSL VPNs and I am wondering if the nat 0 config has changed.

old config

access-list example-split permit ip 10.10.100.0 255.255.255.0 172.16.100.0 255.255.255.0   (172.16.100.0 = vpn pool)
access-list nonat permit ip 10.10.100.0 255.255.255.0 172.16.100.0 255.255.255.0
nat (inside) 0 access-list nonat

New config:

Any changes?


Hi,

NAT0 configurations don't quite look the same when changing from 8.2 to 8.3 or 8.4.

Your NAT0 configuration for the VPN pool might look something like this:

object network VPN-POOL
 subnet 172.16.100.0 255.255.255.0
object network LAN
 subnet 10.10.100.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

The above basically does the following

  • Creates 2 "object network" objects (not the same as "object-group") which contain the VPN pool and the LAN network.
  • Creates a NAT0-type configuration between the inside and outside interfaces.
  • First of all, the NAT statement states that this is applied when traffic is between your LAN and the VPN pool.
  • It also tells that those networks stay UNCHANGED in the above-mentioned traffic (that's why both objects are inserted twice).

Please rate helpful posts.

- Jouni
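Pulling together the 8.2-to-8.3 mappings given in this thread (Roman's dynamic PAT, one-to-one static and nat 0 forms, Jouni's static PAT with a service and his NAT0 objects), here is a small Python translator for exactly those four old line shapes. It is an added example, not a Cisco tool and not a general migration utility: it recognises only the patterns asked about here, assumes `outside` as the mapped interface for the old nat 0 (which named none), emits an inline mapped address instead of a second object for the one-to-one static, and invents object names (obj-any, obj-10.10.100.1, obj-10.10.100.0_24 and a -tcp-ssh suffix) as a naming convention. The sample input is constructed from the thread's own lines.

```python
"""Translate the 8.2-style NAT lines from this thread into 8.3 object/nat syntax.
Added illustration; it covers only the four patterns discussed, not a full migration."""
import re
from ipaddress import IPv4Network

# Constructed sample input: the pre-8.3 lines the thread asks about
OLD_CONFIG = """\
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,outside) 65.65.65.1 10.10.100.1 netmask 255.255.255.255
static (inside,outside) tcp interface ssh 10.10.100.1 ssh netmask 255.255.255.255
access-list nonat permit ip 10.10.100.0 255.255.255.0 172.16.100.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
# old static PAT: static (real,mapped) proto mapped_ip mapped_port real_ip real_port netmask m
STATIC_PAT_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask (\S+)$")
# old one-to-one static: static (real,mapped) mapped_ip real_ip netmask m
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def obj_name(addr, mask):
    """Object naming convention used by this script (an assumption, not an ASA rule)."""
    if addr == "0.0.0.0" and mask == "0.0.0.0":
        return "obj-any"
    if mask == "255.255.255.255":
        return f"obj-{addr}"
    return "obj-" + IPv4Network((addr, mask)).with_prefixlen.replace("/", "_")


def net_object(name, addr, mask):
    """The 'object network' block: host for /32, subnet otherwise."""
    if mask == "255.255.255.255":
        return [f"object network {name}", f" host {addr}"]
    return [f"object network {name}", f" subnet {addr} {mask}"]


def convert(old_text, nat0_mapped_if="outside"):
    """Return the 8.3 lines. The old nat 0 named no mapped interface, so the
    caller picks one (assumed 'outside' here)."""
    lines = [l.strip() for l in old_text.splitlines() if l.strip()]
    lines = [re.sub(r" 0 0$", " 0.0.0.0 0.0.0.0", l) for l in lines]   # 'nat (inside) 1 0 0' shorthand
    globals_by_id, acls = {}, {}
    for l in lines:                      # first pass: collect what nat lines refer to
        if m := GLOBAL_RE.match(l):
            globals_by_id[m[2]] = (m[1], m[3])
        elif m := ACL_RE.match(l):
            acls.setdefault(m[1], []).append(m.groups()[1:])
    out = []
    for l in lines:                      # second pass: emit in the original order
        if m := NAT0_RE.match(l):
            real_if, acl = m.groups()
            for src, smask, dst, dmask in acls.get(acl, []):
                so, do = obj_name(src, smask), obj_name(dst, dmask)
                out += net_object(so, src, smask) + net_object(do, dst, dmask)
                out.append(f"nat ({real_if},{nat0_mapped_if}) source static {so} {so} "
                           f"destination static {do} {do} route-lookup")
        elif m := NAT_RE.match(l):
            real_if, nat_id, addr, mask = m.groups()
            mapped_if, pool = globals_by_id[nat_id]        # KeyError: nat id without a global
            name = obj_name(addr, mask)
            out += net_object(name, addr, mask)
            out.append(f" nat ({real_if},{mapped_if}) dynamic {pool}")   # 'interface' or a single IP
        elif m := STATIC_PAT_RE.match(l):
            real_if, mapped_if, proto, mapped, mport, real, rport, mask = m.groups()
            # an object carries at most one auto-NAT rule, so static PAT gets its own object
            name = f"{obj_name(real, mask)}-{proto}-{rport}"
            out += net_object(name, real, mask)
            out.append(f" nat ({real_if},{mapped_if}) static {mapped} service {proto} {rport} {mport}")
        elif m := STATIC_RE.match(l):
            real_if, mapped_if, mapped, real, mask = m.groups()
            name = obj_name(real, mask)
            out += net_object(name, real, mask)
            out.append(f" nat ({real_if},{mapped_if}) static {mapped}")
    return out


if __name__ == "__main__":
    print("\n".join(convert(OLD_CONFIG)))
```

Two things the output makes visible that the thread only hints at: every access-list that referenced the mapped address still has to be rewritten to the real address by hand (the script does not touch ACLs), and the one-to-one static and the SSH port forward for the same host land in two separate objects, because an auto-NAT object can carry only one nat statement.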

I am stumped on the NAT 0. Will have to look at it first thing in the morning when I am not tired!
