Agree or disagree the New NAT model in ASA?

ekonishijunior
Level 1

I know that we'll survive after this change, but what is your first impression of this new model?

In my opinion, more disadvantages than advantages.

Advantages:

  • permits positioning NAT with the "line" option

Disadvantages:

  • getting information about NAT takes more steps
  • increased difficulty in troubleshooting


Jouni Forss
VIP Alumni

Hi,

I was first against the NAT change and there are still things that are not etched in my memory.

I do agree with all the points you made.

I don't personally like the amount of configuration some NAT configurations generate. There are also a lot more things involved in determining a simple Static NAT configuration, or any other NAT for that matter (all of which, to some degree, of course depends on how you have built your configuration).

I do find, though, that the new NAT format gives some possibilities to play around with how traffic is forwarded. This either wasn't available with the older software, or I just never tried it back then. Reading these forums and testing out people's NAT setups has introduced me to some pretty special-looking implementations, and that is always a chance to learn something new and perhaps implement them in your own configurations.

Now, after several months of configuring the new (post-8.3 software) NAT configuration, I have become quite used to it. Though it naturally helps when I have to migrate around 200-250 firewalls from 8.2 to the newer software; it kinda sticks on you eventually.

I think the key is to test out the NAT setup yourself and not blindly trust the ASA to do it for you (if you are letting the ASA migrate the configuration). There are also usually minor ways to optimize the NAT configuration and make it easier to read. The key is to plan ahead and, for example, come up with a good naming policy for the ASA interfaces and object/object-group names.

Some of my tips regarding NAT would be:

  • Plan a good naming policy for both "nameif" and "object" and "object-group"
    • I prefer using IP addresses and naming the objects in CAPS, as all ASA parameters are written in lowercase in the CLI configuration. This makes the configuration easier to read.
  • Use the 3 Sections for NAT to group your NAT configurations
    • Section 1 for the special "Policy NAT" and "NAT0" type configurations
    • Section 2 for the Static NAT and Static PAT
    • Section 3 for all your default NAT and PAT rules where the traffic should hit as the last resort
  • Don't use the "any" keyword/parameter in your NAT configuration if possible. This can cause some problems in the long run.

Might add something more, but those are the ones that come to mind fast.

- Jouni
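An added configuration example, not from the original post or from Cisco, that lays out the three post-8.3 NAT sections and the naming policy the reply describes; all addresses, interface names and object names are constructed:

```cisco
! Added example (constructed addresses and object names), not from the post.
! Objects named in CAPS with the IP in the name, so they stand out against
! the lowercase ASA keywords when reading the running configuration.
object network LAN-10.10.10.0-24
 subnet 10.10.10.0 255.255.255.0
object network SERVER-10.10.10.50
 host 10.10.10.50
object network PUBLIC-198.51.100.50
 host 198.51.100.50
object network WEB-10.10.10.80
 host 10.10.10.80
object network PUBLIC-198.51.100.80
 host 198.51.100.80
object network REMOTE-LAN-10.20.20.0-24
 subnet 10.20.20.0 255.255.255.0
!
! Section 1: manual (twice) NAT, evaluated first.
! NAT0 / identity NAT so site-to-site VPN traffic keeps its real addresses.
nat (inside,outside) source static LAN-10.10.10.0-24 LAN-10.10.10.0-24 destination static REMOTE-LAN-10.20.20.0-24 REMOTE-LAN-10.20.20.0-24 no-proxy-arp route-lookup
!
! Section 2: object (auto) NAT, evaluated after section 1.
! Static NAT for one server, static PAT (TCP/80 only) for the web server.
object network SERVER-10.10.10.50
 nat (inside,outside) static PUBLIC-198.51.100.50
object network WEB-10.10.10.80
 nat (inside,outside) static PUBLIC-198.51.100.80 service tcp www www
!
! Section 3: manual NAT with after-auto, evaluated last (the "last resort").
! Default dynamic PAT for the LAN, using a specific object rather than "any".
nat (inside,outside) after-auto source dynamic LAN-10.10.10.0-24 interface
!
! Verify by hand instead of trusting the migration: "show nat" lists the
! rules by section with hit counts, and packet-tracer shows which rule a
! given flow matches, e.g.
!   packet-tracer input inside tcp 10.10.10.10 12345 10.20.20.10 80
```

With this layout the VPN identity rule is matched before the default PAT, and the web server only has TCP/80 exposed rather than every port.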
