ASA 8.3/8.4 NAT - Is it required configuration?

JOSH GANT · ‎06-13-2011

I have a pre-8.3 firewall configuration I am converting to 8.4. The original configuration had "nat 0" covering all packets that traversed it.

Can I just assign routes and acls to this configuration and expect that the traffic will traverse the ASA or is it REQUIRED that I create fake NATs? Would this work:

object network EVERYTHING

subnet 0.0.0.0 0.0.0.0

nat (inside,outside) static EVERYTHING EVERYTHING destination static EVERYTHING EVERYTHING

There are a million (not really) "nat 0" statements in this ASA and in reality it simply isn't NATing anything. Help me simplify my 8.4 config.

- Josh

Shrikant Sundaresh · ‎06-13-2011

Hi Josh,

You can ignore the "nat 0" statements as long as no other conflicting NAT rules are configured.

Example: if you have interface PAT configured; and "nat 0" was used for VPN traffic, then those "nat 0" rules will still need to be configured, for VPN to work.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

JOSH GANT · ‎06-13-2011

Do I need to define the (fake) NAT I listed above in order for the 8.4 ASA to route or will it route by default without any NAT configuration?

This ASA is basically acting as a router with ACLs. No VPN and no NAT at all.

mile.ljepojevic · ‎06-13-2011

Then just do not configure NAT at all and you will be fine.

JOSH GANT · ‎06-13-2011

That was what I was looking for. The latest config guide is not clear on this however.

mile.ljepojevic · ‎06-13-2011

I should be able to try at tonight, but as I recall, if there is no nat configured, it will not be done automaticaly.

Let me run in through our lab, and I will let you know.

Jouni Forss · ‎06-14-2011

Hi,

While we on the subject I would like to ask a question about a similiar situation regarding 8.3 -> NAT configurations.

One customer has a Failover pair ASAs protecting the whole network and also has a failover pair of ASAs protecting a separate part of their network (Behind the first failover pair).

The second failover pair doesnt require NAT for traffic between its outside and inside interfaces.

Now if we would consider the following change to the situation:

We do 1:1 static NAT on the main firewalls towards the outside address of the other primary ASA handling the separate part of the inside network. After this we configure simple VPN Client to the Failover ASA pair separating the inside network.

Will that setup still require a NAT configuration for the VPN Client pool even though the ASA can see the VPN pool network while hosts are connected in its routing table just like any of the other networks that are routed manually from the ASA itself?

If it does require some form of NAT0/NONAT/NAT Exempt for the VPN pool, why is this? (Basicly I've been told this is the case even though I havent had the chance to test it yet myself) Whats the difference with the staticly routed networks and the VPN pool network the ASA sees while the some VPN users is connected?

This has been one thing on my mind as I'm getting used to the new NAT configuration format.

- Jouni

praprama · ‎06-29-2011

Hi Jouni,

Not sure if you have found your answer to this. Based on your description, i understand you have 2 sets of ASAs like below:

LAN------ASA1-----------ASA2-------------Internet-------------VPN clients

Assume ASA1 and ASA2 represent the 2 failover pairs you are referring to.

You are going to configure a 1:1 static NAT on ASA2 for ASA1's outside interface address while on ASA1, there is going to be no NAT at all. If the above is the case, then there is no need for any kind of NAT exemption on ASA1 or on ASA2 for the VPN client pool.

Hope this helps!

Regards,

Prapanch