
Feature to revert 8.3 NAT configuration to pre-8.3 syntax?

paulhignutt
Level 1

I know I'm not alone in my distaste for the way that NAT configuration has changed in 8.3.  And this doesn't come from a fear of change, as is so often the case with complaints like mine.  It comes from the fact that now there are FAR more lines needed to complete a NAT configuration.  To do the very same thing in the end, it takes more than double the configuration.  With the only apparent "benefit" being the "real ip" is used everywhere in the configuration, it just does not seem worth the extra effort.

I realize that a course has been set, and therefore there is no turning back.  But it sure would be nice to have a "feature" to allow those of us not interested in reinventing the wheel to revert the NAT syntax to what it was for the previous decade plus.

I doubt this will happen, but just wanted to share my angst as someone who has worked with PIX/ASA for a very long time.  And has built a career on basically this one device.

Thoughts?

2 Replies

mirober2
Cisco Employee

Hi Paul,

There is an enhancement request filed, CSCte96293, that should help reduce the size and complexity of the 8.3 NAT configuration if/when it is implemented. The enhancement is requesting the ability to configure multiple NAT statements under a single object. Although the syntax won't change, it should significantly collapse the size of these configurations to bring them more in line with what a pre-8.3 configuration would have looked like.

Also, take a look at this post, which discusses some of the benefits the new 8.3 style brings:

https://supportforums.cisco.com/community/netpro/security/firewall/blog/2010/10/14/asa-version-83-nat--a-new-configuration-style-with-new-possibilities

Hope that helps.

-Mike

m.kafka
Level 4

Hi Paul,

the first days on 8.3 were quite challenging for me but now I appreciate the capabilities of the new syntax even if the result is a bit longer. The expression "distaste" is a bit strong.

I don't fear GUIs and their help plus the possibility to gain complete control via the CLI for verification and troubleshooting is a great advance for me. I just started to use the ASDM with the introduction of 8.3 and I find it quite good now.

That's rather a philosophical issue than a technical one.

After a quite big project I've learned to live with the new approach and find it more and more attractive - after 13 or 14 years of experience with PIX/ASA (I started with PIX version 4.1).

It's the first time we can configure NAT in an ordered list like ACLs - hooray in my opinion!

Changes can be sometimes good. Give Cisco a chance to improve and implement new concepts.

Rgds, MiKa

BTW @mirober2: I try to avoid the nat rules attached to objects, gives me a feeling of losing a bit of control (that's so Checkpointish). I rather take the resulting longer config with all the implications like a little bit of scrolling and doing a little bit of "sh run | include [some filters]".
