05-08-2012 06:12 AM - edited 03-11-2019 04:03 PM
Hi all,
Over the last couple days I've been experimenting with the new NAT config with version 8.4(2), and I've got a couple questions.
For example:
My production ASA is running on version 8.2(3) and has the following config:
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) tcp interface 3390 192.168.0.2 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 192.168.0.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 80 192.168.0.1 80 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.0.1 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.0.1 443 netmask 255.255.255.255
etc
To get the same result on the newer 8.4 version, I now have to use the following config:
object network 192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network 192.168.0.2-01
host 192.168.0.2
object network 192.168.0.3-01
host 192.168.0.3
object network 192.168.0.1-01
host 192.168.0.1
object network 192.168.0.1-02
host 192.168.0.1
object network 192.168.0.1-03
host 192.168.0.1
object network 192.168.0.1-04
host 192.168.0.1
!
object network 192.168.0.0
nat (inside,outside) dynamic interface
object network 192.168.0.2-01
nat (inside,outside) static interface service tcp 3390 3389
object network 192.168.0.3-01
nat (inside,outside) static interface service tcp 3391 3389
object network 192.168.0.1-01
nat (inside,outside) static interface service tcp 3389 3389
object network 192.168.0.1-02
nat (inside,outside) static interface service tcp 80 80
object network 192.168.0.1-03
nat (inside,outside) static interface service tcp 8080 8080
object network 192.168.0.1-04
nat (inside,outside) static interface service tcp 443 443
etc
So instead of 8 lines of configuration, I'm already over 30 lines, right?
Questions:
Is this the right way of configuring?
If not, what is the right way?
If so:
Why is Cisco making it this complicated?
What are the benefits of this new way of configuring?
Tnx in advance!
Kind regards,
Niels.
05-08-2012 09:29 AM
Hi Niels,
The config for 8.4 is correct; yes, it would create those lines. The 8.4 NAT is object-based NAT, in which you create object networks for the hosts and subnets which you want to NAT. The 8.2 NAT used to be a bit syntax-based NAT commands, but I find 8.4 purely logical NAT statements rather than syntactical.
Moreover, the concept of nat-control has been deprecated, so your NATs don't purely depend upon security levels.
A few more things that I find good are:
The access-list contains the post-NATted IPs for the servers or machines that you want to access, which means that if you somehow have to change the NATted or public IP for a server, you don't need to change the ACLs; you just need to make the change in the object network for that IP.
You were not able to translate both the source and the destination in one single NAT statement; now, post 8.3, you can do that simply, so it saves you the config lines there.
Here is a doc that might be helpful:
https://supportforums.cisco.com/docs/DOC-9129#comment-3934
Thanks,
Varun
05-08-2012 09:39 AM
Niels,
Yes and no, well basically you pass from this:
static (inside,outside) tcp interface 3390 192.168.0.2 3389 netmask 255.255.255.255
To this:
object network 192.168.0.2-01
host 192.168.0.2
nat (inside,outside) static interface service tcp 3390 3389
So from 1 line you go to 3. Well, while it does make the configuration a bit larger, there are many advantages, such as the NAT sections, where you can accommodate the NATs in the order that you want. The order of operation in 8.2 was somewhat complicated for users to understand, and if they wanted to change or move static translations, they had to remove lines and re-add them, and sometimes it caused networks to go down.
On the other hand, once you have the objects created, you can allocate your NAT configurations and re-use them any time you want, and so on.
At first, I didn't quite like it, but once you get used to it, it's easier to troubleshoot when a problem comes up.
Mike
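Mike's one-line-to-three mapping and the full 8.2 config in Niels's post follow a mechanical pattern, so here is an added Python script (mine, not from the thread or from Cisco) that performs that conversion over the post's 8.2 lines, numbering the objects per host the way Niels did. It assumes only the `interface` PAT forms shown in the post, and it emits the 8.4 `service` ports in the real-port-then-mapped-port order that keyword expects.

```python
import re
from collections import defaultdict

# Constructed sample: the 8.2(3) lines from the original post.
ASA_82 = """\
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) tcp interface 3390 192.168.0.2 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 192.168.0.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 80 192.168.0.1 80 netmask 255.255.255.255
"""

# 8.2 'static' port forward: mapped port comes BEFORE the real host/port.
STATIC_RE = re.compile(
    r"static \((\w+),(\w+)\) (tcp|udp) interface (\d+) (\S+) (\d+) netmask \S+")
NAT_RE = re.compile(r"nat \((\w+)\) (\d+) (\S+) (\S+)")          # dynamic NAT pool member
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) interface")       # nat-id -> mapped interface


def convert_82_to_84(config: str) -> list:
    """Return the equivalent 8.4 object-NAT lines, one object per 8.2 entry."""
    mapped_ifc_for = {}          # nat id -> mapped interface, from 'global'
    dynamics, statics = [], []   # (nat_id, real_ifc, subnet, mask) / 8.4 lines
    seen = defaultdict(int)      # per-host counter for the -01, -02 object suffixes
    for line in config.splitlines():
        if m := GLOBAL_RE.match(line):
            mapped_ifc_for[m[2]] = m[1]
        elif m := NAT_RE.match(line):
            dynamics.append((m[2], m[1], m[3], m[4]))
        elif m := STATIC_RE.match(line):
            real_ifc, mapped_ifc, proto, mapped_port, host, real_port = m.groups()
            seen[host] += 1
            name = f"{host}-{seen[host]:02d}"
            # 8.4 'service' keyword takes the REAL port first, then the MAPPED port.
            statics += [f"object network {name}", f" host {host}",
                        f" nat ({real_ifc},{mapped_ifc}) static interface"
                        f" service {proto} {real_port} {mapped_port}"]
    head = []
    for nat_id, real_ifc, subnet, mask in dynamics:   # dynamic PAT to the interface
        head += [f"object network {subnet}", f" subnet {subnet} {mask}",
                 f" nat ({real_ifc},{mapped_ifc_for[nat_id]}) dynamic interface"]
    return head + statics


if __name__ == "__main__":
    print("\n".join(convert_82_to_84(ASA_82)))
```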
06-15-2012 05:54 AM
Hi all,
I've been experimenting with 8.4.x and I have to say it does have some advantages.
So I think we are going to use it in our customers' firewalls.
Tnx for the replies guys!
Kind regards,
Niels.