Showing results for 
Search instead for 
Did you mean: 

A series of posts on ASA NAT (before and after version 8.3)


If you have worked with a stateful firewall (even other vendors's products), you are probably familiar with the construction logic of ACLs and it's not that difficult to move from a certain model to another. Network Address Translation (NAT) philosophy, on the other hand, is normally much more product-specific.

I will not start here those discussions about whether or not NAT is a security feature because, irrespectively of our opinions on the topic, NAT is frequently employed on most security deployments as a companion feature (that plays an important role, at least regarding connectivity).

The NAT model has significantly changed throughout the history of the Cisco Adaptive Security Algorithm (ASA) software, as summarized below:

  • Before release 7.0 (PIX product line) the only available option was the ”nat-control” model. When this model is in place, you are supposed to provide an explicit answer regarding the use of NAT (even when you do not want the firewall to perform address translation).
  • From 7.0 to 8.2, the default operation mode is no nat-control, meaning that NAT is not mandatory anymore. If the intention is to restore the pre-7.0 behavior, you can still issue the nat-control command.
  • Starting on ASA 8.3 release the NAT model was completely redesigned and, for instance, there is no concept of nat-control anymore. Among the good news, though, are the facts that the new syntax is more similar to other vendors' implementation and that you can more easily handle the concurrent translation of source and destination addresses (Dual NAT). Moreover, you now have much more control regarding the order in which translation rules are processed.

Having read this quick post, you might be asking:

- Why worry about the new model ?

The answer is simple: if you are using a pre-8.3 ASA release and need new features that were added on 8.3 (or later), you will need to understand the newest NAT model (and convert the rules accordingly). There is no way of migrating to 8.3 or higher and keep using the legacy syntax.

To help you handle this important aspect of ASA deployment, I produced the series of quick articles shown below. Good Reading !

NAT Evolution within Cisco ASA Software

Where’s my Static ? A basic example of the NAT model introduced in Cisco ASA 8.3

Dynamic NAT on ASA: before and after release 8.3

Configuring Dynamic Policy PAT on ASA: current and legacy models

Handling dual NAT on ASA: concurrent translation of source and destination addresses

Dealing with Identity NAT on ASA: pre and post 8.3 configuration models

An example of the Unified NAT Table on Cisco ASA

Migrating to ASA 8.3, 8.4 or higher ? Don’t rely blindly on the automatic NAT migration script

The author's blog may be a source of useful information about Security and Networking topics:

* The new posts are announced on twitter: @alexandre_mspm