If you have worked with a stateful firewall (even another vendor's product), you are probably familiar with the construction logic of ACLs, and it is not that difficult to move from one model to another. Network Address Translation (NAT) philosophy, on the other hand, is usually much more product-specific.
I will not reopen here the discussion about whether NAT is a security feature because, irrespective of our opinions on the topic, NAT is employed in most security deployments as a companion feature (one that plays an important role, at least regarding connectivity).
The NAT model has significantly changed throughout the history of the Cisco Adaptive Security Algorithm (ASA) software, as summarized below:
Before release 7.0 (PIX product line) the only available option was the "nat-control" model. Under this model you must give an explicit answer regarding NAT for every flow, even when you do not want the firewall to perform address translation.
From 7.0 to 8.2, the default operation mode is no nat-control, meaning that NAT is no longer mandatory. If the intention is to restore the pre-7.0 behavior, you can still issue the nat-control command.
Starting with ASA release 8.3, the NAT model was completely redesigned; for instance, there is no concept of nat-control anymore. The good news is that the new syntax is closer to other vendors' implementations and that the concurrent translation of source and destination addresses (Dual NAT) is much easier to handle. Moreover, you now have much more control over the order in which translation rules are processed.
Having read this quick post, you might be asking:
- Why worry about the new model?
The answer is simple: if you are using a pre-8.3 ASA release and need new features that were added in 8.3 (or later), you will need to understand the newest NAT model (and convert the rules accordingly). There is no way of migrating to 8.3 or higher while keeping the legacy syntax.
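To make the conversion concrete, here is an added illustration of my own (not configuration from the original post or from the series it introduces): the same three NAT intents written first under the legacy nat-control model and then in the 8.3 model. Interface names (inside, outside, dmz), addresses and object names are assumed.

```cisco
! ---- Pre-8.3 (nat-control): every flow needs an explicit NAT decision ----
nat-control
! Even "do not translate" must be declared: identity NAT via nat 0 + ACL
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Dynamic PAT for the inside network going to the Internet
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface
! Static one-to-one NAT for a published server (mapped address comes first)
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! ---- 8.3 and later: object-based NAT, the nat-control command no longer exists ----
! Real and mapped addresses are defined once as network objects.
object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
object network DMZ-NET
 subnet 192.168.50.0 255.255.255.0
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
! Dual (twice) NAT names source and destination in a single rule and, as a
! manual rule in NAT section 1, is evaluated before the object rules above.
! It carries over the identity intent of the nat 0 ACL; in 8.3 a flow that
! matches no rule simply passes untranslated, so this is about rule ordering.
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-NET DMZ-NET
```

One caveat that belongs with the conversion: from 8.3 onward, interface access lists match the real (untranslated) address, so an ACL that permitted traffic to 203.0.113.10 must be rewritten to reference 10.1.1.10.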
To help you handle this important aspect of ASA deployment, I produced the series of quick articles shown below. Good reading!