on 06-15-2010 06:48 AM
Reference document for NAT exemption (known as "nonat" or "nat 0" in releases before 8.3) for a basic L2L or basic RA VPN setup on ASA 8.3 and later.
L2L Example
Topology:
192.168.1.0/24 inside(ASA1)outside ===VPN=== outside(ASA2)inside 192.168.2.0/24
If you were configuring the NAT exemption on ASA1 for this L2L tunnel, it would look like this:
object network obj-local
subnet 192.168.1.0 255.255.255.0
object network obj-remote
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote
This is an identity twice NAT rule: traffic from 192.168.1.0/24 to 192.168.2.0/24 is translated to itself in both directions, so it bypasses any dynamic PAT rules further down and enters the tunnel with its real addresses, which is what the crypto ACL matches on.
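As an added example (not part of the original document), here is the matching configuration on ASA2 for the same tunnel, followed by what the same exemption looked like on ASA2 in 8.2 and earlier for comparison. The interface names, object names and the ACL name are assumptions.

```text
! ASA2, 8.3 and later: identity twice NAT for the L2L tunnel (mirror of ASA1).
! Object and interface names are assumed for this example.
object network obj-local
 subnet 192.168.2.0 255.255.255.0
object network obj-remote
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

! ASA2, 8.2 and earlier: the equivalent NAT exemption (nat 0 with an ACL).
! ACL name "nonat" is an assumption.
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
```

On both sides the exemption must cover exactly the real subnets named in the crypto ACL; if the exemption is narrower, or sits below a dynamic PAT rule that also matches the traffic, the packets are PATed to the outside address, never match the crypto ACL, and the tunnel does not come up for that traffic.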
RA Example
Topology:
192.168.3.0/24 (vpnclient pool) ===VPN===outside(ASA1)inside 192.168.1.0/24
If you were configuring the NAT exemption on ASA1 for this RA tunnel, it would look like this:
object network obj-vpnpool
subnet 192.168.3.0 255.255.255.0
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool
Note: because of bug CSCtf89372, I put the "1" in the commands above so that the NAT exemption is inserted as line 1, at the top of all my NAT statements, and is matched before any other rule.
Using Management-access Inside
In all the cases above, when you convert a pre-8.3 nat 0 command to 8.3 syntax you will notice that the NAT exemption becomes a static identity NAT. Just like in pre-8.3 code, a post-8.3 static NAT does not do a route lookup for an ingress packet; instead it forcibly places the packet on the egress interface named in the nat command. If you use packet-tracer you will see something like this:
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj_RDP
nat (inside,outside) static interface service tcp 3389 3389
Additional Information:
NAT divert to egress interface inside
Untranslate 64.102.156.87/3389 to 192.168.1.5/3389
Notice the "NAT divert" line: it means the ASA skipped the route lookup for the address you are trying to reach and used the NAT statement to decide where to send the packet. Sometimes that is a good thing and can be used for various tricks (see "Loadbalancing DUAL ISP on ASA"). Unfortunately, if you are using the VPN to manage the firewall, you do not want packets destined to the ASA itself to be NAT-diverted out some interface. You want those packets to be processed by the ASA itself, so in these situations configure the nat command as:
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool route-lookup
The route-lookup keyword makes the ASA consult its routing table instead of blindly placing the packet on the interface named in the nat command.
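As an added example (not from the original document), here is a complete RA exemption for the topology above where the VPN client pool also has to reach the ASA's inside interface address for management. The interface name, the object name and the ssh line are assumptions; the two nat lines show the diverting form beside the corrected one.

```text
! Allow VPN clients to manage the ASA via its inside interface address.
! Interface name and the SSH source range are assumed for this example.
management-access inside
ssh 192.168.3.0 255.255.255.0 inside

object network obj-vpnpool
 subnet 192.168.3.0 255.255.255.0

! Diverting form (commented out): the identity rule forces everything from the
! client pool out the inside interface, including packets addressed to the
! ASA's own inside IP, which therefore never reach the management-access path.
! nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool

! Corrected form: with route-lookup the ASA consults its routing table, so
! traffic to its own inside address is handled by the ASA itself while traffic
! to 192.168.1.0/24 still reaches the inside network untranslated.
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool route-lookup
```

After applying the rule, re-run packet-tracer for a flow from the client pool to an inside host and for one to the inside interface address, and check the UN-NAT phase's "Additional Information" lines: the rule must still match both flows, and the packet addressed to the ASA must no longer be diverted out an interface.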
Argh. What software engineer working on ASA 8.3 decided that this was the best way to do this? How is a configuration directive to NAT an object back to its original IP address in any way more intuitive than a configuration directive to simply not NAT traffic clearly defined by an access list? It's ugly and confusing, so two thumbs down on this design decision.
In case it's not clear to others upon glancing at this comment, I just want to point out that this comment seems to be directed at the design changes in general for NAT in 8.3 as a whole rather than an assault on this particular document's explanation.
You are right, the explanation is fine... it's the design changes for NAT in 8.3 that are so bad I'm at a loss for words.
Just a correction here regarding the syntax ("source" keyword after "destination" is not required):
nat (inside,outside) 1 source static obj-local obj-local destination source static obj-remote obj-remote
Thanks for spotting the typo, I have corrected this.
As a 16 year firewall veteran in his 13th year of full time PIX/ASA support I can say without equivocation that this NAT change is about the most boneheaded move I've ever seen Cisco make. If they're trying to kill ASA sales, it's a good step in the right direction. One of our more cynical engineers says it's just a ploy to generate more training dollars.
You can be sure that we are not sending 10 experienced ASA engineers to training just to learn the new NAT. But we will spend the morning reverting to 8.2.
Kirby, you old git, you're stuck in your old ways. ;-) (BTW, this is a joke, mate - there can't be many people who have honestly worked on F/Ws for 16 years; I take my hat off to you).
Have a play - it's not too bad, I'm sure in a while you will like it more than the old way.
I'm sure that the new ASA card for the 65ks will only have this type of code, so get to know it if you want to make it to 20 years in the game. :-)
You certainly got the old and gitty part right. =)
Ya, I was surprised myself when I counted the # of years back to 1996. Certainly don't want to do firewalls for 20 more years, but if the pay is right I guess...
Anyway, I've come to terms with the new syntax. Turns out my biggest gripe was due to a bug that should get exorcised in the next point release, according to TAC anyway (apparently someone put "&&" in an if..then instead of "||"). Still not real keen on trying to get my tech staff to remember two ways of doing it, since it's hard enough to get them to do it the old way right anyway. Maybe there's an opportunity in there for me or something.
Although the jury's still out on whether or not I like the change, I still stand by my opinion that such a change should have come in 9.0, not snuck into 8.3. Oh well.
That's the spirit, mate :-) I quite like some new changes brought into configs; it gets the old brain going and really separates the men from the boys. Although it's a lot more code, I am sure it will have its benefits, as it seems more granular.
I agree with the numbering, it should have occurred in 9, but I'm sure that marketing was involved somewhere..
I'm so into the new NAT that I've developed a little ditty that I sing to myself when performing configuration. If you want to join in, it's sung to Run-D.M.C.'s "King of Rock"...
I'm the king of NAT, there is none higher
ASA 8.3 is what I desire
TAC Security show boys should call me sire
I won't stop NAT'in till I retire
Nat "King" Golly
:-)
I have gotta say this was a huge headache when I first saw it and tried to work on it (4 hours trying to do a site-to-site configuration that should have taken me 20 minutes!), but I actually like it better than the earlier versions of IOS. It almost looks like an object-oriented version of coding with the object groups and such. So in theory you only have to change the objects rather than the code bound to the objects in the access lists etc. I say stick to it and soon you will see that it is just as easy and just as logical as the earlier versions. (Just a pain in the ass during the learning process.) Oh, and @Kirby, don't send your employees for training; it's annoying to learn, but there are tons of resources out there, which I am sure you have seen most of, so I say the training would be unnecessary.
Thanks for all the feedback. I wanted to point out that this document was just made for a quick reference. I recommend also checking out this video presentation of the 8.3 NAT features which methodically explains this new feature (it may even work for some of your training purposes).
Please refer to "ASA Version 8.3 NAT Configuration By: Jay Johnston"
Brilliant, love the song. You should record a video of yourself singing it and see if Cisco will post it!
Dave
I did offer to record it, but I couldn't come to a deal when Jay Johnson and David White did their "guest rap" half way through, they wanted $50k for 1/2 a day's work...
;-)
Removed - I upgraded to 8.3, and added the "no nat/nat 0" rule.
You should post this as a question in the forum rather than as feedback on this document.