In our series of articles about ASA NAT, we mentioned that version 8.3 introduced a completely new model for address translation. The main characteristics of this new philosophy are summarized below:
- NAT is not mandatory anymore (as opposed to the nat-control model).
- The NAT table is organized in three distinct sections: one for auto-NAT (object NAT) and two for manual NAT (also called twice NAT).
- Translation rules that involve source and destination simultaneously are now defined in a single nat statement (using a manual NAT rule). These are the cases of Dual NAT and all the variants of Policy NAT.
- Starting on version 8.3, the Access Control Entries (ACEs) refer to the Real IP Address of the host and not to the translated address.
The figure shows a practical example of an ASA Unified NAT Table that contains rules in each of the three sections. Remember that:
- Object NAT Rules are inserted into section 2
- By default, manual NAT rules are created within section 1. If you want to insert a nat statement into section 3 you will need to use the after-auto parameter.
- The sections in the NAT table are processed in order.
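As an added example (not the configuration behind the post's figure), the following ASA 8.3+ snippet places one rule in each of the three sections; object names and the RFC 1918 / RFC 5737 addresses are constructed for illustration.

```cisco
! Constructed example: object names and addresses are assumptions, not from the post.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
object network INSIDE-NET-MAPPED
 subnet 192.168.100.0 255.255.255.0
object network PARTNER-NET
 subnet 172.16.50.0 255.255.255.0
!
! Section 1 (manual NAT, the default position): dual NAT. The source is
! translated only when the destination is the partner network, and the
! destination is left unchanged (PARTNER-NET mapped to itself).
nat (inside,outside) source static INSIDE-NET INSIDE-NET-MAPPED destination static PARTNER-NET PARTNER-NET
!
! Section 2 (auto/object NAT): static translation for a single server.
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
!
! Section 3 (manual NAT placed after the auto-NAT section with after-auto):
! catch-all PAT to the outside interface address for everything else.
nat (inside,outside) after-auto source dynamic INSIDE-NET interface
!
! Sections are evaluated in order (1, then 2, then 3), so traffic to the
! partner network is matched in section 1 before the PAT rule in section 3.
!
! Since 8.3 the ACE refers to the real address of the server (10.1.1.10 via
! the WEB-SERVER object), not to the mapped address 203.0.113.10.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq www
access-group OUTSIDE-IN in interface outside
```

Use `show nat` on the ASA to confirm which section each rule landed in and to read the per-rule translate/untranslate hit counters.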
** Topics for Study:
- By reviewing previous posts in the NAT Series, can you build the translation rules that produced the table shown in the figure?
- nat command (complete syntax options for the object NAT configuration) http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/no.html#wp1778544
- nat command (complete syntax options for manual NAT) http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/no.html#wp1792563
Nicely summarized! And the way you write is amazing. Short and sweet. 🙂
I just blogged about the same topic recently. 😀 (I’m in the initial phase of blogging, so there is still a long way to go.)