NAT Evolution within Cisco ASA Software

[ “There is nothing permanent except change” – Heraclitus ]

Given that Network Address Translation (NAT) is a baseline functionality on most firewall implementations, it is really critical to understand NAT behavior (on your particular release) before you start configuring access control rules. To help you in this task, the current post briefly reviews how the NAT philosophy has changed through the history of Cisco Adaptive Security Algorithm (ASA) software.

  1. Before release 7.0 (PIX product line) the only available option was the “nat-control” model. When this model is in place, you are supposed to provide an explicit answer regarding the use of NAT (even when you do not want the firewall to perform address translation).
  2. From 7.0 to 8.2, the default operation mode is no nat-control, meaning that NAT  is not mandatory anymore. If the intention is to restore the pre-7.0 behavior, you can still issue the nat-control command.
  3. Starting on ASA 8.3 release the NAT model was completely redesigned. The most significant changes are listed below:
  • There is no concept of nat-control anymore. NAT is simply an optional feature.
  • 8.3 and newer releases employ a brand new NAT syntax.
  • NAT table is now divided in 03 sections, thus allowing a better control of NAT precedence rules. These 03 sections (and their main characteristics) are illustrated in the figure.
  • Dual NAT rules (those that translate both source and destination simultaneously) are now defined as a single statement.
  • When NAT is in place, Access Control Entries (ACEs) refer to the Real Address (as opposed to previous models which considered the translated address). This is a very important difference to be aware of before you migrate to 8.3 and beyond.

The Unified NAT table introduced by ASA 8.3

It is important to emphasize that if you are using a pre-8.3 ASA release, and need new features that were added on 8.3 (or later), you will need to understand the newest NAT model (and convert the rules accordingly). On the other hand, if you have a brand new appliance, it is advisable to start with 8.3 (or 8.4) so that you avoid migrating NAT rules later…

More posts on this topic, presenting practical configuration (and conversion) examples, will come soon. Stay tuned !

** Related Posts:

4 Comments

Filed under English, Firewalls, Security

4 responses to “NAT Evolution within Cisco ASA Software

  1. Nice! Looking forward to more posts on this subject. In our organization we’re upgrading from 8.2 to 8.4(2) on more than 100 ASAs in HA. At the moment I’m not finding the new NAT statements that user-friendly.😀 Anyway, will get used to it eventually.

    • Hi Shoaib,
      The first important thing is to understand the sections in the Unified NAT table. I will provide a series of examples
      covering the various categories of translation (static, dynamic, policy NAT, etc). My basic idea is to build simple scenarios
      (that you can reproduce) contrasting the two forms of getting the job done (pre and post8-3).

      Hope it helps,
      Alexandre

  2. Would love to have that kind of a comparison. Can always refer it when required.🙂

    • Hi Shoaib,
      I’ll do my best to provide useful information here. Please refer to https://alexandremspmoraes.wordpress.com/tag/nat/ for more posts pertaining to NAT.
      If you want to understand the various categories of NAT, their applications and the precedence rules that characterize the releases before 8.3, please consult Chapter 08 (Through ASA using NAT) of the Cisco Firewalls title.
      For extra information on the new ASA NAT model (post 8.3),my advice is to read the Appendix (NAT and ACL Changes in ASA 8.3) of the Cisco Firewalls book.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s