[ “There is nothing permanent except change” – Heraclitus ]
Given that Network Address Translation (NAT) is a baseline feature of most firewall implementations, it is critical to understand NAT behavior (on your particular release) before you start configuring access control rules. To help with this task, the current post briefly reviews how the NAT philosophy has changed through the history of Cisco Adaptive Security Algorithm (ASA) software.
- Before release 7.0 (PIX product line), the only available option was the “nat-control” model. When this model is in place, you are expected to provide an explicit answer regarding the use of NAT (even when you do not want the firewall to perform address translation).
- From 7.0 to 8.2, the default operation mode is “no nat-control”, meaning that NAT is not mandatory anymore. If the intention is to restore the pre-7.0 behavior, you can still issue the nat-control command.
- Starting with the ASA 8.3 release, the NAT model was completely redesigned. The most significant changes are listed below:
  - There is no concept of nat-control anymore. NAT is simply an optional feature.
  - 8.3 and newer releases employ a brand new NAT syntax.
  - The NAT table is now divided into three sections, allowing better control of NAT precedence rules. These three sections (and their main characteristics) are illustrated in the figure.
  - Dual NAT rules (those that translate both source and destination simultaneously) are now defined as a single statement.
  - When NAT is in place, Access Control Entries (ACEs) refer to the Real Address (as opposed to previous models, which considered the translated address). This is a very important difference to be aware of before you migrate to 8.3 and beyond.
It is important to emphasize that if you are using a pre-8.3 ASA release and need new features that were added in 8.3 (or later), you will need to understand the newest NAT model (and convert the rules accordingly). On the other hand, if you have a brand new appliance, it is advisable to start with 8.3 (or 8.4) so that you avoid migrating NAT rules later…
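To make the two differences concrete (dual NAT as a single statement, and ACEs matching the real address), here is an added conversion example that is not part of this post: the same static translation and inbound rule written in pre-8.3 syntax and then in 8.3 syntax. All addresses (10.1.1.10 as the real server, 203.0.113.10 as its mapped address, 198.51.100.5 / 192.168.200.5 for the partner host) and object names are constructed for illustration.

```text
!!! Pre-8.3 (8.2 and earlier): mapped address first, ACE matches the MAPPED address
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE_IN in interface outside
!
! Pre-8.3 "policy static": source+destination translation needs a helper ACL
access-list POLICY_NAT extended permit ip host 10.1.1.10 host 198.51.100.5
static (inside,outside) 203.0.113.10 access-list POLICY_NAT

!!! 8.3 and later: object NAT, ACE matches the REAL address
object network WEB_SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq www
access-group OUTSIDE_IN in interface outside
!
! 8.3 dual ("twice") NAT: source and destination translated in ONE statement
object network PARTNER_REAL
 host 198.51.100.5
object network PARTNER_MAPPED
 host 192.168.200.5
object network WEB_SERVER_MAPPED
 host 203.0.113.10
nat (inside,outside) source static WEB_SERVER WEB_SERVER_MAPPED destination static PARTNER_MAPPED PARTNER_REAL
```

Note that the 8.3 ACE could equally be written as `permit tcp any host 10.1.1.10 eq www`; the point is that it names the real address, so an ACL migrated verbatim from 8.2 (still referencing 203.0.113.10) would silently stop matching.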
More posts on this topic, presenting practical configuration (and conversion) examples, will come soon. Stay tuned!