Where’s my Static ? A basic example of the NAT model introduced in Cisco ASA 8.3

[“Most of the change we think we see in life is due to truths being in and out of favour“. – Robert Frost]

Yes… we know that. Adapting to change is frequently a challenge. If you invested time and effort to learn a certain way of getting stuff to work, it is not that easy to accept newer forms of accomplishing something similar (at least when you first see it).

Despite the reasons presented to justify the new Network Address Translation (NAT) model introduced in version 8.3 of the ASA software, many people will think (and say): "just bring back my static!" I understand that perspective, but the key fact to be aware of is that getting familiar with the new philosophy is vital if your organization is to migrate to 8.3 and beyond (and benefit from the most recent feature developments).

While the previous article, "NAT Evolution within Cisco ASA software", covered the main differences between the three generations of the NAT functionality for ASA, the current post has a simpler objective: to present a basic example of Static NAT with the two possible syntaxes (pre- and post-8.3). The topology and the related commands that illustrate it are summarized in the figure below.

Implementing Static NAT on ASA: pre and post 8.3

If you look carefully at the output of the show nat command, you will notice that the translation just configured generated a rule in Section 2 of the Unified NAT Table (an instance of the so-called Auto NAT, or Object NAT). Some relevant comments about this type of arrangement follow:

  • The real address is part of a network object definition. This object can later be employed in other sections of the configuration, such as in an Access Control Entry (ACE) or under an object-group definition.
  • The mapped address is defined by a nat statement entered as a parameter of that same network object (the one that holds the real address).
  • A given Object NAT rule can translate either the source or the destination address of a packet, but not both at the same time. If you need to deal with more complex requirements (Policy NAT or Dual NAT, for instance), Twice NAT will be the appropriate choice.

It is really advisable that you compare the old and modern ways of defining static NAT. It is also a good idea to start planning the conversion of the configurations in your specific environment. Future posts will illustrate more situations (dynamic PAT, Policy NAT and Dual NAT are planned topics). Stay tuned!
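To make the side-by-side comparison concrete, and as a starting point for the conversion planning mentioned above, here is an added example (written for this post, not a Cisco tool) that rewrites pre-8.3 one-to-one "static" lines into the 8.3+ Object NAT form. The input lines, the interface names (inside, dmz, outside), the addresses and the OBJ-REAL/OBJ-MAPPED object naming convention are all constructed for the example. A /32 real address becomes a host object with an inline mapped address; a subnet real address gets a mapped network object of the same size, as Object NAT expects. Anything that is not a plain one-to-one static (port-level statics, for instance) is left untouched and reported for manual review, since it may need a service definition or Twice NAT.

```python
"""Convert pre-8.3 ASA 'static' lines to the 8.3+ Object NAT (Auto NAT) syntax."""
import ipaddress
import re

# Pre-8.3 one-to-one static:
#   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)\s+"
    r"netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_static(line):
    """Return (real_ifc, mapped_ifc, real_net, mapped_net) for a one-to-one static."""
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError(f"unsupported static syntax: {line!r}")
    # strict=True rejects a netmask that leaves host bits set in either address,
    # so a mistyped legacy line is flagged instead of silently converted.
    real = ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=True)
    mapped = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=True)
    return m["real_ifc"], m["mapped_ifc"], real, mapped


def object_name(prefix, net):
    """Hypothetical naming convention: OBJ-REAL-10.1.1.10 or OBJ-MAPPED-198.51.100.0-24."""
    if net.prefixlen == 32:
        return f"{prefix}-{net.network_address}"
    return f"{prefix}-{net.network_address}-{net.prefixlen}"


def to_object_nat(line):
    """Emit the 8.3+ Object NAT lines equivalent to one legacy static line."""
    real_ifc, mapped_ifc, real, mapped = parse_static(line)
    real_name = object_name("OBJ-REAL", real)
    if real.prefixlen == 32:
        # Host object with the mapped address given inline on the nat statement.
        return [
            f"object network {real_name}",
            f" host {real.network_address}",
            f" nat ({real_ifc},{mapped_ifc}) static {mapped.network_address}",
        ]
    # Subnet: the mapped side must be a network object of the same size.
    mapped_name = object_name("OBJ-MAPPED", mapped)
    return [
        f"object network {mapped_name}",
        f" subnet {mapped.network_address} {mapped.netmask}",
        f"object network {real_name}",
        f" subnet {real.network_address} {real.netmask}",
        f" nat ({real_ifc},{mapped_ifc}) static {mapped_name}",
    ]


def convert_config(text):
    """Rewrite every convertible static line; return (new_lines, lines_needing_review)."""
    new_lines, review = [], []
    for raw in text.splitlines():
        if not raw.lstrip().startswith("static "):
            new_lines.append(raw)          # not a NAT line; pass through unchanged
            continue
        try:
            new_lines.extend(to_object_nat(raw))
        except ValueError:
            new_lines.append(raw)          # keep the original so nothing is lost
            review.append(raw.strip())     # e.g. port-level static: needs a human
    return new_lines, review


# Constructed legacy configuration fragment (not taken from any real device).
LEGACY_CONFIG = """\
hostname ASA-LAB
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (dmz,outside) 198.51.100.0 10.1.2.0 netmask 255.255.255.0
static (inside,outside) tcp interface 80 10.1.1.20 80 netmask 255.255.255.255
"""

if __name__ == "__main__":
    lines, needs_review = convert_config(LEGACY_CONFIG)
    print("\n".join(lines))
    for item in needs_review:
        print(f"! REVIEW MANUALLY: {item}")
```

After the objects are in place, "show nat" lists the translations under "Auto NAT Policies (Section 2)", which is where the bullets above say an Object NAT rule lands. Note that this script only rewrites the static lines themselves; the network objects it creates can then be reused in ACEs and object-groups, but any interface access list that referenced the mapped address under the old model still has to be revisited by hand.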

Filed under English, Firewalls, Security

2 responses to "Where's my Static ? A basic example of the NAT model introduced in Cisco ASA 8.3"

  1. This makes sense now. 😀 And it's somewhat similar to Checkpoint, where you have the option to define a NAT rule while creating a new host object. I recently got the 8.4 code to be able to use on GNS3. Gonna try different types of NATs soon! 🙂

    • Hi Shoaib,
      You are right! The new model (starting on 8.3) is more similar to other vendors', thus facilitating migration to ASA. Another important change in that direction was the introduction of global ACLs in 8.3. Now you can use global ACLs and still refer to (the classic) interface ACLs if you need to build access rules that apply only to traffic arriving on a given interface.
