[“All appeared new, and strange at first, inexpressibly rare and delightful and beautiful. I was a little stranger, which at my entrance into the world was saluted and surrounded with innumerable joys.” – Thomas Traherne]
After reading the article “NAT Evolution within Cisco ASA software” and applying that knowledge to build static translations on ASA, it is now time to implement dynamic rules. As we did before, to make life easier on migration tasks, the two configuration modes (pre and post-8.3) are presented.
The figure below shows not only the old-style syntax but also the new options for a simple topology, in which the internal addresses belonging to the 10.10.10.128/25 subnet are translated to the range 172.16.16.129-172.16.16.254. In this arrangement, some facts deserve special mention:
- In the legacy CLI the number “2” is the NAT_ID, which is used to establish the link between the nat and global commands.
- For source-only translations, the nat statement (configured under the network object definition) automatically places the rule in Section 2 of the Unified NAT Table.
- Given that manual NAT allows the creation of rules that simultaneously specify translation of source and destination addresses, manual NAT can be “simplified” to create source-only (or destination-only) rules. In this case the rule will be part of Section 1 and there will be no reference to a network object in the nat command itself. Considering that the sections in the NAT table are processed sequentially, the equivalent construction with manual NAT takes precedence over Object NAT. (The exception is when you employ the after-auto parameter in the nat command, thus sending the manual rule to Section 3.)
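Since the figure itself is not reproduced here, the following is an added example (not the original post's configuration) writing out the three equivalent ways to build that dynamic translation; the object names INSIDE_HOSTS and OUTSIDE_POOL are assumed, and the interfaces are assumed to be named inside and outside.

```text
! --- Legacy CLI (pre-8.3): NAT_ID 2 links the nat and global commands ---
nat (inside) 2 10.10.10.128 255.255.255.128
global (outside) 2 172.16.16.129-172.16.16.254 netmask 255.255.255.0

! --- Post-8.3, Object NAT (lands in Section 2 of the Unified NAT Table) ---
object network OUTSIDE_POOL
 range 172.16.16.129 172.16.16.254
object network INSIDE_HOSTS
 subnet 10.10.10.128 255.255.255.128
 nat (inside,outside) dynamic OUTSIDE_POOL

! --- Post-8.3, Manual NAT "simplified" to a source-only rule (Section 1) ---
! Same objects as above, but the nat command is global rather than
! attached to INSIDE_HOSTS. If both this rule and the Object NAT rule
! exist, this one wins because Section 1 is evaluated first.
nat (inside,outside) source dynamic INSIDE_HOSTS OUTSIDE_POOL

! --- Variant: push the manual rule to Section 3 so Object NAT is
! consulted first (after-auto) ---
nat (inside,outside) after-auto source dynamic INSIDE_HOSTS OUTSIDE_POOL

! Verify which section each rule landed in and its hit counts
show nat
```

When migrating, configure only one of the post-8.3 forms; keeping both in place is a common way to end up with a Section 1 rule silently shadowing the Object NAT rule you expected to be in effect.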
** Topics for Study:
- nat command (complete syntax options for the object NAT configuration) http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/no.html#wp1778544
- nat command (complete syntax options for manual NAT) http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/no.html#wp1792563
- Play with the “show running nat”, “show running object” and “show nat interface” commands
- Can you adapt the current example to configure Port Address Translation (PAT)?
** Related Posts: