[ “What is actual is actual only for one time. And only for one place.” – T. S. Elliot ]
As a follow on to our analysis of ASA NAT, the current post examines another important use case scenario: how to simultaneously translate source and destination addresses on a certain connection through your firewall ? As usual, both the pre-8.3 and post-8.3 configurations are covered so that you can use them to help on your migration tasks (in case your are still using 8.2 or earlier releases).
One remarkable difference between the old and new syntaxes resides in the fact that from 8.3 on you just need a single nat statement to produce the dual NAT effect. This is an improvement with reference to the classic model, which required two rules (for instance two static commands) to achieve the same result.
Some other key advantages of the model introduced by ASA 8.3 are listed below:
- When using manual NAT, the use of the sequence number (SEQ#) parameter enables the precise control of the order in which translation rules are inserted in the Unified NAT Table. This renders NAT processing much more predictable than the original implementation.
- The capability of specifying source and destination mappings at once, makes ASA NAT logic more similar to other vendors’, thus facilitating migration from competitive offerings.
** Topics for Study:
- nat command (complete syntax options for manual NAT) http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/no.html#wp1792563
- static command (available up to release 8.2)http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1512466
- By combining the knowledge acquired in the current example with previous articles, can you devise a way of performing Dynamic PAT in the outbound direction and static NAT for inbound ? Specifically, suppose that stations on the 10.10.10.64/26 subnet should be port address translated to 172.16.16.126 when connecting to the outside world, whereas the host 172.16.16.254 should be accessible to dmz hosts as 10.10.10.254.
- It is very important that you get familiar with the order in which the real and mapped addresses are defined in the nat and static commands.
- Remember that starting on 8.3, ASA ACLs refer to the real IP of the destination host (as opposed to 8.2 and older versions, which use the translated IP).
- The ability to use global ACLs, introduced by version 8.3, is another factor that may decrease the efforts when migrating from other vendors’ firewalls to ASA.
- If you need a detailed coverage of the NAT precedence rules (very important on pre-8.3), please refer to Chapter 08 of the Cisco Firewalls title on the Cisco Press security collection. For information about 8.3 NAT, consult the Appendix, NAT and ACL changes in ASA 8.3, of the same book.
** Related Posts: