Daily Archives: March 9, 2012

Migrating to ASA 8.3, 8.4 or higher? Don’t rely blindly on the automatic NAT migration script

As explained in a series of previous posts, it is indispensable to understand the NAT philosophy change introduced in ASA 8.3 in order to benefit from the new features (available in 8.3 and higher). While the other articles focused on explaining the correspondence between the pre-8.3 and post-8.3 models, this one shows the automatic migration script in action when you upgrade the ASA software on an 8.2 box that already contains NAT rules.

The Static Policy NAT and Static NAT configurations for the reference topology of Figure 1 are described below:

  • Static Policy NAT: the dmz client 10.10.10.150 is mapped to 172.18.18.150 when the destination is 172.16.16.200.
  • Static NAT: for any other destination on the outside, the same dmz client is statically translated to 172.16.16.150.

Figure 1: ASA NAT - Migration Example 1

If you look carefully at the figure, you will notice that the IP addresses used in the ACL and static rules of the 8.2-style configuration are converted to network objects, which are then employed within the nat statements that characterize 8.3.

Although the migration script may be helpful for simple topologies that contain few categories of NAT, it is critical that you understand how to manually convert from the original model to the new one. There are situations, such as those shown in Figure 2, in which the script may not work, so do not rely blindly on it. I think it is advisable to invest some time in getting familiar with building the manual correspondence.
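The manual correspondence for the two rules described on this page, as an added example that is not part of the original post: the Python script below takes the 8.2-style ACL plus static statements and emits the 8.3-style object (auto) NAT and manual (twice) NAT equivalents. The interface names (dmz, outside), the ACL name and the obj-<ip> object names are assumptions, as is the sample configuration itself; the script covers only the host-to-host forms used here and rejects anything else rather than silently converting it.

```python
import re

# Constructed sample of the pre-8.3 (8.2-style) rules described in the post:
# a Static Policy NAT for traffic to 172.16.16.200 and a plain Static NAT
# for everything else. Interface and ACL names are assumptions; the
# addresses are the ones given in the post.
PRE_83_CONFIG = """
access-list POLICY_NAT extended permit ip host 10.10.10.150 host 172.16.16.200
static (dmz,outside) 172.18.18.150 access-list POLICY_NAT
static (dmz,outside) 172.16.16.150 10.10.10.150 netmask 255.255.255.255
"""

# Only the host-to-host forms used in the post are parsed.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip host (\S+) host (\S+)$")
POLICY_STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) access-list (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")


def obj_name(ip):
    """Hypothetical naming scheme for the generated network objects."""
    return "obj-" + ip


def convert(config):
    """Return the 8.3-style lines equivalent to an 8.2-style static/policy config."""
    lines = [l.strip() for l in config.strip().splitlines() if l.strip()]

    # Pass 1: collect the policy ACLs (one ACE per line) so a static that
    # references an ACL can be resolved regardless of line ordering.
    acls = {}
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))

    objects = {}   # object name -> host ip, insertion ordered
    manual = []    # Section 1: manual (twice) NAT, one rule per ACE
    auto = []      # Section 2: object (auto) NAT, attached to the real object

    # Pass 2: translate the static rules.
    for line in lines:
        if ACL_RE.match(line):
            continue
        m = POLICY_STATIC_RE.match(line)
        if m:
            real_ifc, mapped_ifc, mapped_ip, acl = m.groups()
            if acl not in acls:
                raise ValueError("policy static references unknown ACL: " + acl)
            for real_ip, dest_ip in acls[acl]:
                for ip in (real_ip, mapped_ip, dest_ip):
                    objects.setdefault(obj_name(ip), ip)
                # The destination clause is "mapped real"; the destination is
                # not translated here, so the same object appears twice.
                manual.append(
                    f"nat ({real_ifc},{mapped_ifc}) source static {obj_name(real_ip)} {obj_name(mapped_ip)} "
                    f"destination static {obj_name(dest_ip)} {obj_name(dest_ip)}")
            continue
        m = STATIC_RE.match(line)
        if m:
            real_ifc, mapped_ifc, mapped_ip, real_ip = m.groups()
            objects.setdefault(obj_name(real_ip), real_ip)
            auto.append((obj_name(real_ip), f" nat ({real_ifc},{mapped_ifc}) static {mapped_ip}"))
            continue
        raise ValueError("unsupported pre-8.3 line: " + line)

    out = []
    for name, ip in objects.items():
        out += [f"object network {name}", f" host {ip}"]
    out += manual   # manual NAT first: Section 1 is evaluated before Section 2
    for name, nat_line in auto:
        out += [f"object network {name}", nat_line]
    return out


if __name__ == "__main__":
    print("\n".join(convert(PRE_83_CONFIG)))
```

The output places the manual NAT rule before the object NAT rule on purpose: in 8.3 the manual (twice) NAT rules form Section 1 of the NAT table and are evaluated before the object NAT rules in Section 2, which preserves the 8.2 behaviour of a policy static taking precedence over a plain static for the same real address. The script writes the mapped address of the plain static inline; the migration script shown in Figure 1 instead creates a separate network object for it, which is equally valid.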

Figure 2: Sample messages from the NAT automatic migration script

** Notes:

  • If you plan to use the automatic migration script, it is recommended that you remove the nat-control command from your pre-8.3 configuration before upgrading. This avoids the creation of many network objects during the conversion process.
  • From 7.0 to 8.2 the default ASA mode of operation treats NAT as an optional feature. This is accomplished with the no nat-control command which, being the default, is not displayed in the show running-config output. If you want to make sure that no nat-control is in place, issue the show running-config all nat-control command.


Filed under English, Firewalls, Security