Migrating to ASA 8.3, 8.4 or higher? Don’t rely blindly on the automatic NAT migration script

As explained in a series of previous posts, you need to understand the NAT philosophy change introduced in ASA 8.3 in order to benefit from the new features (available in 8.3 and higher). While the other articles focused on the correspondence between the pre-8.3 and post-8.3 models, this one shows the automatic migration script in action when you upgrade the software on an 8.2 box that already contains NAT rules.

The Static Policy NAT and Static NAT configurations for the reference topology of Figure 1 are as follows:

  • The dmz client 10.10.10.150 is mapped to 172.18.18.150 when the destination is 172.16.16.200.
  • For any other destination on the out side, the same dmz client is statically translated to 172.16.16.150.

Figure 1: ASA NAT - Migration Example 1

If you look carefully at the figure, you will notice that the IP addresses used in the ACL and static rules of the 8.2-style configuration are converted into network objects, which are then referenced by the nat statements that characterize 8.3.
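To make that correspondence concrete, here is an added example, written for this page and not taken from the original post or from Cisco's migration script. It converts the two pre-8.3 statements of the reference topology into their 8.3 equivalents in the way the figure describes: the addresses become network objects, the static policy NAT becomes a twice NAT rule (section 1 of the 8.3 NAT table) and the plain static becomes object NAT (section 2). The interface names dmz and out, the ACL name POLICY_NAT and the obj-<address> naming of the objects are assumptions; lines the converter does not recognise are flagged for manual review rather than silently dropped.

```python
"""Convert pre-8.3 ASA static NAT into 8.3 object/twice NAT (added example)."""
import re
from ipaddress import ip_network

# Constructed pre-8.3 snippet for the reference topology. The interface names
# (dmz, out) and the ACL name are assumptions, not taken from the post.
PRE83_CONFIG = """
access-list POLICY_NAT extended permit ip host 10.10.10.150 host 172.16.16.200
static (dmz,out) 172.18.18.150 access-list POLICY_NAT
static (dmz,out) 172.16.16.150 10.10.10.150 netmask 255.255.255.255
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip host (\S+) host (\S+)$")
POLICY_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) access-list (\S+)$")
REGULAR_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")


def parse_pre83(config):
    """Split a pre-8.3 snippet into policy-NAT ACL entries, static statements
    and lines the converter does not understand (port statics, nat/global...)."""
    acls, statics, skipped = {}, [], []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := POLICY_RE.match(line):
            statics.append(("policy", m[1], m[2], m[3], m[4]))
        elif m := REGULAR_RE.match(line):
            statics.append(("regular", m[1], m[2], m[3], m[4], m[5]))
        else:
            skipped.append(line)
    return acls, statics, skipped


def ensure_object(objects, addr, mask="255.255.255.255"):
    """Define 'object network obj-<addr>' once. The obj- prefix mimics the
    style of the migration script's naming (an assumption)."""
    name = f"obj-{addr}"
    if name not in objects:
        net = ip_network(f"{addr}/{mask}", strict=False)
        body = (f" host {addr}" if net.prefixlen == 32
                else f" subnet {net.network_address} {net.netmask}")
        objects[name] = [f"object network {name}", body]
    return name


def migrate_static_nat(config):
    """Return the 8.3-style configuration as text: objects (carrying any
    object NAT) first, then twice NAT rules, then unconverted lines."""
    acls, statics, skipped = parse_pre83(config)
    objects, twice_nat = {}, []
    for stmt in statics:
        if stmt[0] == "policy":
            _, real_ifc, mapped_ifc, mapped, acl = stmt
            for real, dst in acls.get(acl, []):
                r = ensure_object(objects, real)
                mp = ensure_object(objects, mapped)
                d = ensure_object(objects, dst)
                # Static policy NAT -> twice NAT (section 1): the source is
                # translated only for this destination, and the destination
                # itself is an identity translation (d -> d).
                twice_nat.append(
                    f"nat ({real_ifc},{mapped_ifc}) source static {r} {mp} "
                    f"destination static {d} {d}")
        else:
            _, real_ifc, mapped_ifc, mapped, real, mask = stmt
            r = ensure_object(objects, real, mask)
            # Regular static -> object NAT (section 2) inside the real object;
            # a host can be mapped inline, a subnet needs a mapped object.
            target = (mapped if mask == "255.255.255.255"
                      else ensure_object(objects, mapped, mask))
            objects[r].append(f" nat ({real_ifc},{mapped_ifc}) static {target}")
    lines = [line for obj in objects.values() for line in obj] + twice_nat
    lines += [f"! manual review needed: {line}" for line in skipped]
    return "\n".join(lines)


if __name__ == "__main__":
    print(migrate_static_nat(PRE83_CONFIG))
```

Running it prints the three objects, the object NAT line nested inside obj-10.10.10.150 and the twice NAT rule. Note that precedence does not depend on where the lines sit in the configuration: 8.3 consults twice NAT (section 1) before object NAT (section 2), so the translation to 172.18.18.150 wins whenever the destination is 172.16.16.200 and the object NAT to 172.16.16.150 covers everything else. Anything the converter flags for manual review (port statics, nat/global pairs, nat 0 access-list exemptions) is precisely the kind of rule for which you need the manual correspondence this post recommends.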

Although the migration script may be helpful for simple topologies that contain only a few categories of NAT, it is critical that you understand how to convert manually from the original model to the new one. There are situations, such as those shown in Figure 2, in which the script may not work, so do not rely blindly on it. I think it is advisable to invest some time in getting familiar with building the manual correspondence.

Figure 2: Sample messages from the NAT automatic migration script

** Notes:

  • If you plan to use the automatic migration script, it is recommended that you remove the nat-control command from your pre-8.3 configuration before upgrading. This avoids the creation of many network objects during the conversion process.
  • From 7.0 to 8.2 the default ASA operating mode treats NAT as an optional feature. This is accomplished with the no nat-control command, which, being the default, is not displayed in the show running-config listing. If you want to make sure that no nat-control is in effect, issue the show running-config all nat-control command.


Filed under English, Firewalls, Security

5 responses to “Migrating to ASA 8.3, 8.4 or higher? Don’t rely blindly on the automatic NAT migration script”

  1. I have come across these warning messages. I did a “no nat-control” before upgrading the code but still got dozens of NAT Exemption warnings.
    But it has never impacted any production network. NAT Exemption is preferred over any kind of NAT, so if a source IP has a Static NAT and is also configured for NAT Exemption, it would work according to the NAT Exemption statement and the Static NAT would never be used, right?

    • Hi Shoaib,

      If you are using a pre-8.3 version, NAT Exemption (nat 0 access-list syntax) takes precedence over any other NAT category. Starting with 8.3, you don’t need to worry about that because nat-control is not in place anymore. As simple as that: if you explicitly define a translation rule, there will be NAT. For the hosts that do not fall under any translation rule, no NAT is the automatic choice.

      Hope this helps.
      Regards,
      Alexandre

  2. KK

    Hi
    I am planning an upgrade of an 8.2 ASA to 8.4. I was going through numerous comments on the web, but I am not sure of the correct process to handle this deployment.
    Please shed some light; I don’t know much about the NAT that everyone is talking about.

    Please help
