Daily Archives: March 29, 2012

An example of the Unified NAT Table on Cisco ASA

On our series of articles about ASA NAT, we mentioned that version 8.3 introduced a complete new model for address translation. The main characteristics associated with this new philosophy are summarized in the following:

  • NAT is not mandatory anymore (as opposed to the nat-control model).
  • NAT table is organized in 03 distinct sections: one for auto-NAT and two for manual NAT (or twice NAT).
  • Translation rules that involve source and destination simultaneously are now defined in a single nat statement (using a manual NAT rule). These are the cases of Dual NAT and all the variants of Policy NAT.
  • Starting on version 8.3, the Access Control Entries (ACEs) refer to the Real IP Address of the host and not to the translated address.

The figure brings a practical example of an ASA Unified NAT Table that contains rules in each of the three sections. Remember that:

  • Object NAT Rules are inserted into section 2
  • By default, manual NAT rules are created within section 1. If you want to insert a nat statement into section 3 you will need to use the after-auto parameter.
  • The sections in the NAT table are processed in order.

An example of the ASA Unified NAT Table

** Topics for Study:

** Related Posts:

Advertisements

1 Comment

Filed under English, Firewalls, Security