Wednesday, July 21, 2010

ASA 8.3 part 1 - NAT

In the meantime Cisco has published an ASA 8.3 migration guide:
Please refer to it for all NAT migration questions; otherwise do read on, there is some information compiled below :-)

Please be aware of the following bugs (ones I stumbled upon):
- NAT RPF failure in ASA 8.3
- Access-list migration based on NAT config.
- "Unidirectional" keyword added:
If any of the above links doesn't work, go to the Bug Toolkit directly:

Recently I found quite a few discussions on the support forums regarding ASA 8.3 and its changes.

While the majority of the changes are good and much anticipated (ACL and WebVPN changes, which I will try to highlight some other day), some changes are confusing at best, especially for people who already knew NAT as it came from the PIX, i.e. everything on the ASA prior to the 8.3(1) release.

In this post I do not intend to rewrite the configuration guide; it is there and it has ALL the information you might need. I intend to show how one CAN (and believe me, there are multiple ways) translate the old PIX/ASA NAT CLI to ASA 8.3. That being said, don't take my word for it; have a look at the configuration guide:

Let's take a look at the changes, keeping the old order of NAT operation in mind.
1) NAT exemption (this is NOT the only way to do it, but the one that will give you the least trouble)

Regarding this one, be careful to check CSCth72642 and some other bugs.
You might need to add the reverse rule, i.e.:
nat (outside,inside) source static REMOTE REMOTE destination static LOCAL LOCAL

Old Syntax:
access-list NAT0 permit ip
nat (inside_interface) 0 access-list NAT0

New syntax:
object network MY_NETWORK

object network FOREIGN_NETWORK
nat (inside_interface,any) source static MY_NETWORK MY_NETWORK destination static FOREIGN_NETWORK FOREIGN_NETWORK

Another example; we are assuming:
- "inside" is the inside interface
- is the local subnet
- is the subnet of our remote location (or of remote-access VPN clients, SSL/IPsec ...)

Old syntax:
access-list NAT0 permit ip
nat (inside) 0 access-l NAT0

New syntax:
object network HOME

object network REMOTE

nat (inside,outside) source static HOME HOME destination static REMOTE REMOTE
Strictly speaking it is not exempting anything from NAT: it installs a static identity translation (HOME to HOME, REMOTE to REMOTE) that applies whenever HOME talks to REMOTE, so both the source and the destination come out unchanged, which is exactly what the old nat 0 achieved.

2) Static

Old syntax:
static (inside_interface,outside_interface) netmask

New syntax:
object network INTERNAL_IP1
nat (inside_interface,outside_interface) static

Old syntax:
static (inside_interface,outside_interface) udp 1611 161 netmask

New syntax:
object network INTERNAL_IP2
nat (inside_interface,outside_interface) static service udp 161 1611
Note the port order: the old static took the mapped port first and then the real port (1611 161), while the 8.3 service keyword takes the real port first and then the mapped port (161 1611). Getting this backwards is an easy way to silently break a port forward during migration.

3) NAT (dynamic NAT / PAT)
Old syntax:
nat (inside_interface) 1
global (outside_interface) 1

New syntax:
object network MY_SUBNET
nat (inside_interface,outside_interface) dynamic
However, consider adding instead a single catch-all rule similar to this one:
nat (any,outside) after-auto source dynamic any interface
It translates everything ELSE to the interface address via PAT, and because of after-auto it is evaluated only after all object NAT rules.
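To make the three translations above concrete in one place, here is a small converter (an added example, not code from the original post or from Cisco) that takes the pre-8.3 NAT lines discussed in sections 1 to 3 and emits the 8.3 equivalents: nat 0 with an ACL becomes identity twice NAT, static NAT and static PAT become object NAT (with the port order flipped), and a nat/global pair becomes object NAT with dynamic interface or a range object. The object naming scheme (PREFIX_a-b-c-d) and the sample configuration at the bottom are constructed for the demo; anything it does not understand is echoed back prefixed with "! UNTRANSLATED" rather than guessed at.

```python
"""Translate pre-8.3 PIX/ASA NAT lines into ASA 8.3 object NAT / twice NAT.

Added example, not from the original post. It covers only the three
migrations the post walks through: NAT exemption (nat 0 + ACL), static
NAT / static PAT, and dynamic NAT (nat/global pair). Object names are
derived from the real address; that naming scheme is an assumption.
"""
import re
from typing import Dict, List, Tuple

HOST_MASK = "255.255.255.255"


def _body(ip: str, mask: str) -> str:
    """Object body: /32 netmask -> 'host', old '0 0' shorthand -> any, else 'subnet'."""
    if ip == "0" and mask == "0":
        ip = mask = "0.0.0.0"
    return f" host {ip}" if mask == HOST_MASK else f" subnet {ip} {mask}"


def _name(prefix: str, ip: str) -> str:
    """Hypothetical naming scheme for generated objects, e.g. STATIC_10-0-0-10."""
    return f"{prefix}_{ip.replace('.', '-')}"


def translate(old_config: str) -> List[str]:
    lines = [ln.strip() for ln in old_config.splitlines() if ln.strip()]
    acls: Dict[str, List[Tuple[str, ...]]] = {}
    globals_: Dict[str, Tuple[str, str]] = {}
    consumed, out = set(), []

    # Pass 1: 'nat 0' and 'nat <id>' refer to ACLs and global pools by name / id
    for ln in lines:
        m = re.fullmatch(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", ln)
        if m:
            acls.setdefault(m[1], []).append(m.group(2, 3, 4, 5))
            consumed.add(ln)
        m = re.fullmatch(r"global \((\S+)\) (\d+) (\S+)", ln)
        if m:
            globals_[m[2]] = (m[1], m[3])
            consumed.add(ln)

    # Pass 2: emit 8.3 syntax for every remaining line
    for ln in lines:
        if ln in consumed:
            continue
        # static PAT: static (real,mapped) udp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask M
        m = re.fullmatch(r"static \((\S+),(\S+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask (\S+)", ln)
        if m:
            real, mapped, proto, mip, mport, rip, rport, mask = m.groups()
            out += [f"object network {_name('PAT', rip)}", _body(rip, mask),
                    # the port order flips: 8.3 'service' takes real_port then mapped_port
                    f" nat ({real},{mapped}) static {mip} service {proto} {rport} {mport}"]
            continue
        # static NAT: static (real,mapped) MAPPED_IP REAL_IP netmask M
        m = re.fullmatch(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", ln)
        if m:
            real, mapped, mip, rip, mask = m.groups()
            out += [f"object network {_name('STATIC', rip)}", _body(rip, mask),
                    f" nat ({real},{mapped}) static {mip}"]
            continue
        # NAT exemption: nat (ifc) 0 access-list NAME -> one identity twice-NAT rule per ACE
        m = re.fullmatch(r"nat \((\S+)\) 0 access-l\S* (\S+)", ln)
        if m:
            ifc, acl = m.groups()
            for src, smask, dst, dmask in acls.get(acl, []):
                s, d = _name("LOCAL", src), _name("REMOTE", dst)
                out += [f"object network {s}", _body(src, smask),
                        f"object network {d}", _body(dst, dmask),
                        # 'any' as mapped interface: the old rule named no egress interface
                        f"nat ({ifc},any) source static {s} {s} destination static {d} {d}"]
            continue
        # dynamic NAT/PAT: nat (ifc) ID REAL_NET MASK, paired with global (ifc) ID ...
        m = re.fullmatch(r"nat \((\S+)\) (\d+) (\S+) (\S+)", ln)
        if m and m[2] in globals_:
            real, _, rip, mask = m.groups()
            mapped, pool = globals_[m[2]]
            name = _name("DYN", rip)
            if pool == "interface":
                out += [f"object network {name}", _body(rip, mask),
                        f" nat ({real},{mapped}) dynamic interface"]
            else:  # an address pool needs its own range object in 8.3
                lo, hi = pool.split("-") if "-" in pool else (pool, pool)
                out += [f"object network {name}_POOL", f" range {lo} {hi}",
                        f"object network {name}", _body(rip, mask),
                        f" nat ({real},{mapped}) dynamic {name}_POOL"]
            continue
        out.append(f"! UNTRANSLATED: {ln}")  # e.g. ACEs using 'host', policy NAT
    return out


if __name__ == "__main__":
    # constructed sample of pre-8.3 config, not taken from any real device
    print("\n".join(translate("""
access-list NAT0 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NAT0
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
static (inside,outside) udp 203.0.113.11 1611 10.0.0.11 161 netmask 255.255.255.255
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
""")))
```

Review the "! UNTRANSLATED" lines by hand before pasting anything into a box; the converter deliberately refuses policy NAT, ACEs written with the host keyword and global statements with a netmask, because those are exactly the cases where the old and new semantics differ enough that a blind rewrite can open or close traffic you did not intend.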

Here's the order of operation for NAT on 8.3: Section 1 holds manual (twice) NAT rules in the order you entered them, Section 2 holds object (auto) NAT with static rules before dynamic ones, and Section 3 holds manual NAT rules marked after-auto.
If you check it, it's NOT that much different from the older one.

So what's the big benefit of 8.3 NAT:
- the "any" keyword in NAT (any source, any interface)
- a few new things such as many-to-few translations ... possibly nothing ground-breaking.

And the downsides:
- not readable via the CLI; everything is an object and it is ASDM-oriented ("show nat" DOES help A LOT)
- expanded ("exploding") configuration listing
- no ACL support in NAT rules
- no additional options on NAT rules (norandomseq and the maximum connection count, for example); these now have to be done with MPF (set connection in a policy-map).

There is of course more to NAT on ASA 8.3 than this comparison, and I can post more examples if someone is interested.

The above worked on my ASA connected to the lab, without the REQUIRED memory upgrade.

18th Aug 2010 - Added some ASA 8.3 NAT bugs and a link to Cisco's ASA migration guide.
