ASA 8.3 - loss of NAT flexibility?

Unanswered Question

Hello all,

I have a case open with the TAC already on this, but I thought I would throw this on the community forums (this is my first post) since there might be others experiencing a similar issue.

I've come to expect being able to translate the source of packets coming from the outside interface towards an inbound host. I've usually had to do that when migrating firewalls, for instance, when the internal host's default gateway was pointed somewhere else than the ASA from which the trafic was coming from. This would effectively hide the external/vpn/etc.. address, and replace it with, e.g. the ASA's inside interface IP. The following is sample code which would achieve this previously:

Remote IPSEC tunnel subnet:

Local server:

interface Ethernet0/0

nameif outside

security-level 0

ip address


interface Ethernet0/1

nameif inside

security-level 100

ip address

access-list outside_nat_outbound extended permit ip host

access-list inside_nat0_outbound extended permit ip any

global (outside) 1 interface

global (inside) 2 interface

nat (outside) 2 access-list outside_nat_outbound outside

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1

static (inside,outside) tcp interface ftp-data ftp-data netmask

static (inside,outside) tcp interface ftp ftp netmask

This would effectively change the source of trafic from to to the inside interface IP: This config works wonderfully in 8.2, yet upgrading that config to 8.3 yields a broken configuration that doesn't end up changing the source address, and instead leaves it intact.

So far I've had no workaround from the TAC. Either the new NAT engine results in some loss of flexibility, or I can't wrap my head around the solution.

I've already heard "why are you doing this" and "you should instead fix the routing problem". Fact is: this works in 8.2, and so far it doesnt in 8.3. I'm looking for a straight answer whether or not 8.3 simply won't support this configuration any longer.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
dhananjoy chowdhury Fri, 03/26/2010 - 07:21
User Badges:
  • Silver, 250 points or more


In 8.3, NAT commands have changed. Check whether all the 8.2 nat configs have been migrated in the 8.3 config.

Here are some limitations of migration to 8.3

- Dynamic identity NAT (the nat 0 command) will not be migrated.

- The dns option in static PAT and policy NAT commands will be ignored.

- Connection Settings in old NAT commands—Options such as conn-max, emb-limit, norandomseq, or nailed will be moved to service policies.

For detailed information on the changed NAT commands,check this link

holzerb Fri, 07/23/2010 - 10:54
User Badges:

I've had to do the exact same thing... when someone installs a remote machine and makes a typo in the default gateway.  Without hands-on, this is a way to gain remote access to the machine to correct the typo (then take out the nat commands, in my case).

Here's my take on getting the inbound traffic translated:

object network obj-


object network obj-


nat (any,inside) source dynamic obj- interface dest static obj- obj-

But I will say I hate the new 8.3 code and have little experience with it.  Let us know what you get to work...
August Ritchie Fri, 07/23/2010 - 12:30
User Badges:
  • Bronze, 100 points or more

I was looking over this page, and think that it may have the solution.

object service ftpPorts

   service tcp destination range ftp-data ftp

object network obj-


   nat (inside,outside) static interface service tcp  ftpPorts  ftpPorts

object network obj-


nat (outside,inside) source dynamic obj- interface destination static obj- obj-

I added this to my ASA and it took, but I am not able to test at this point, thus you may want to wait for a window if you are working with a production box.


This Discussion