PIX VS ASA

Answered Question
Nov 11th, 2013

I have worked on Cisco PIX in the past and now I need to work on ASA. As far as I remember the PIX explicitly required NAT, Access rules & routes.

Is it the same for ASA when it comes to NAT? Does it require explicit NAT (nat or no nat)?

Correct Answer
Jouni Forss Mon, 11/11/2013 - 06:03
User Badges:
  • Super Bronze, 10000 points or more

Hi,


With the ASA it depends very much on your software.


If you used 7.0 (or newer) software on the PIX firewalls then most of the ASA configuration format is either the same or you can easily determine the correct format if there has been some minor change.


If you are using 8.2 (or older) software version on the ASA then you will probably have to configure NAT between your local interfaces in one form or another for the traffic to flow normally.


If you are using 8.3 (or newer) software then you will be using a completely new NAT format that doesn't resemble the PIX or older ASA versions' NAT configuration at all. Though with the new software you generally don't need any NAT configurations between your local interfaces (LAN/DMZ) unless you specifically want to NAT some address or subnet to another address/subnet.


Naturally also if you have Dynamic PAT/NAT configurations towards the external network and configure L2L VPN then you naturally have to configure NAT0 for the L2L VPN purpose, as otherwise Dynamic PAT would still apply to the traffic that is supposed to match the L2L VPN rules.


I guess in some older PIX firewalls you might have used NAT configurations to perform a sort of access control on the firewall. That is not the case anymore and is not suggested by Cisco either.


You might have used a configuration called "nat-control" in the PIX firewalls. In the software levels 8.3 (and above) it doesn't exist anymore.


Hope this helps


Feel free to ask more if needed.


- Jouni

avilt Mon, 11/11/2013 - 06:33

I am acquiring the latest ASA model with latest image, so explicit NAT is no longer needed then except for VPN.

Jouni Forss Mon, 11/11/2013 - 06:38
User Badges:
  • Super Bronze, 10000 points or more

Hi,


For a firewall on the edge of LAN and WAN you will naturally need the basic Dynamic NAT or Dynamic PAT. If you are adding a VPN Client or L2L VPN connection then you will need a NAT0 / NAT Exempt configuration for that. No NAT configurations are needed between your local LAN/DMZ interfaces if you don't wish to NAT.


If your firewall is purely for VPN purposes where there is no need for NAT you can essentially leave the NAT configuration blank.


If your firewall is located in the internal network between different network segments you won't need NAT either unless of course you want to map/NAT addresses/subnets.


If you need any help with NAT configurations you can always ask here on the forums.


Here is a document I wrote about the new NAT configuration format. It has some example configurations also.

https://supportforums.cisco.com/docs/DOC-31116


Here is also a great document that might serve better for those that want to see the old and new NAT configuration format compared, so you can easily convert the configurations.

https://supportforums.cisco.com/docs/DOC-9129


- Jouni
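The two NAT formats Jouni contrasts (8.2 and earlier versus 8.3 and later), shown side by side for the edge-firewall case he describes: dynamic PAT towards the outside, NAT0 / NAT exempt for an L2L VPN, and nothing for inside-to-DMZ. This is an added example, not configuration from the thread or from Cisco's documents; the interface names, object names and the 10.1.1.0/24 and 192.168.50.0/24 subnets are constructed for illustration.

```cisco
! ---- ASA 8.2 and earlier (PIX-style NAT) ----
! Dynamic PAT: hide 10.1.1.0/24 behind the outside interface address
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
! NAT0 / NAT exempt: traffic to the VPN peer's LAN must bypass the PAT above,
! otherwise it is translated and never matches the L2L crypto ACL
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
! "nat (inside) 1" is matched for every egress interface, and dmz has no
! "global (dmz) 1", so inside->dmz is dropped unless an identity static exists
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! ---- ASA 8.3 and later (object NAT / manual NAT) ----
object network INSIDE_LAN
 subnet 10.1.1.0 255.255.255.0
 ! Object NAT (section 2): dynamic PAT only for the inside->outside interface pair
 nat (inside,outside) dynamic interface
object network VPN_REMOTE_LAN
 subnet 192.168.50.0 255.255.255.0
! Manual (twice) NAT, section 1: identity NAT for the VPN traffic. Section 1 is
! evaluated before section 2, so the dynamic PAT never touches these flows
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static VPN_REMOTE_LAN VPN_REMOTE_LAN
! Nothing is configured for inside<->dmz: no rule names that interface pair,
! so the traffic is routed untranslated (nat-control no longer exists here)
```

On 8.3+ the order of the `object` and `nat` lines in the running config does not decide precedence; the NAT section does, which is why the identity rule wins over the PAT without any ordering tricks.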
