VIDEO: Cisco ASA version 8.3 and 8.4 NAT Configuration Example


Wed, 11/13/2013 - 03:04
Jul 30th, 2010
User Badges:
  • Cisco Employee,

The video below provides a basic command-line configuration example of Network Address Translation (NAT) on the Cisco ASA version 8.3. See below for links to more information about NAT configuration on version 8.3.




ASA 8.3 Command Line Configuration Guide; Configuring NAT:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html


ASA Pre-8.3 to 8.3 NAT configuration examples:

https://supportforums.cisco.com/docs/DOC-9129

gthermaenius Fri, 03/11/2011 - 23:46

Thanks, it's been a while since I did ASAs, great help. One thing though: last time I checked, 10.1.0.0/16 etc. would still be a class A address.

MARTIN CHONG Thu, 05/05/2011 - 16:46

The video is well presented and provides a fairly good summary. I'd like to see the nat command explained in a little more detail. Of course I really wish they hadn't gone this route with the nat configuration.

epatrickwhite Thu, 09/01/2011 - 10:22

This was a big help to me. I was told to upgrade this 5505 before I deployed it today, so I was not familiar with these new changes. I saw there were notes and instructions, but I needed to understand it quickly. This was very straightforward and I was able to figure it out from here without spending too much time reading. Now when I go back and read I'll have a better understanding of the changes.


Sometimes I feel like I have to read this stuff over and over before I comprehend it; I didn't have to do that this time!

richdepas Thu, 10/20/2011 - 04:01

Excellent video. Real help with setting up NAT statements in 8.4. Picture is worth a thousand words and this video is worth a million. Thanks!

a.matahen Sun, 10/30/2011 - 01:28

Hello Jay,


Thank you for the great video!


I have a quick question that I would like to ask you!


With the [real-ip] feature, does it mean that the packet processing steps changed, that is, NAT is performed before Access-list?


Scenario to clarify, if we have Inside users going to the internet, and we have an Inside interface IN access-list, should we allow REAL ip addresses here or NATed IPs?


Thanks!

Ahmad

Jay Johnston Mon, 10/31/2011 - 12:46
User Badges:
  • Cisco Employee,

All ACLs (applied in any direction on any interface) should refer to the local (or real) ip addresses of the hosts in question.


So, for your ACL applied to the inside interface, the lines should permit or deny traffic from the real ip addresses of the hosts on the inside network, and not the translated addresses for those hosts.


http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp40036


https://supportforums.cisco.com/docs/DOC-12690#ACL_Changes
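
The point in the reply above, shown as an added configuration sketch (not taken from the video or from Cisco's documentation): the same published web server before and after the 8.3 change, plus the inside-users case from the question. The addresses (real 10.1.1.10, mapped 192.0.2.10), the object names WEB-SERVER and INSIDE-NET, and the ACL names are constructed for illustration.

```cisco
! --- Pre-8.3: the outside ACL matches the MAPPED (translated) address ---
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
access-group outside_in in interface outside

! --- 8.3 and later: the outside ACL matches the REAL address ---
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 192.0.2.10
access-list outside_in extended permit tcp any host 10.1.1.10 eq www
access-group outside_in in interface outside

! --- 8.3 and later: inside users going to the internet via PAT ---
object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
! The inside ACL permits the real inside subnet, not the interface address
access-list inside_in extended permit tcp 10.1.0.0 255.255.0.0 any eq https
access-group inside_in in interface inside
```

On 8.3 and later, an outside ACL entry that still names the mapped address does not match inbound traffic to the server, so review each entry against the real addresses and confirm hit counts with `show access-list`.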

Jay Johnston Tue, 01/22/2013 - 07:50
User Badges:
  • Cisco Employee,

For some reason the video is not loading in Chrome, but does work in Firefox. Can you try Firefox?

Saman Shamim Tue, 07/09/2013 - 16:12

Video is not working. Tested with IE and Chrome. Don't have Firefox to test with. I believe it was working with IE before.

Jay Johnston Fri, 07/12/2013 - 06:25
User Badges:
  • Cisco Employee,

Check to see if this is working now, some problems were fixed last night. The video plays for me ok in Firefox, but not Chrome.

Vinay Sharma Mon, 07/15/2013 - 03:39
User Badges:
  • Gold, 750 points or more

Hello Saman and Jay,


Please try the following:- click load unsafe script and it should work fine.




Thanks,


Vinay Sharma

Community Manager

1 fast question if I may. I have an auto NAT statement from my inside interface to my outside interface for a single host. If I add nat (inside,outside) dynamic interface to my inside subnets, will it always appear at the bottom of the auto NAT section, or should this be placed in the after-auto section? I want to make sure that if I need to translate any additional hosts on the inside interface, they will translate correctly and not default to the interface IP.


Thanks

Vinay Sharma Wed, 11/13/2013 - 03:04
User Badges:
  • Gold, 750 points or more

Ashley,


Please load the script and it will play fine:



Thanks,

Vinay Sharma

Community Manager
