Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 8.3 - loss of NAT flexibility?

Hello all,

I have a case open with the TAC already on this, but I thought I would throw this on the community forums (this is my first post) since there might be others experiencing a similar issue.

I've come to expect being able to translate the source of packets coming from the outside interface towards an inbound host. I've usually had to do that when migrating firewalls, for instance, when the internal host's default gateway was pointed somewhere else than the ASA from which the trafic was coming from. This would effectively hide the external/vpn/etc.. address, and replace it with, e.g. the ASA's inside interface IP. The following is sample code which would achieve this previously:

Remote IPSEC tunnel subnet: 192.168.90.0/23

Local server: 20.20.20.5

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.10.10.1 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 20.20.20.1 255.255.255.0

access-list outside_nat_outbound extended permit ip 192.168.90.0 255.255.254.0 host 20.20.20.5

access-list inside_nat0_outbound extended permit ip any 192.168.90.0 255.255.254.0

global (outside) 1 interface

global (inside) 2 interface

nat (outside) 2 access-list outside_nat_outbound outside

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface ftp-data 20.20.20.5 ftp-data netmask 255.255.255.255

static (inside,outside) tcp interface ftp 20.20.20.5 ftp netmask 255.255.255.255

This would effectively change the source of trafic from 192.168.90.0/23 to 20.20.20.5 to the inside interface IP: 20.20.20.1. This config works wonderfully in 8.2, yet upgrading that config to 8.3 yields a broken configuration that doesn't end up changing the source address, and instead leaves it intact.

So far I've had no workaround from the TAC. Either the new NAT engine results in some loss of flexibility, or I can't wrap my head around the solution.

I've already heard "why are you doing this" and "you should instead fix the routing problem". Fact is: this works in 8.2, and so far it doesnt in 8.3. I'm looking for a straight answer whether or not 8.3 simply won't support this configuration any longer.

4 REPLIES

Re: ASA 8.3 - loss of NAT flexibility?

Hi,

In 8.3, NAT commands have changed. Check whether all the 8.2 nat configs have been migrated in the 8.3 config.

Here are some limitations of migration to 8.3

- Dynamic identity NAT (the nat 0 command) will not be migrated.

- The dns option in static PAT and policy NAT commands will be ignored.

- Connection Settings in old NAT commands—Options such as conn-max, emb-limit, norandomseq, or nailed will be moved to service policies.

For detailed information on the changed NAT commands,check this link

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60047

New Member

Re: ASA 8.3 - loss of NAT flexibility?

Hi,

I'm well aware that there have been changes, and I can't find a replacement configuration that works in my scenario. Hence this post.

New Member

Re: ASA 8.3 - loss of NAT flexibility?

I've had to do the exact same thing... when someone installs a remote machine and makes a typo in the default gateway.  Without hands-on, this is a way to gain remote access to the machine to correct the typo (then take out the nat commands, in my case).

Here's my take on getting the inbound traffic translated:

object network obj-192.168.90.0

subnet 192.168.90.0 255.255.255.0

object network obj-20.20.20.5

host 20.20.20.5

nat (any,inside) source dynamic obj-192.168.90.0 interface dest static obj-20.20.20.5 obj-20.20.20.5

But I will say I hate the new 8.3 code and have little experience with it.  Let us know what you get to work...
New Member

Re: ASA 8.3 - loss of NAT flexibility?

I was looking over this page, and think that it may have the solution.

https://supportforums.cisco.com/docs/DOC-9129

object service ftpPorts

   service tcp destination range ftp-data ftp

object network obj-20.20.20.5

   host 20.20.20.5

   nat (inside,outside) static interface service tcp  ftpPorts  ftpPorts

object network obj-192.168.90.0

   subnet 192.168.90.0 255.255.254.0

nat (outside,inside) source dynamic obj-192.168.90.0 interface destination static obj-20.20.20.5 obj-20.20.20.5

I added this to my ASA and it took, but I am not able to test at this point, thus you may want to wait for a window if you are working with a production box.

2810
Views
0
Helpful
4
Replies
CreatePlease to create content