Cisco Support Community

PAT ASA 8.2 vs 8.4

Hi all,

Over the last couple of days I've been experimenting with the new NAT config in version 8.4(2), and I've got a couple of questions.

For example:
My production ASA is running on version 8.2(3) and has the following config:

global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) tcp interface 3390 192.168.0.2 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 192.168.0.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 80 192.168.0.1 80 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.0.1 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.0.1 443 netmask 255.255.255.255
etc

To get the same result on the newer 8.4 version, I now have to use the following config:


object network 192.168.0.0
 subnet 192.168.0.0 255.255.255.0
object network 192.168.0.2-01
 host 192.168.0.2
object network 192.168.0.3-01
 host 192.168.0.3
object network 192.168.0.1-01
 host 192.168.0.1
object network 192.168.0.1-02
 host 192.168.0.1
object network 192.168.0.1-03
 host 192.168.0.1
object network 192.168.0.1-04
 host 192.168.0.1
!
object network 192.168.0.0
 nat (inside,outside) dynamic interface
object network 192.168.0.2-01
 nat (inside,outside) static interface service tcp 3389 3390
object network 192.168.0.3-01
 nat (inside,outside) static interface service tcp 3389 3391
object network 192.168.0.1-01
 nat (inside,outside) static interface service tcp 3389 3389
object network 192.168.0.1-02
 nat (inside,outside) static interface service tcp 80 80
object network 192.168.0.1-03
 nat (inside,outside) static interface service tcp 8080 8080
object network 192.168.0.1-04
 nat (inside,outside) static interface service tcp 443 443
etc

So instead of 8 lines of configuration, I'm already over 30 lines, right?

Questions:
Is this the right way of configuring?

If not, what is the right way?

If so:

Why is Cisco making it this complicated?

What are the benefits of this new way of configuring?

Thanks in advance!

Kind regards,

Niels.


Accepted Solutions

PAT ASA 8.2 vs 8.4

Hi Niels,

The config for 8.4 is correct; yes, it would create those lines. The 8.4 NAT is object-based NAT, in which you create network objects for the hosts and subnets that you want to NAT. The 8.2 NAT used to be a bit syntax-based NAT commands, but I find 8.4's NAT statements purely logical rather than syntactical.

Moreover, the concept of nat-control has been deprecated, so your NATs don't purely depend upon security levels.

A few more things that I find good are:

The access list contains the post-NATted IPs for the servers or machines that you want to access, which means that if you somehow have to change the NATted or public IP for a server, you don't need to change the ACLs; you just need to make the change in the network object for that IP.

You were not able to translate both the source and the destination in one single NAT statement; now, post-8.3, you can do that simply, so it saves you config lines there.

Here is a doc that might be helpful:

https://supportforums.cisco.com/docs/DOC-9129#comment-3934

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Cisco Employee

PAT ASA 8.2 vs 8.4

Niels,

Yes and no. Well, basically you pass from this:

static (inside,outside) tcp interface 3390 192.168.0.2 3389 netmask 255.255.255.255

To this:

object network 192.168.0.2-01
 host 192.168.0.2
 nat (inside,outside) static interface service tcp 3389 3390

So from 1 line you go to 3. Well, while it does make the configuration a bit larger, there are many advantages, such as the NAT sections, where you can accommodate the NATs in the order that you want. The order of operation in 8.2 was somewhat complicated for users to understand, and if they wanted to change or move static translations, they had to remove lines and re-add them, and sometimes it caused networks to go down.

On the other hand, once you have the objects created, you can allocate your NAT configurations and reuse them any time you want, and so on.

At first, I didn't quite like it, but once you get used to it, it is easier to troubleshoot when a problem comes up.

Mike
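The 1-line-to-3-line mapping Mike describes, as an added example that is not part of the original thread and not Cisco code: a small Python script that parses the 8.2 global/nat/static lines from the question, emits the 8.3+ object NAT equivalents, and refuses to migrate two statics that claim the same interface port. The object names it emits (obj-<ip> and obj-<ip>-NN) and the sample input are this example's own. The caveat it encodes is the one most often got backwards when translating by hand: 8.2 `static` lists the mapped port before the real port, while the 8.3+ `service tcp <real_port> <mapped_port>` form lists the real port first.

```python
"""Translate ASA 8.2-style NAT/PAT lines into the 8.3+ object-NAT form.

Added example for this thread, not Cisco tooling and not the posters' own
configuration.  It models only the forms used in the thread:
  global (mapped_if) <pool> interface
  nat (real_if) <pool> <net> <mask>
  static (real_if,mapped_if) tcp|udp interface <mapped_port> <real_ip> <real_port> netmask 255.255.255.255
The object names it emits (obj-<ip>, obj-<ip>-NN) are a naming choice for
this example, not something the ASA requires.
"""
import re
from collections import defaultdict

GLOBAL_RE = re.compile(r"^global \((?P<mapped_if>\w+)\) (?P<pool>\d+) interface$")
NAT_RE = re.compile(r"^nat \((?P<real_if>\w+)\) (?P<pool>\d+) (?P<net>[\d.]+) (?P<mask>[\d.]+)$")
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) interface "
    r"(?P<mapped_port>\d+) (?P<real_ip>[\d.]+) (?P<real_port>\d+) netmask 255\.255\.255\.255$"
)


def parse_82(config_text):
    """Return (dynamic_pat_rules, static_pat_rules) from 8.2 config text.

    nat/global pairs are joined on the pool id.  Lines in forms this example
    does not model (e.g. 'global ... <pool-ip>' or policy NAT) are ignored.
    """
    globals_by_pool, nats, statics = {}, [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            globals_by_pool[m["pool"]] = m["mapped_if"]
        elif m := NAT_RE.match(line):
            nats.append(m.groupdict())
        elif m := STATIC_RE.match(line):
            d = m.groupdict()
            d["mapped_port"], d["real_port"] = int(d["mapped_port"]), int(d["real_port"])
            statics.append(d)
    dynamic = [
        {"real_if": n["real_if"], "mapped_if": globals_by_pool[n["pool"]],
         "net": n["net"], "mask": n["mask"]}
        for n in nats if n["pool"] in globals_by_pool
    ]
    return dynamic, statics


def find_port_collisions(statics):
    """Two statics claiming the same (mapped_if, proto, mapped_port) cannot both
    be active; report them so a migration does not silently drop one."""
    claimed = defaultdict(list)
    for s in statics:
        claimed[(s["mapped_if"], s["proto"], s["mapped_port"])].append(s["real_ip"])
    return {k: v for k, v in claimed.items() if len(v) > 1}


def to_84(dynamic, statics):
    """Emit 8.3+ object NAT lines.  The port order flips between versions:
    8.2 'static' lists the MAPPED port before the real one, while 8.3+
    'service tcp <real_port> <mapped_port>' lists the REAL port first."""
    out = []
    for d in dynamic:
        out += [f"object network obj-{d['net']}",
                f" subnet {d['net']} {d['mask']}",
                f" nat ({d['real_if']},{d['mapped_if']}) dynamic interface"]
    seq = defaultdict(int)  # per-host suffix, mirroring the -01/-02 style in the question
    for s in statics:
        seq[s["real_ip"]] += 1
        out += [f"object network obj-{s['real_ip']}-{seq[s['real_ip']]:02d}",
                f" host {s['real_ip']}",
                f" nat ({s['real_if']},{s['mapped_if']}) static interface "
                f"service {s['proto']} {s['real_port']} {s['mapped_port']}"]
    return out


def migrate(config_text):
    """Parse, refuse to continue on mapped-port collisions, return 8.3+ lines."""
    dynamic, statics = parse_82(config_text)
    collisions = find_port_collisions(statics)
    if collisions:
        raise ValueError(f"mapped port claimed more than once: {collisions}")
    return to_84(dynamic, statics)


# Sample input constructed from the 8.2 configuration in the question (first three statics).
SAMPLE_82 = """\
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) tcp interface 3390 192.168.0.2 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 192.168.0.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.1 3389 netmask 255.255.255.255
"""

if __name__ == "__main__":
    print("\n".join(migrate(SAMPLE_82)))
```

Run it as a script to print the translated configuration; `migrate()` raises rather than emitting a second object for an interface port that is already claimed, which is the case a hand migration tends to miss until the ASA rejects the line.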
3 REPLIES

PAT ASA 8.2 vs 8.4

Hi all,

I've been experimenting with 8.4.x and I have to say it does have some advantages.

So I think we are going to use it in our customers' firewalls.

Thanks for the replies, guys!

Kind regards,

Niels.
