ASA 8.3 – NAT

ASA 8.3 brings massive changes; the main one is the way in which the ASA handles NAT. Rather than being configured purely at the interface level, NAT is now configured within network objects.

NAT is now configured as follows:

  • Create a network object.
  • Within this object define the Real IP/Network to be translated.
  • Also within this object you can use the nat commands to specify whether the translation will be dynamic or static.

Some examples are shown below.

Configuring Static NAT or Static NAT with Port Translation

The following example configures static NAT for the real host 4.4.4.4 on the inside to 5.5.5.5 on the outside with DNS rewrite enabled.

hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 4.4.4.4
hostname(config-network-object)# nat (inside,outside) static 5.5.5.5 dns

The following example configures static NAT for the real host 4.4.4.4 on the inside to 5.5.5.5 on the outside using a mapped object.

hostname(config)# object network my-mapped-obj
hostname(config-network-object)# host 5.5.5.5
hostname(config-network-object)# object network my-host-obj1
hostname(config-network-object)# host 4.4.4.4
hostname(config-network-object)# nat (inside,outside) static my-mapped-obj

The following example configures static NAT with port translation for 12.12.12.12 at TCP port 21 to the outside interface at port 1111.

hostname(config)# object network my-ftp-server
hostname(config-network-object)# host 12.12.12.12
hostname(config-network-object)# nat (inside,outside) static interface service tcp 21 1111

Dynamic PAT (Hide NAT)

The following example configures dynamic PAT that hides the 172.16.1.0 network behind address 1.1.1.1:

hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 172.16.1.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 1.1.1.1

The following example configures dynamic PAT that hides the 172.16.1.0 network behind the outside interface address:

hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 172.16.1.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic interface

Configuring Dynamic NAT

The following example configures dynamic NAT that hides the 172.16.1.0 network behind a range of outside addresses, 1.1.1.1 – 1.1.1.10:

hostname(config)# object network my-range-obj
hostname(config-network-object)# range 1.1.1.1 1.1.1.10
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 172.16.1.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj
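
When reviewing a configuration written this way, it helps to list which objects carry static rules, since static NAT is bidirectional and publishes the real host on the mapped interface (subject to access rules). The following Python script is an added example, not part of the original post: it parses object NAT stanzas and reports the static ones. It assumes running-config layout (indented subcommands, no CLI prompts); the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample in running-config layout, reusing this page's object names.
SAMPLE_CONFIG = """\
object network my-mapped-obj
 host 5.5.5.5
object network my-host-obj1
 host 4.4.4.4
 nat (inside,outside) static my-mapped-obj
object network my-ftp-server
 host 12.12.12.12
 nat (inside,outside) static interface service tcp 21 1111
object network my-range-obj
 range 1.1.1.1 1.1.1.10
object network my-inside-net
 subnet 172.16.1.0 255.255.255.0
 nat (inside,outside) dynamic my-range-obj
"""

# nat (real_if,mapped_if) static|dynamic <mapped> [dns] [service <proto> <real> <mapped>]
NAT_RE = re.compile(r"nat \(([^,\s]+),([^)\s]+)\) (static|dynamic) (\S+)"
                    r"(?: dns)?(?: service (tcp|udp) (\S+) (\S+))?")

def parse_object_nat(config):
    """Map each object name to its real address and its NAT rule (if any)."""
    objects, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["object", "network"] and len(words) == 3:
            # setdefault merges stanzas when the same object appears twice
            current = objects.setdefault(words[2], {"real": None, "nat": None})
        elif not line[:1].isspace():
            current = None  # any other top-level line ends the stanza
        elif current is None or not words:
            continue
        elif words[0] in ("host", "subnet", "range"):
            current["real"] = " ".join(words[1:])
        elif m := NAT_RE.fullmatch(line.strip()):
            _, mapped_if, kind, mapped, proto, real_port, mapped_port = m.groups()
            service = (proto, real_port, mapped_port) if proto else None
            current["nat"] = {"kind": kind, "mapped_if": mapped_if,
                              "mapped": mapped, "service": service}
    return objects

def static_exposures(objects):
    """List static rules: (object, real address, mapped interface, mapped address, service)."""
    found = []
    for name, obj in objects.items():
        nat = obj["nat"]
        if nat and nat["kind"] == "static":
            # A mapped value may name another object; resolve it to that object's address.
            target = objects.get(nat["mapped"], {}).get("real") or nat["mapped"]
            found.append((name, obj["real"], nat["mapped_if"], target, nat["service"]))
    return found
```

Calling `static_exposures(parse_object_nat(SAMPLE_CONFIG))` returns one tuple per static rule, with a mapped object name resolved to its address and `interface` left as written.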