Cisco ASA NAT Migration


Starting with ASA version 8.3, Cisco changed how NAT is configured and processed. If you upgrade a firewall to 8.3 or later, the existing NAT and ACL configuration has to be migrated: the upgrade converts it automatically, but you need to understand the new model to verify the result.

There are two things you need to know:

  1. All NAT is built around network objects, which makes it much easier than before to change an IP address or rename an object.
  2. Access lists now match on the real (untranslated) IP addresses and ports, not on the mapped ones.

Cisco ASA ACL Migration

Pre 8.3 the ACL referenced the mapped IP address 1.2.3.4; from 8.3 onwards it references the real IP of the server, 172.16.1.120. Any ACE left pointing at a mapped address after the migration no longer matches the server's traffic.

Pre 8.3 ACL
access-list acl-outside extended permit ip any host 1.2.3.4
After 8.3+ ACL
access-list acl-outside extended permit ip any host 172.16.1.120

Cisco ASA NAT Migration

During my migration I found these examples, which helped me out.

Regular Static NAT

Pre 8.3 NAT
static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255
After 8.3+ NAT
object network obj-10.1.1.6
 host 10.1.1.6
 nat (inside,outside) static 192.168.100.100

Regular Static PAT

Pre 8.3 NAT
static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255
After 8.3+ NAT
object network obj-10.1.1.16
 host 10.1.1.16
 nat (inside,outside) static 192.168.100.100 service tcp 8080 www
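The two conversions above (ACL from mapped to real address, and `static` to object NAT) are mechanical enough to script, and scripting them gives you a check that is easy to forget by hand: an ACE that still names a mapped address after the migration. The following is an added example, not Cisco's migration code; it parses the pre-8.3 `static` forms shown here (1:1 host or subnet, and tcp/udp static PAT), emits the 8.3+ object NAT, rewrites `host <mapped>` (and for static PAT the port as well) in ACL lines, and lists any ACE still referencing a mapped address. The sample rules and ACL are constructed, modelled on the page's examples with the PAT moved to its own mapped address so the two rules do not overlap; ports are assumed to be written numerically.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not Cisco's migration code): pre-8.3 "static" -> 8.3+ object NAT,
# plus ACL rewrite from mapped to real addresses. Sample input is constructed.


@dataclass(frozen=True)
class StaticRule:
    real_if: str
    mapped_if: str
    mapped: str                    # mapped (translated) address
    real: str                      # real address configured on the host
    mask: str = "255.255.255.255"
    proto: Optional[str] = None    # "tcp"/"udp" for static PAT, None for 1:1 NAT
    mport: Optional[str] = None    # mapped port (static PAT only)
    rport: Optional[str] = None    # real port (static PAT only)


def parse_static(line: str) -> StaticRule:
    """Parse 'static (real_if,mapped_if) [tcp|udp] MAPPED [MPORT] REAL [RPORT] [netmask M]'."""
    tok = line.split()
    m = re.fullmatch(r"\((\S+),(\S+)\)", tok[1]) if len(tok) > 3 and tok[0] == "static" else None
    if not m:
        raise ValueError(f"not a static NAT line: {line!r}")
    real_if, mapped_if = m.groups()
    i = 2
    if tok[i] in ("tcp", "udp"):
        proto, mapped, mport, real, rport = tok[i:i + 5]
        i += 5
    else:
        proto = mport = rport = None
        mapped, real = tok[i:i + 2]
        i += 2
    mask = tok[i + 1] if i < len(tok) and tok[i] == "netmask" else "255.255.255.255"
    return StaticRule(real_if, mapped_if, mapped, real, mask, proto, mport, rport)


def to_object_nat(rule: StaticRule) -> List[str]:
    """8.3+ object NAT for one rule. The object is the REAL host, so in 'service'
    the real port comes first and the mapped port second (reverse of pre-8.3).
    Ports are emitted numerically; the ASA displays well-known ones by name."""
    lines = [f"object network obj-{rule.real}"]
    if rule.mask == "255.255.255.255":
        lines.append(f" host {rule.real}")
    else:
        lines.append(f" subnet {rule.real} {rule.mask}")
    nat = f" nat ({rule.real_if},{rule.mapped_if}) static {rule.mapped}"
    if rule.proto:
        nat += f" service {rule.proto} {rule.rport} {rule.mport}"
    lines.append(nat)
    return lines


def rewrite_acl(line: str, rules: List[StaticRule]) -> str:
    """Rewrite 'host <mapped> [eq <mport>]' to the real address, and for static
    PAT to the real port as well. Assumes numeric ports on both sides."""
    for r in rules:
        if r.proto:  # static PAT: address AND port change together
            line = re.sub(rf"\bhost {re.escape(r.mapped)} eq {r.mport}\b",
                          f"host {r.real} eq {r.rport}", line)
    for r in rules:
        if not r.proto and r.mask == "255.255.255.255":  # 1:1 host NAT
            line = re.sub(rf"\bhost {re.escape(r.mapped)}\b", f"host {r.real}", line)
    return line


def stale_mapped_refs(acl_lines: List[str], rules: List[StaticRule]) -> List[str]:
    """Post-migration check: ACEs still naming a mapped address. On 8.3+ such an
    ACE no longer matches the server, so its permit or deny silently stops applying."""
    mapped = {r.mapped for r in rules}
    return [ace for ace in acl_lines
            if any(re.search(rf"\b{re.escape(m)}\b", ace) for m in mapped)]


# Constructed sample: the page's two static examples, PAT on its own mapped address.
PRE_83_STATICS = [
    "static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255",
    "static (inside,outside) tcp 192.168.100.101 80 10.1.1.16 8080 netmask 255.255.255.255",
]
# Constructed pre-8.3 ACL, written against the mapped addresses as 8.2 required.
PRE_83_ACL = [
    "access-list acl-outside extended permit ip any host 192.168.100.100",
    "access-list acl-outside extended permit tcp any host 192.168.100.101 eq 80",
    "access-list acl-outside extended permit tcp any host 192.168.100.101 eq 443",
]


def migrate(statics: List[str] = PRE_83_STATICS,
            acl: List[str] = PRE_83_ACL) -> Tuple[List[str], List[str], List[str]]:
    rules = [parse_static(s) for s in statics]
    nat_cfg = [cfg for r in rules for cfg in to_object_nat(r)]
    new_acl = [rewrite_acl(a, rules) for a in acl]
    return nat_cfg, new_acl, stale_mapped_refs(new_acl, rules)


if __name__ == "__main__":
    nat_cfg, new_acl, stale = migrate()
    print("\n".join(nat_cfg + new_acl))
    for ace in stale:
        print("CHECK: still references a mapped address ->", ace)
```

The third ACE (port 443 on the PAT address) has no matching static rule, so it stays on the mapped address and is reported; that is exactly the kind of line to review by hand, because on 8.3+ it permits nothing useful and may hide a forgotten service.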

Static Policy NAT

Pre 8.3 NAT
access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
static (inside,outside) 192.168.100.100 access-list NET1
After 8.3+ NAT
object network obj-10.1.2.27
 host 10.1.2.27
object network obj-192.168.100.100
 host 192.168.100.100
object network obj-10.76.5.0
 subnet 10.76.5.0 255.255.255.224
nat (inside,outside) source static obj-10.1.2.27 obj-192.168.100.100 destination static obj-10.76.5.0 obj-10.76.5.0

Regular Dynamic PAT-1

Pre 8.3 NAT
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.168.100.100
After 8.3+ NAT
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
 nat (dmz,outside) dynamic 192.168.100.100

Regular Dynamic PAT-2

Pre 8.3 NAT
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 192.168.100.100
global (dmz) 1 192.168.1.1
After 8.3+ NAT
object network obj-10.1.2.0
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.2.0-01
 subnet 10.1.2.0 255.255.255.0
 nat (inside,dmz) dynamic 192.168.1.1

A network object can carry only one nat statement, so the same real subnet is defined a second time for the second mapped interface; the migration appends -01 to the name of the copy.

Regular Dynamic PAT-3

Pre 8.3 NAT
nat (inside) 1 0 0
global (outside) 1 interface
After 8.3+ NAT
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

Dynamic Policy NAT

Pre 8.3 NAT
object-group network og-net-src
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
object-group network og-net-dst
 network-object 192.168.200.0 255.255.255.0
object-group service og-ser-src
 service-object tcp gt 2000
 service-object tcp eq 1500
access-list NET6 extended permit object-group og-ser-src object-group og-net-src object-group og-net-dst
nat (inside) 10 access-list NET6
global (outside) 10 192.168.100.100
After 8.3+ NAT
object network obj-192.168.100.100
 host 192.168.100.100
object service obj-tcp-range-2001-65535
 service tcp destination range 2001 65535
object service obj-tcp-eq-1500
 service tcp destination eq 1500
nat (inside,outside) source dynamic og-net-src obj-192.168.100.100 destination static og-net-dst og-net-dst service obj-tcp-range-2001-65535 obj-tcp-range-2001-65535
nat (inside,outside) source dynamic og-net-src obj-192.168.100.100 destination static og-net-dst og-net-dst service obj-tcp-eq-1500 obj-tcp-eq-1500

Policy Dynamic NAT (with multiple ACEs)

Pre 8.3 NAT
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.4.0 255.255.255.0
nat (inside) 1 access-list ACL_NAT
global (outside) 1 192.168.100.100
After 8.3+ NAT
object network obj-172.29.0.0
 subnet 172.29.0.0 255.255.0.0
object network obj-192.168.100.100
 host 192.168.100.100
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
 subnet 192.168.3.0 255.255.255.0
object network obj-192.168.4.0
 subnet 192.168.4.0 255.255.255.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.3.0 obj-192.168.3.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.4.0 obj-192.168.4.0

Outside NAT

Pre 8.3 NAT
global (inside) 1 10.1.2.30-10.1.2.40
nat (dmz) 1 10.1.1.0 255.255.255.0 outside
static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
After 8.3+ NAT
object network obj-10.1.2.27
 host 10.1.2.27
 nat (inside,dmz) static 10.1.1.5
object network obj-10.1.2.30-10.1.2.40
 range 10.1.2.30 10.1.2.40
object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
 nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40

NAT & Interface PAT together

Pre 8.3 NAT
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface 
global (outside) 1 192.168.100.100-192.168.100.200
After 8.3+ NAT
object network obj-192.168.100.100_192.168.100.200
 range 192.168.100.100 192.168.100.200
object network obj-10.1.2.0
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic obj-192.168.100.100_192.168.100.200 interface

NAT & Interface PAT with additional PAT together

Pre 8.3 NAT
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 192.168.100.100-192.168.100.200
global (outside) 1 interface
global (outside) 1 192.168.100.210
After 8.3+ NAT
object network obj-192.168.100.100_192.168.100.200
 range 192.168.100.100 192.168.100.200
object network second-pat
 host 192.168.100.210
object-group network dynamic-nat-pat
 network-object object obj-192.168.100.100_192.168.100.200
 network-object object second-pat
object network obj-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic dynamic-nat-pat interface

Static NAT for a Range of Ports

Pre 8.3 NAT
Not possible: you had to write one static PAT statement per port, or fall back to a one-to-one static NAT.
After 8.3+ NAT
         (inside)                     (outside)
10.1.1.1 -------ASA-------xlate-------> 10.2.2.2
Original ports:   tcp 10000-10010
Translated ports: tcp 20000-20010
object service ports
 service tcp source range 10000 10010
object service ports-xlate
 service tcp source range 20000 20010
object network server
 host 10.1.1.1
object network server-xlate
 host 10.2.2.2

nat (inside,outside) source static server server-xlate service ports ports-xlate

Cisco ASA: http://www.cisco.com/en/US/products/ps6120/index.html


