Cisco ASA Software: Differences Between Version 8.2 and 8.3 and Later
-Cisco ASA software version 8.2 and earlier use NAT and PAT configurations that date
back to the Cisco PIX firewall and can be very complex.
-These earlier NAT and PAT configurations become difficult to organize.
-For example, the newer Cisco ASA can support up to 1024 virtual interfaces (VLANs) with
many security levels.
-Cisco ASA software version 8.3 and later use an object-oriented configuration to
overcome the constraints of the earlier configuration: an object is created for every host,
translated address, and service used in a translation, and nat commands no longer have
to be linked to one or more global commands.
-As a result, the NAT and PAT configurations are easier to manage.
For Example:
1-Static NAT:
#Pre-8.3:
(config)#static (inside,outside) 72.16.4.1 192.168.10.2 netmask 255.255.255.255
#Post-8.3:
(config)#object network inside-host
(config-object)#host 192.168.10.2
(config-object)#nat (inside,outside) static 72.16.4.1
-Both of the above say the following: traffic received on the inside interface from
192.168.10.2 is translated to 72.163.4.162 on the outside interface, and vice versa.
-In 8.2(5) and earlier, the syntax is static (inside,outside) [outside ip] [inside ip] netmask
[netmask]. I find this syntax to be counterintuitive, because it reads (inside,outside) and then
outside, inside. I am not aware of any logical reason for this.
2-Dynamic PAT:
#Pre-8.3:
asa01(config)# nat (inside) 1 192.168.10.0 255.255.255.0
asa01(config)# global (outside) 1 interface
This configuration says: Translate any traffic received on the inside interface from
192.168.10.0/24 (NAT ID 1) to the corresponding global PAT pool. In this case,
nat (inside) 1 corresponds to global (outside) 1, so anything from 192.168.10.0/24
is translated to the outside interface IP. Return traffic will be translated back to
the real IP address by checking the xlate table for the appropriate translation.
#Post-8.3:
asa01(config)# object network inside-network
asa01(config-network-object)# subnet 192.168.10.0 255.255.255.0
asa01(config-network-object)# nat (inside,outside) dynamic interface
ACL:
When defining access rules, in pre-8.3 you specify the mapped address, while in
version 8.3 and later you specify the real address. Therefore, the ACL on the ASA 8.0
will be something like:
access-list OUTSIDE-IN extended permit tcp any host 192.0.80.20 eq www
access-group OUTSIDE-IN in interface outside
Notice that we specified the mapped address above. For version 8.3 and later, however,
the ACL is configured as follows:
access-list OUTSIDE-IN extended permit tcp any host 10.0.84.20 eq www
IP Addresses Used for Access Lists When You Use NAT in ASA pre-8.3:
When you use NAT, the IP addresses that you specify for an access list depend on the
interface to which the access list is attached; you need to use addresses that are valid
on the network connected to the interface. This guideline applies for both inbound and
outbound access lists: the direction does not determine the address used, only the
interface does.
For example, if you want to apply an access list to the inbound direction of the inside
interface, you configure the ASA to perform NAT on the inside source addresses when
they access outside addresses. Because the access list is applied to the inside interface,
the source addresses are the original untranslated addresses. Because the outside
addresses are not translated, the destination address used in the access list is the real
address as shown below.
If you want to allow an outside host to access an inside host, you can apply an inbound
access list on the outside interface. You need to specify the translated address of the
inside host in the access list because that address is the address that can be used on the
outside network as shown below.
If you perform NAT on both interfaces, keep in mind the addresses that are visible to a
given interface. Figure 10-3 shows an outside server that uses static NAT so that a
translated address appears on the inside network.
IP Addresses Used for Extended ACLs When You Use NAT:
#Post-8.3:
When you use NAT or PAT, you are translating addresses or ports, typically mapping
between internal and external addresses. If you need to create an extended ACL that
applies to addresses or ports that have been translated, you need to determine whether
to use the real (untranslated) addresses or ports or the mapped ones. The requirement
differs by feature.
Using the real address and port means that if the NAT configuration changes, you do not
need to change the ACLs.
For example, if you configure NAT for an inside server, 10.1.1.5, so that it has a publicly
routable IP address on the outside, 209.165.201.5, then the access rule to allow the
outside traffic to access the inside server needs to reference the server’s real IP address
(10.1.1.5), and not the mapped address (209.165.201.5).
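As an added example (not from the original article, and not a Cisco tool), the script below does the mechanical part of the migration described in the static NAT, dynamic PAT and ACL sections above: it converts legacy static/nat/global lines into 8.3+ object NAT and rewrites outside-in ACL host entries from the mapped address to the real address, since a rule left on the mapped address no longer matches after the upgrade. The configuration text is constructed, and only interface PAT pools and host destinations in ACLs are handled.

```python
import re

# Constructed pre-8.3 snippet (sample input, not taken from a real device);
# addresses mirror the article's examples.
PRE_83 = """
static (inside,outside) 72.16.4.1 192.168.10.2 netmask 255.255.255.255
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
access-list OUTSIDE-IN extended permit tcp any host 72.16.4.1 eq www
access-group OUTSIDE-IN in interface outside
"""

STATIC_RE = re.compile(r"^static \(([^,]+),([^)]+)\) (\S+) (\S+) netmask \S+$")
NAT_RE = re.compile(r"^nat \(([^)]+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \(([^)]+)\) (\d+) (\S+)$")
ACL_HOST_RE = re.compile(r"^(access-list \S+ extended \S+ \S+ \S+ host )(\S+)(.*)$")

def migrate(config):
    """Return (object_nat_lines, acl_lines) for a pre-8.3 config fragment."""
    nat_lines, rest, nats, pools, mapped_to_real = [], [], {}, {}, {}
    for line in (l.strip() for l in config.strip().splitlines()):
        if m := STATIC_RE.match(line):
            # Legacy order is (real_if,mapped_if) MAPPED REAL; object NAT puts the real host first.
            real_if, mapped_if, mapped, real = m.groups()
            mapped_to_real[mapped] = real
            nat_lines += [f"object network host-{real.replace('.', '-')}",
                          f" host {real}", f" nat ({real_if},{mapped_if}) static {mapped}"]
        elif m := NAT_RE.match(line):
            nats[m.group(2)] = m.groups()                   # keyed by NAT ID
        elif m := GLOBAL_RE.match(line):
            pools[m.group(2)] = (m.group(1), m.group(3))    # (interface, pool)
        else:
            rest.append(line)
    # nat and global are paired only by NAT ID; object NAT names both interfaces in one line.
    for nat_id, (nat_if, _, net, mask) in nats.items():
        glob_if, pool = pools[nat_id]   # only 'interface' pools are handled in this example
        nat_lines += [f"object network net-{net.replace('.', '-')}",
                      f" subnet {net} {mask}", f" nat ({nat_if},{glob_if}) dynamic {pool}"]
    acl_lines = []
    for line in rest:
        m = ACL_HOST_RE.match(line)
        if m and m.group(2) in mapped_to_real:
            # 8.3+ ACLs match the real address; a rule left on the mapped address
            # silently stops matching after the upgrade.
            line = m.group(1) + mapped_to_real[m.group(2)] + m.group(3)
        acl_lines.append(line)
    return nat_lines, acl_lines
```

Running migrate(PRE_83) yields the two object NAT blocks shown earlier in the article and an OUTSIDE-IN entry that now permits to host 192.168.10.2 instead of 72.16.4.1.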