OK so Cisco figured there was something wrong with the way we used to do NAT configuration in a PIX/ASA. Personally I have no idea why they did this and frankly the new configuration is very confusing and the ASDM is unusable!

In the past we used the 'nat', 'global' and 'static' commands, but now only the 'nat' configuration command remains. Personally speaking I used to love the phrase 'inside outside outside inside', and anyone who did a lot of pre-8.3 NAT on an ASA will know what I'm talking about.

Anyway back to some tech. I'm going to have an inbound 1:1 static NAT for a web server.

Old school configuration would be really easy with a single 'static' nat command followed by an access-list entry. New school can use two methods:

i) Dynamic or 'Auto' NAT
ii) Manual NAT

Now clearly Cisco would like to push Auto NAT as a good thing; it certainly sounds good, doesn't it? The fact is, if you are doing anything more complicated than a simple NAT/PAT you are forced to use Manual NAT.

Here is the requirement. I have a firewall segmenting the public Internet and the private LAN. I want to present my web server with IP address 172.20.20.10 to the Internet as the public IP address 62.69.83.10.



Pre-8.3 my configuration would look like this:

First I create a static NAT entry for the host.

static (inside,outside) 62.69.83.10 172.20.20.10 netmask 255.255.255.255

Next I add the access list entry to permit access to the web ports running on HTTP and secured on HTTPS.

access-list outside permit tcp any host 62.69.83.10 eq http
access-list outside permit tcp any host 62.69.83.10 eq https

So in pre-8.3 that's all I needed to do....

Let's take a look at post-8.3.

Using Dynamic or 'Auto' NAT

First we need to create an 'object' to represent the web server (172.20.20.10). Unlike in earlier versions, the object is now the generic type used to define anything in the ASA.

ASA(config)# object network WEBSERVER_INSIDE
ASA(config-network-object)# host ?

network-object mode commands/options:
  A.B.C.D     Enter a host IP address
  X:X:X:X::X  Enter a host IPV6 address
ASA(config-network-object)# host 172.20.20.10

Next thing we need to do is define a static mapping. Crucially here we do this INSIDE the same object definition...I know - it's messed up.

ASA(config-network-object)# nat (inside,outside) static 62.69.83.10

Lastly we need to add the access-list. Now you might think this would be a walk in the park, but no. Cisco even managed to change this fundamental thing too! So now, instead of specifying the destination of the packets as the outside sees it (i.e. the global or POST-NAT address), we need to point it at the PRE-NAT or local address, i.e. 172.20.20.10.

So first of all I'm going to create a new 'object' to represent my workstation. I'll be using this object in the access list.

object network RICH_HOME
 host 1.2.3.4


I'll create an object group to define the web services

object-group service WEB_SERVICES tcp
 port-object eq www
 port-object eq https

So now let's build the access-list entry


access-list outside_in extended permit tcp object RICH_HOME object WEBSERVER_INSIDE object-group WEB_SERVICES
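To make the order-of-operations change concrete, here is a small Python model of how the inbound access check interacts with the static xlate before and after 8.3. It is an added example, not anything from the original post or from Cisco; the addresses, ports and the RICH_HOME source (1.2.3.4) are taken from the post, and the pre/post-8.3 logic is a simplified model of the behaviour described above, not an emulation of ASA code.

```python
"""Model of the 8.3 change: the ACL now sees the real (pre-NAT) address."""
from dataclasses import dataclass
from typing import List

# 1:1 static NAT from the post: real inside address -> mapped outside address.
STATIC_NAT = {"172.20.20.10": "62.69.83.10"}
UNTRANSLATE = {mapped: real for real, mapped in STATIC_NAT.items()}


@dataclass(frozen=True)
class Ace:
    src: str   # "any" or a single host address
    dst: str   # the host address the entry was written against
    port: int  # TCP destination port


# Old style entries: written against the mapped (global) address.
PRE_83_ACL = [Ace("any", "62.69.83.10", 80), Ace("any", "62.69.83.10", 443)]
# New style entries: written against the real (local) address, from RICH_HOME only.
POST_83_ACL = [Ace("1.2.3.4", "172.20.20.10", 80), Ace("1.2.3.4", "172.20.20.10", 443)]


def ace_matches(ace: Ace, src: str, dst: str, port: int) -> bool:
    return (ace.src == "any" or ace.src == src) and ace.dst == dst and ace.port == port


def inbound_permitted(acl: List[Ace], src: str, dst: str, port: int, version: str) -> bool:
    """Decide an inbound outside->inside TCP packet.

    pre83:  the ACL is evaluated on the packet as it arrives (mapped dst),
            and the static xlate rewrites the destination afterwards.
    post83: the xlate is undone first, so the ACL is evaluated on the real dst.
    """
    if version == "post83":
        dst = UNTRANSLATE.get(dst, dst)  # un-NAT before the access check
    elif version != "pre83":
        raise ValueError(f"unknown version model: {version}")
    return any(ace_matches(a, src, dst, port) for a in acl)


def stale_aces(acl: List[Ace]) -> List[Ace]:
    """Migration check: entries still written against a mapped address.

    On 8.3+ these never match inbound traffic, so the service they were
    meant to permit is silently blocked rather than exposed.
    """
    return [a for a in acl if a.dst in UNTRANSLATE]
```

Running `stale_aces` over an old-style list is the quick way to spot entries that will stop matching after the upgrade; the same hosts and ports written against the real address pass under the post-8.3 model.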

OK, I then brought up a web browser and pointed it at the host - worked a treat. Here are some show commands to demonstrate it working on the box.

ASA# show nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static WEBSERVER_INSIDE 62.69.83.10
    translate_hits = 78, untranslate_hits = 1044

asx-asa-001# show xlate
1 in use, 23 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
       e - extended
NAT from inside:172.20.20.10 to outside:62.69.83.10
    flags s idle 0:00:09 timeout 0:00:00


Looks good - did you notice the Auto NAT statement? Crazy crazy - why did they do this crazy thing.

Anyway - I can't say have fun
Good luck
© 2011 defaultrouteuk.com

Cisco, IOS, CCNA, CCNP, CCIE are trademarks of Cisco Systems Inc.
JunOS, JNCIA, JNCIP, JNCIE are registered trademark of Juniper Networks Inc.