OK so Cisco figured there was something wrong with the way we used to do NAT configuration in a PIX/ASA. Personally I have no idea why they did this and frankly the new configuration is very confusing and the ASDM is unusable!
In the past we used to use the 'nat', 'global' and 'static' commands but now have the 'nat' configuration command remains. Personally speaking I used to love the phrase 'inside outside outside inside' and anyone who did a lot of pre-8.3 NAT in an ASA would know what I'm talking about.
Anyway back to some tech. I'm going to have an inbound 1:1 static NAT for a web server.
Old school configuration would be really easy with a single 'static' nat command followed by an access-list entry. New school can use two methods:
i) Dynamic or 'Auto'' NAT
ii) Manual NAT
Now clearly Cisco would like to push Auto NAT as a good thing, it certainly sounds good doesn't it. Fact is if you are doing anything more complicated than a simple NAT/PAT you are forced to use Manual NAT.
Here is the requirement. I have a firewall segmenting the public Internet and private LAN. I want to present my web server with IP address 172.20.20.10 to the Internet as public IP add 188.8.131.52.Pre-8.3 my configuration would look like this:
First I create a static NAT entry for the host.static (inside,outside) 184.108.40.206 172.20.20.10 netmask 255.255.255.255
Next I add the access list entry to permit access to the web ports running on HTTP and secured on HTTPS.
access-list outside permit tcp any host 220.127.116.11 eq http
access-list outside permit tcp any host 18.104.22.168 eq https
So in pre-8.3 thats all I needed to do....Lets take a look at Post-8.3
Using Dynamic or 'Auto' NAT
First we need to create an 'object' to distinguish the web server (172.20.20.10). Unlike in earlier versions the object is a class of type used to distringuish anything defined in the ASA.
ASA(config)# object network WEBSERVER_INSIDE
ASA(config-network-object)# host ?
network-object mode commands/options:
A.B.C.D Enter a host IP address
X:X:X:X::X Enter a host IPV6 address
ASA(config-network-object)# host 172.20.20.10
Next thing we need to do is define a static mapping. Crucially here we do this INSIDE the same object definition...I know - it's messed up.
ASA(config-network-object)# nat (inside,outside) static 22.214.171.124
Lastly we need to add the access-list. Now you might think this would be a walk in the park but no. Cisco even managed to change this fundamental thing too! So now instead of specifying the destination of the packets from a source point of view (i.e. the Global address or POST-NAT'd address) we need to point it at the PRE-Nat'd or local address i.e. 172.20.20.10.
So first of all I'm going to create a new 'object' to add in my workstation. I'll be using this object in the access list.
object network RICH_HOME
I'll create an object group to define the web services
object-group service WEB_SERVICES tcp
port-object eq www
port-object eq https
So now lets build the access-list entryaccess-list outside_in extended permit tcp object RICH_WORK object WEBSERVER_INSIDE object-group WEB_SERVICES
OK I now brought up a web browser and pointed at the host - worked a treat. Here are some show commands to demonstrate the working on the bos.
ASA# show natAuto NAT Policies (Section 2)1 (inside) to (outside) source static WEBSERVER_INSIDE 126.96.36.199 translate_hits = 78, untranslate_hits = 1044
asx-asa-001# show xlate
1 in use, 23 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
e - extended
NAT from inside:172.20.20.10 to outside:188.8.131.52
flags s idle 0:00:09 timeout 0:00:00
Looks good - did you notice the Auto NAT statement? Crazy crazy - why did they do this crazy thing.
Anyway - I can't say have fun