Cisco ASA 8.3 has introduced major changes in how NAT is configured and operates.
This video is a excellent resource for a basic introduction to NAT on ASA 8.3 software:
Here are some quick notes that I have gathered for my reference. Feel free to post any additional comments and notes you may have to share:
show run objects
(Displays network and service objects that are in the running confg)
show run object id
(Displays a specific object)
show run nat
(Displays running config NAT configurations)
(Displays NAT policies and counters)
Use packet-tracer for testing NAT (and other things)
packet-tracer input inside tcp 10.0.0.40 4444 184.108.40.206 80
- Configure Auto-NAT:
object network inside subnet 192.168.1.0 255.255.255.0 nat (inside,outside) dynamic interface
Note: This will configure PAT onto the outside interface for the inside subnet, while at the same time configuring the network object for the inside subnet.
Configure Twice(manual) NAT:
nat (inside,outside) source dynamic inside-net translated-ip destination static cisco-dot-com cisco-dot-com
Note: You must first define the network objects for the source and destination before configuring manual NAT. In this example, the source IP address of the inside host is translated to “translated-ip” only when the dynamic host is sending a packet that is destined to “cisco-dot-com”. cisco-dot-com is entered twice because we are not translating the destination. If we wanted to translate the destination, we would do it here.
Exempt subnets from NAT because of VPN tunnel:
nat (inside,outside) static inside-net inside-net destination static vpn-subnets vpn-subnets
This statement will catch traffic on the inside trying to go to the outside. Traffic that matches the source and destination is operated on but no change is made.
- General Notes:
ASA 8.3 has two types of NAT: Auto-NAT and Twice (manual) NAT. You can use Auto-NAT for most NAT/PAT operations, except for ones that need to make a decision based upon the destination address of a packet.
With ASA 8.3, a new change called “Real IP” was introduced. Real IP means that NAT translation happens BEFORE a ACL is checked. Therefore ACLs must contain the real IP address of the host that the inbound packet is headed towards. In other words, do not write the ACL to match on the “mapped” IP address. The real IP address is normally a non-routable IP address.