
Typical NAT/PAT Configuration Comparison for ASA 8.4
Posted on January 9, 2012 by Paul Stewart, CCIE 26009 (Security)
A little while back, I posted an article that took a very simple ASA configuration and migrated it to 8.4. This article takes it a step further and focuses on NAT and PAT, as well as the related access control list changes. It only addresses typical static and dynamic source address translation scenarios; policy-based NAT and DMZ configuration will be addressed in future articles. This is an area of significant change in ASA 8.4.
For this configuration challenge, we will meet the following configuration requirements:
192.168.1.x/24 should use the outside interface IP for dynamic PAT
192.168.1.2 TCP port 80 will have a static PAT translation to 1.1.1.3 port 80
192.168.1.3 will have a static NAT (one-to-one) translation to 1.1.1.3
Note: The last two requirements overlap. The intent is that only traffic to TCP port 80 on 1.1.1.3 be delivered to 192.168.1.2. All other traffic coming in to 1.1.1.3 will go to 192.168.1.3.
For those familiar with ASA version 8.2 and earlier, the relevant configuration excerpts are found below.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,outside) tcp 1.1.1.3 www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) 1.1.1.3 192.168.1.3 netmask 255.255.255.255
//ACL Entries - note the translated addresses
access-list outside_access_in extended permit tcp any host 1.1.1.3 eq www
access-list outside_access_in extended permit tcp any host 1.1.1.3 eq smtp
access-list outside_access_in extended permit tcp any host 1.1.1.3 eq https
access-list outside_access_in extended permit icmp any host 1.1.1.3
//ACL Interface Binding
access-group outside_access_in in interface outside


If you reproduce this configuration, it is imperative that the static translations be entered in this exact order. By doing so, the one-to-one static NAT is implemented for everything except the previously entered static PAT entry, and the ASA warns about the overlap when the second line is added:
ciscoasa(config)# static (inside,outside) tcp 1.1.1.3 80 192.168.1.2 80
ciscoasa(config)# static (inside,outside) 1.1.1.3 192.168.1.3
WARNING: mapped-address conflict with existing static
TCP inside:192.168.1.2/80 to outside:1.1.1.3/80 netmask 255.255.255.255
Comparing the NAT and access-list configuration to the 8.4 equivalent, major changes are apparent. After performing an upgrade of the 8.2 configuration, the following excerpt represents the 8.4 NAT and ACL configuration.
//object definitions
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.2
host 192.168.1.2
object network obj-192.168.1.3
host 192.168.1.3
//NAT Assignments
object network obj_any
nat (inside,outside) dynamic interface
object network obj-192.168.1.2
nat (inside,outside) static 1.1.1.3 service tcp www www
object network obj-192.168.1.3
nat (inside,outside) static 1.1.1.3
//ACL Interface Binding
access-group outside_access_in in interface outside
//ACL Entries - note the real IP addresses
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq www
access-list outside_access_in extended permit tcp any host 192.168.1.3 eq smtp
access-list outside_access_in extended permit tcp any host 192.168.1.3 eq https
access-list outside_access_in extended permit icmp any host 192.168.1.3
As you can quickly see, ASA 8.4 radically changes the NAT configuration. A good way to get a grasp of the differences is to go through the upgrade process between 8.2 and 8.4 with known working configurations.
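The two points that bite during this migration are the ordering of the overlapping static entries and the fact that the 8.4 ACL is evaluated against the real (untranslated) address instead of the mapped one. The following Python model is an added illustration, not part of Paul Stewart's article or of any Cisco tool: it walks inbound packets through the article's two static translations and the outside ACL, once the 8.2 way (ACL sees the mapped address) and once the 8.4 way (ACL sees the real address). It assumes first-match ordering of the static entries, as the article's ordering requirement implies, and it ignores the outbound dynamic PAT for 192.168.1.x/24 since that does not affect the inbound decision. The packets, entry classes and function names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    dst_ip: str                     # destination as seen on the outside interface
    dst_port: Optional[int] = None  # None for icmp


@dataclass(frozen=True)
class StaticXlate:
    """One static entry: proto/port set means static PAT, otherwise one-to-one NAT."""
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None
    port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst_ip != self.mapped_ip:
            return False
        if self.proto is None:      # one-to-one: any protocol and port
            return True
        return pkt.proto == self.proto and pkt.dst_port == self.port


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    proto: str
    dst_ip: str
    dst_port: Optional[int] = None  # None: any port (or a port-less protocol such as icmp)

    def matches(self, proto: str, dst_ip: str, dst_port: Optional[int]) -> bool:
        if self.proto != proto or self.dst_ip != dst_ip:
            return False
        return self.dst_port is None or self.dst_port == dst_port


def untranslate(pkt: Packet, xlates: List[StaticXlate]) -> Optional[str]:
    """Real address for an inbound packet. Modelling assumption: first matching static
    entry wins, which is why the static PAT line must precede the one-to-one line."""
    for x in xlates:
        if x.matches(pkt):
            return x.real_ip
    return None


def acl_permits(acl: List[AclEntry], proto: str, dst_ip: str, dst_port: Optional[int]) -> bool:
    for e in acl:
        if e.matches(proto, dst_ip, dst_port):
            return e.action == "permit"
    return False                    # implicit deny at the end of every ACL


def inbound(pkt: Packet, xlates: List[StaticXlate], acl: List[AclEntry],
            acl_sees_real: bool) -> Tuple[bool, Optional[str]]:
    """Returns (permitted, real_ip). acl_sees_real=False models 8.2 (ACL on the
    mapped address); True models 8.4 (ACL on the real address)."""
    real_ip = untranslate(pkt, xlates)
    if real_ip is None:
        return (False, None)        # no translation: there is no inside host to deliver to
    acl_ip = real_ip if acl_sees_real else pkt.dst_ip
    return (acl_permits(acl, pkt.proto, acl_ip, pkt.dst_port), real_ip)


# Constructed from the article: static entries in the order the 8.2 lines must be entered
XLATES = [
    StaticXlate("1.1.1.3", "192.168.1.2", proto="tcp", port=80),   # static PAT
    StaticXlate("1.1.1.3", "192.168.1.3"),                         # static NAT
]
# 8.2-style ACL: written against the translated (mapped) addresses
ACL_82 = [
    AclEntry("permit", "tcp", "1.1.1.3", 80),
    AclEntry("permit", "tcp", "1.1.1.3", 25),
    AclEntry("permit", "tcp", "1.1.1.3", 443),
    AclEntry("permit", "icmp", "1.1.1.3"),
]
# 8.4-style ACL: the same policy written against the real addresses
ACL_84 = [
    AclEntry("permit", "tcp", "192.168.1.2", 80),
    AclEntry("permit", "tcp", "192.168.1.3", 25),
    AclEntry("permit", "tcp", "192.168.1.3", 443),
    AclEntry("permit", "icmp", "192.168.1.3"),
]
# Constructed probe packets: the four permitted services plus one that should be denied
PROBES = [
    Packet("tcp", "1.1.1.3", 80), Packet("tcp", "1.1.1.3", 25),
    Packet("tcp", "1.1.1.3", 443), Packet("icmp", "1.1.1.3"),
    Packet("tcp", "1.1.1.3", 22),
]


def migration_check(acl: List[AclEntry], xlates: List[StaticXlate],
                    probes: List[Packet]) -> Dict[str, List[bool]]:
    """Run the same probes through both engines so an ACL carried over unchanged shows up."""
    return {
        "8.2": [inbound(p, xlates, acl, False)[0] for p in probes],
        "8.4": [inbound(p, xlates, acl, True)[0] for p in probes],
    }


if __name__ == "__main__":
    for p in PROBES:
        print(p, "->", inbound(p, XLATES, ACL_84, True))
    print("8.2 ACL reused on 8.4:", migration_check(ACL_82, XLATES, PROBES))
```

Running it shows the two pitfalls directly: with the 8.2 ACL reused on the 8.4 engine every probe is denied, because the ACL names 1.1.1.3 while the packet has already been untranslated to 192.168.1.x; and with the static entries reversed, TCP 80 is delivered to 192.168.1.3 instead of 192.168.1.2, which is the overlap the ASA's mapped-address warning is pointing at.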
