You, Me and NAT 8.3

NAT on ASA 8.3 and higher

It is important to know that the change from 8.2 to 8.3 was massive. It did divide ASA users to a point some felt cheated or disheartened by Cisco’s actions. I admittedly picked it up rather quickly though others who are been using the family for years had a tougher time. The biggest change comes in the syntax. ASA 8.3 and higher leverages the use of object-orientated configuration which allowed the overcoming of 8.2 caveats. The biggest bonus is the ability to scale firewall rule bases. Other features such as the keyword any, defining translations as objects, and ACL, MPF, AAA features matching the real/un-translated address.

Order of Operations – 8.3 and higher ASA

  1. Manual NAT
  2. Auto NAT
  3. Manual NAT after Auto

It is important to understand that NAT translations are now treated much like an access-list. It is best to place the most specific rules at the top and lease specific towards the bottom.

Configuring Auto NAT – 8.3 ASA

This new version of NAT is easiest to configure. It also goes by the name of Object NAT. There are three types of auto NAT configurations.

  1. Static NAT – one to one translation for static hosts. Adds in  a permanent connection entry.
  2. Dynamic NAT – allows multiple uses of single pool of addresses. PAT is used when address pool is full.
  3. Dynamic PAT – allows multiple addresses to use one or more  translated addresses simultaneously.

Auto NAT – Static NAT – 8.3 ASA

The configuration of Static NAT in the 8.3 software is very different but very scalable.

object network internal-mail
host 192.168.16.23
object network internal-mail-outside
host 203.66.23.84
object network internal-mail
nat (inside,any) static internal-mail-outside

Here we define two objects. internal-mail and internal-mail-outside with their respective IP addresses. We then define under internal-mail the NAT we want to take place. The ASDM configuration window resides at Configuration > Firewall > Objects > Network Objects/Groups.

Auto NAT – Dynamic NAT – 8.3 ASA

Dynamic Translations of NAT in 8.3 again utilize objects. A subnet is defined here opposed to a 1:1 mapping of addresses like static NAT.

object network 172.16.23.0_NET
subnet 172.16.23.0 255.255.255.0
nat (inside,outside) dynamic interface

The object we define in this part is actually an entire subnet. We are allowing the subnet 172.16.23.0/24 to be natted to the IP address of the outside interface. This type of NAT is generally what is applied to an end-user subnet. The ASDM configuration window resides at Configuration > Firewall > Objects > Network Objects. Select Network Object from the dropdown. When filling out the information it is important to tick Add Automatic Address Translation Rules.

Manual NAT – 8.3 ASA

Manual NAT takes precedence over auto NAT in the translation table. Manual NAT can also be configured to be processed after auto NAT. This allows for a fall back scenario and deterministic failover. It can be configured on both source and destination IP addresses; this is known as Twice NAT.

object network 10.10.1.0_NET
subnet 10.10.1.0 255.255.255.0
object network 65.242.123.97_outside
host 65.242.123.97
object network 184.63.22.23_MAIL
host 184.63.22.23
nat (inside,outside) source dynamic 10.10.1.0_NET 65.242.123.97_outside destination static 184.63.22.23_MAIL 184.63.22.23_MAIL

So what is happening here? First we begin by translating packets from the inside to outside with (inside,outside). Source dynamic translate the source IP with dynamic translation. 10.10.1.0_NET 65.242.123.97_outside will translate source IP packets defined in the object 10.10.1.0_NET to global addresses defined by the object 65.242.123.97_outside. Destination static defines destination IP translation as static and the object 184.63.22.23_MAIL is the destination IP that is set to not be translated.

The ASDM configuration window resides at Configuration > Firewall > NAT Rules > and select the Add NAT Rule Before “Network Object” NAT dropdown.

Twice NAT – Source and Destination NAT

There are occasions where RFC 1918 addresses overlap. When they do Twice NAT has its place. Lower ranges in this address space are commonly used by all kinds of networks; Twice NAT can be configured to avoid this.

object network INSIDE-CUSTA-NET
subnet 192.168.1.0 255.255.255.0
object network 192.168.10.11_PAT
host  192.168.10.11
object network 192.168.10.0_NET
network 192.168.10.0 255.255.255.0
object network 192.168.11.0_NET
network 192.168.11.0 255.255.255.0
nat (inside,CUST_A) source dynamic INSIDE-CUSTA-NET 192.168.10.11_PAT destination static 192.168.1.0_NET 192.168.11.0_NET


After defining our objects we then apply the NAT statement. The traffic that now flows from the interface inside to CUST_A is now subject to translation rules. The dynamic source of the translation is the object network INSIDE-CUSTA-NET to network defined by 192.168.10.11_PAT. Destination static will translate the destination IP address using static translations. 192.168.1.0_NET 192.168.11.0_NET will translate addresses that are defined by 192.168.11.0_NET to addresses defined by 192.168.1.0_NET.

The ASDM configuration window resides at Configuration > Firewall > NAT Rules > and select the Add NAT Rule Before “Network Object” NAT dropdown.

Manual NAT after Auto NAT – 8.3 ASA

This type of NAT allows for translations after not meeting the criteria of more specific matches.

nat (any,outside) after-auto 1 source dynamic 192.168.16.0_NET 203.86.14.0_NET_OUT

The biggest difference in this command is the after-auto. This is what sets it to translate after auto NAT has been processed. The ASDM configuration window resides at Configuration > Firewall > NAT Rules > and select the Add NAT Rule After “Network Object” NAT dropdown.

Directional NAT

Directional NAT translations are based upon the direction of the request. If the source object that is defined makes a request it is only translated once. By default a NAT translation occurs both ways.

nat (inside,dmz14) source static MAIL-14-INT MAIL-14-EXT unidirectional

The keyword unidirectional is what allows this function to take place. The ASDM configuration window resides at Configuration > Firewall > NAT Rules > Edit NAT Rule.

NAT Caveats

It is important to know where NAT can be used and where NAT will cause headaches. The list below is situations where NAT will cause you to have a bad day.

  • Embedded IP addressing
  • End-to-end encryption
  • Authenticated IP packets
    • IP headers
    • TCP headers
    • IPSEC
  • 8.2 ASA NAT changes configuration of ACL, AAA, MPF due to the fact 8.2 references the post-NAT IP.

5 thoughts on “You, Me and NAT 8.3”

  1. Thank U for nice post,
    But I need to point U on obviouse mistake in article with regard to Twice Nat.
    While U have statement “… destination static 192.168.1.0_NET 192.168.11.0_NET” it will translate addresses that are defined by 192.168.1.0_NET to addresses defined by 192.168.11.0_NET, but not “that are defined by 192.168.11.0_NET to addresses defined by 192.168.1.0_NET”

  2. So when one encounters this object and NAT statement, how should it be interpreted?

    object network data-network
    subnet 10.0.0.0 255.0.0.0
    nat (inside,outside) static 10.0.0.0

    Does it mean that any hosts within the /8 network will use their real IP and just do PAT?

  3. So when we find something like this:

    object data-network
    subnet 10.0.0.0 255.0.0.0
    nat (inside,outside) static 10.0.0.0

    Does this mean hat we’re keeping the real IP from the host and just doing PAT?

Leave a Reply

Your email address will not be published. Required fields are marked *


*