Cisco ASA: NAT after 8.2

Version 8.3 of the Cisco ASA software introduced many changes.

The most confusing one for those familiar with earlier versions is the way NAT is now configured.

The steps in general are:
1. Define a network object
2. Define the IP address or range to be translated
3. Define the NAT type

Static NAT:
# object network obj-192.168.1.2
# host 192.168.1.2
# nat (inside,outside) static 8.8.8.8

PAT:
# object network obj-192.168.1.2
# host 192.168.1.2
# nat (inside,outside) static interface service tcp 25 25

Dynamic NAT:
# object network obj-192.168.1.0
# subnet 192.168.1.0 255.255.255.0
# nat (inside,outside) dynamic interface

Note: an object can carry only one “nat” statement, so if you need several PATs for the same host (e.g. SMTP and HTTP), you need to define a separate object for each.

For PAT where the real and mapped ports differ:
# object network obj-192.168.1.2
# host 192.168.1.2
# nat (inside,outside) static interface service tcp www 8080

meaning that traffic hitting the outside interface on port 8080 is forwarded to 192.168.1.2:80. Since 8.3 the access list references the real address and real port (not the mapped ones), so the entry should look like:
# access-list outside_access_in extended permit tcp any object obj-192.168.1.2 eq www
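As an added example (not part of the original post), here is a small Python generator that applies the one-nat-per-object rule above when emitting several port forwards, including two for the same host, and writes the matching access-list entries with the real port. The object naming scheme and the sample forwards are my own assumptions.

```python
from typing import List, Tuple

# Constructed sample input: (real host, protocol, real port, mapped port).
# The second entry is the post's www -> 8080 forward; the first is its SMTP one.
FORWARDS: List[Tuple[str, str, int, int]] = [
    ("192.168.1.2", "tcp", 25, 25),
    ("192.168.1.2", "tcp", 80, 8080),
    ("192.168.1.3", "tcp", 443, 443),
]


def object_name(host: str, proto: str, real_port: int) -> str:
    """One object per (host, service): a second nat line on the same object
    would replace the first, so the service has to be part of the name."""
    return f"obj-{host}-{proto}{real_port}"


def port_forward_config(forwards, real_ifc="inside", mapped_ifc="outside",
                        acl="outside_access_in") -> List[str]:
    """Return ASA 8.3+ CLI lines: one network object with one static PAT
    each, followed by the matching inbound access-list entries."""
    lines: List[str] = []
    used_names = set()      # enforces the one-nat-per-object rule
    taken_mapped = {}       # (proto, mapped port) -> object holding it
    for host, proto, real_port, mapped_port in forwards:
        name = object_name(host, proto, real_port)
        slot = (proto, mapped_port)
        # A repeated name would put a second nat line on one object (the
        # later one replaces the earlier); a repeated slot would make two
        # objects claim the same interface port. Both are config errors.
        if name in used_names or slot in taken_mapped:
            raise ValueError(f"conflict for {name} on {proto}/{mapped_port}")
        used_names.add(name)
        taken_mapped[slot] = name
        lines += [
            f"object network {name}",
            f" host {host}",
            f" nat ({real_ifc},{mapped_ifc}) static interface "
            f"service {proto} {real_port} {mapped_port}",
        ]
    for host, proto, real_port, _ in forwards:
        # Since 8.3 the ACL on the mapped interface names the real address
        # (the object) and the real port, never the mapped port.
        lines.append(f"access-list {acl} extended permit {proto} any "
                     f"object {object_name(host, proto, real_port)} eq {real_port}")
    return lines


if __name__ == "__main__":
    print("\n".join(port_forward_config(FORWARDS)))
```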


Some people wonder what the point of these changes is. The main advantage is that objects make configuration changes easier (unless you configure the ASA through ASDM rather than the CLI).
For example, if you have a group of servers behind your firewall and need to add one more, you don’t need to rewrite the whole access list; you only add one more host to the object group:

hostname(config)# object-group network denied
hostname(config-network)# network-object host 10.1.1.4
hostname(config-network)# network-object host 10.1.1.78
hostname(config-network)# network-object host 10.1.1.89

hostname(config-network)# object-group network web
hostname(config-network)# network-object host 209.165.201.29
hostname(config-network)# network-object host 209.165.201.16
hostname(config-network)# network-object host 209.165.201.78

hostname(config-network)# access-list ACL_IN extended deny tcp object-group denied object-group web eq www
hostname(config)# access-list ACL_IN extended permit ip any any
hostname(config)# access-group ACL_IN in interface inside


So Cisco is moving toward this object-based logic.


More info can be found here:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html