Posted by The blogging Desk on Mon, Nov 08, 2010

- by Chad, "The Machine", Weaver
Alright, I think I have had enough time to wrap my head around the changes to the ASA code in the newest release to share some of the biggest ones with you. The newest release is any code version 8.3 and higher. I've been configuring ASA and PIX firewalls as well as Cisco routers, so it took me a little time to get used to the differences in configuration structure between the ASA/PIX and the routers.
I had a great grasp on the concepts thanks to my time invested in those routers. When you work for a top notch IT Support company serving the Philadelphia area, these things come in handy. But in this new release there is a curve ball when it comes to NAT. These changes are going to make the transition a little tough, but I think as everyone gets used to this new way of doing things it will be second nature again very soon. I also want to provide a few examples of the old way vs. the new way to get you started. One last thing before I jump into the examples: if you're planning on upgrading from 8.2 or below to 8.3, be advised that 8.3 has a greater memory requirement, and some ASAs sold previously will need a memory upgrade to meet it.
I want to give a quick explanation of the new way of doing things before we jump into some details and basic examples. The way we configure NAT now involves creating network objects (object network) to define the addresses being translated, and using the nat keyword inside that object to create the translation. The translation is configured directly in the network object rather than in the global configuration, as was the previous way.
Examples:
For the first example I want to go over the standard NAT for your inside addresses to a single public address, or a dynamic PAT.
The old commands looked something like this.
hostname(config)# global (outside) 1 1.1.1.1
hostname(config)# nat (inside) 1 192.168.1.0 255.255.255.0
This would translate the inside addresses of 192.168.1.0/24 to 1.1.1.1.
New commands:
hostname(config)# object network Inside-nat-object
hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 1.1.1.1
These commands produce the same result, but as you can see, where the nat configuration lives is quite different from 8.2: it now sits inside the network object.
Let's not forget an example of interface overload, or dynamic PAT using the outside interface address.
hostname(config)# object network Inside-nat-object
hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic interface
Same basic idea here: define what you are translating, then, with the nat keyword, define how to translate it.
Next let’s take a look at a couple static NAT and PAT commands for different uses, and that should cover most basic configuration needs to get you started. I may do a follow up post with a much more in-depth look at some of the more advanced configurations.
Example:
Mapping a single host IP to an external IP through a static NAT used to look like this (in the 8.2 static command the mapped, or public, address comes first and the real address second):
hostname(config)# static (inside,outside) 1.1.1.2 192.168.1.2 netmask 255.255.255.255
New:
hostname(config)# object network my-first-NAT
hostname(config-network-object)# host 192.168.1.2
hostname(config-network-object)# nat (inside,outside) static 1.1.1.2
To expand on this idea, if we want to translate a specific service, HTTP (TCP port 80) for this example, it would look like this.
hostname(config)# object network my-first-webnat
hostname(config-network-object)# host 192.168.1.2
hostname(config-network-object)# nat (inside,outside) static 1.1.1.2 service tcp 80 80
These examples should get you going in the right direction.
These are just some of the technical aspects you don't have to worry about with Trigon working for you. Who wants to worry about all that mumbo jumbo? Not you, friend. If you think you need Trigon to take a look at your network infrastructure, give us a call.
