Why to use Identity NAT for VPNs in ASA 8.3 and above?

Question: Why do we use Identity NAT for VPN traffic if NAT isn’t a mandatory requirement in ASA 8.3 and above?

Answer: If your VPNs are terminated on the outside interface and a Dynamic PAT is configured on that interface, then all traffic flowing in the direction of the Dynamic PAT (e.g. inside to outside) will be matched against it and translated as per the Dynamic PAT rule, VPN-bound traffic included. This is why you have to define Identity NATs: they differentiate the VPN traffic from normal traffic and are matched before the Dynamic PAT, so the VPN traffic leaves untranslated.

So, to sum it up:

1. If you have a Dynamic PAT or any other form of NAT that shadows your VPN traffic then you need to define the Identity NAT statements and make sure they are at the top of the Unified NAT table.

2. And if you have a Dynamic PAT or any other form of NAT that does not shadow your VPN traffic at all, then you need not define any NAT statements.

The direction of the NAT is important.
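As an added example (not from the original post), here is the Identity NAT the answer describes, written in ASA 8.3+ Twice NAT syntax. The object names and subnets are assumed for illustration, and the Dynamic PAT is written as a Manual NAT rule so that its position in the Unified NAT table actually matters.

```text
! (constructed example) local LAN behind the ASA and the remote VPN LAN
object network INSIDE_LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE_VPN_LAN
 subnet 10.2.2.0 255.255.255.0
!
! Dynamic PAT for Internet-bound traffic. On its own it also matches
! inside -> remote-VPN packets, so they would be PATed to the outside
! address and never match the VPN policy.
nat (inside,outside) source dynamic INSIDE_LAN interface
!
! Identity NAT: real = mapped for both source and destination. The
! line number 1 inserts it above the PAT rule within Section 1
! (Manual NAT), so VPN traffic is matched here first and leaves
! untranslated.
nat (inside,outside) 1 source static INSIDE_LAN INSIDE_LAN destination static REMOTE_VPN_LAN REMOTE_VPN_LAN
!
! Verify the rule order and which rule a VPN-bound packet hits:
!   show nat
!   packet-tracer input inside tcp 10.1.1.10 1025 10.2.2.10 80
```

In the packet-tracer output the NAT phase should report the identity rule (line 1) rather than the Dynamic PAT; if it reports the PAT, the identity rule is shadowed and has to be moved up.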


Static NAT (ASA 8.3/8.4)

Configuring Static NAT as a Network Object NAT/Auto NAT:

1. Create a Network Object

2. Define the Real IP

3. Create a Static NAT inside the ‘network object’ itself

ASA(config)# object network websrv_realip
ASA(config-network-object)# host <real-ip>
ASA(config-network-object)# nat (dmz,outside) static <mapped-ip>

(<real-ip> and <mapped-ip> are placeholders for the server's real address and its translated address; the actual addresses are not shown in this excerpt.)

— You can either use the network object name or the real IP in your access lists.

— You can only define one host per network object.

Configuring Static NAT as a Twice NAT/Manual NAT:

1. Create the required network objects that need to be referenced in the Twice NAT/Manual NAT syntax.

2. Create the Static NAT in ‘global configuration mode’, referencing those network objects wherever required.

Understanding NAT and NAT Rule Order (ASA 8.3/8.4)

First of all, there is no such thing as ‘nat-control’ any more, so you either define a NAT or you don’t. Traffic that does not match any NAT rule is allowed to pass through the ASA without any translation (like NAT exemption, but without explicitly configuring it; more like an implicit NAT exemption). The static and global keywords are deprecated; now it’s all about ‘nat’.

In ASA 8.3 and above, Cisco has come up with two ‘major’ categories/sections of NAT: Manual NAT and Auto NAT. In Cisco’s documentation they are called Twice NAT and Network Object NAT respectively, but in the show command’s output the NAT rules are classified under Manual and Auto.
