Cisco PIX/ASA 8.3 Command Changes {NAT / Global / Access-List}

KB ID 0000247

Problem

I posted to a forum the other day; the poster had a problem with their VPN, and basically my response was, “Your Nat statements look bizarre – what is this config from?”. At this point I realised 8.3 had brought in some syntax changes. There are quite a few changes in the OS; this article touches on the things I see on my clients' firewalls, so all eventualities are NOT covered. The main areas of change are NAT/PAT.

Warning: Before upgrading to version 8.3 (or newer) check you have enough RAM.

Solution

No More NAT and Global commands.

Basically there is no more global command, and we are now a lot more reliant on network objects and object groups.

If you are port forwarding (Static PAT) then DNS rewrite will no longer work.

NAT 0 (or no NAT) no longer exists.

OLD – Regular PAT – 1 External IP to ALL internal IP addresses

[box]

nat (inside) 1 0 0
global (outside) 1 interface

[/box]

NEW – Regular PAT – 1 External IP to ALL internal IP addresses

[box]

object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface

[/box]

OLD – Regular PAT – 1 External IP to an Internal Subnet

[box]

nat (inside) 2 192.168.1.0 255.255.255.0
global (outside) 2 interface

[/box]

NEW – Regular PAT – 1 External IP to an Internal Subnet

[box]

object network obj_internal_subnet
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface

[/box]

OLD – Static PAT (Port Forwarding – one port to the same port)

[box]

access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq 3389
static (inside,outside) tcp interface www 10.254.254.5 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.254.254.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.254.254.5 3389 netmask 255.255.255.255

[/box]

NEW – Static PAT (Port Forwarding – one port to the same port)

[box]

object network OBJ-10.254.254.5-WWW
host 10.254.254.5
nat (inside,outside) static interface service tcp www www
object network OBJ-10.254.254.5-SMTP
host 10.254.254.5
nat (inside,outside) static interface service tcp smtp smtp
object network OBJ-10.254.254.5-RDP
host 10.254.254.5
nat (inside,outside) static interface service tcp 3389 3389
access-list inbound extended permit tcp any object OBJ-10.254.254.5-WWW eq www
access-list inbound extended permit tcp any object OBJ-10.254.254.5-SMTP eq smtp
access-list inbound extended permit tcp any object OBJ-10.254.254.5-RDP eq 3389

[/box]

OLD – Static PAT (Port Forwarding – one port to a different port)

[box]

access-list inbound extended permit tcp any interface outside eq 3390
access-list inbound extended permit tcp any interface outside eq 3391
!
static (inside,outside) tcp interface 3390 192.168.1.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 192.168.1.2 3389 netmask 255.255.255.255

[/box]

NEW – Static PAT (Port Forwarding – one port to a different port)

[box]

object network Internal_RDP_Server-1
host 192.168.1.1
nat (inside,outside) static interface service tcp 3389 3390
object network Internal_RDP_Server-2
host 192.168.1.2
nat (inside,outside) static interface service tcp 3389 3391
!
access-list inbound extended permit tcp any object Internal_RDP_Server-1 eq 3389
access-list inbound extended permit tcp any object Internal_RDP_Server-2 eq 3389
!
access-group inbound in interface outside

[/box]

OLD – Static NAT (One to One NAT)

[box]

!
static (inside,outside) 123.123.123.123 192.168.1.10 netmask 255.255.255.255
!
access-list inbound extended permit tcp any host 123.123.123.123 eq www
!

[/box]

NEW – Static NAT (One to One NAT)

[box]

!
object network OBJ-Web-Server-Int
host 192.168.1.10
object network OBJ-Web-Server-Ext
host 123.123.123.123
nat (inside,outside) source static OBJ-Web-Server-Int OBJ-Web-Server-Ext
!
access-list inbound extended permit tcp any object OBJ-Web-Server-Int eq www
!

[/box]

OLD – No NAT (seen mainly – but not always – on VPN traffic)

[box]

nat (inside) 0 access-list EXEMPT
access-list EXEMPT extended permit ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0

[/box]

NEW – No NAT

[box]

object network obj-10.254.254.0
subnet 10.254.254.0 255.255.255.0
object network obj-172.16.254.0
subnet 172.16.254.0 255.255.255.0
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-172.16.254.0 obj-172.16.254.0

[/box]

Note: For a full walkthrough on configuring VPNs with ASA version 8.3 and above see the following article:

Cisco ASA Site to Site VPN from CLI

Access Lists

For as long as I can remember, when you allowed access to an IP address on a PIX/ASA you allowed access to its translated IP address. NOW YOU DO NOT: you allow access to its “pre-translation” (real) address.

OLD Access List and Static NAT

[box]

access-list inbound extended permit tcp any host 123.123.123.123 eq www
access-group inbound in interface outside
static (inside,outside) 123.123.123.123 10.254.254.5 netmask 255.255.255.255

[/box]

NEW Access List and Static NAT

[box]

access-list inbound extended permit tcp any host 10.254.254.5 eq www
access-group inbound in interface outside
object network obj-10.254.254.5
host 10.254.254.5
nat (inside,outside) static 123.123.123.123

[/box]
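Worked example, added here and not part of the original article: a small Python script that mechanically rewrites the old `static ... tcp interface` port forwards and their access-list entries into the 8.3 object form, with the ACL pointing at the pre-translation (real) host and port. The object naming (OBJ-<ip>-<port>) and the single static form it handles are assumptions; the input is the article's own "one port to a different port" example.

```python
import re

# Added example (not from the article): rewrite a pre-8.3 "static ... tcp interface"
# port forward and its access-list entry into the 8.3 object-based form, pointing
# the ACL at the real (pre-translation) host and port as 8.3 requires.
# Assumption: only the "interface <mapped-port> <real-ip> <real-port>" static form is handled.

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp interface "
    r"(?P<mapped_port>\S+) (?P<real_ip>[\d.]+) (?P<real_port>\S+) net ?mask 255\.255\.255\.255$"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit tcp any interface \w+ eq (?P<port>\S+)$"
)

def convert_static_pat(old_lines):
    """Return the 8.3 equivalent of the old static PAT + ACL lines."""
    statics = [m.groupdict() for m in map(STATIC_RE.match, old_lines) if m]
    new_lines, by_mapped_port = [], {}
    for s in statics:
        # One network object per real host/port; the mapped port lives on the nat line.
        name = f"OBJ-{s['real_ip']}-{s['real_port']}"
        by_mapped_port[s["mapped_port"]] = (name, s["real_port"])
        new_lines += [
            f"object network {name}",
            f" host {s['real_ip']}",
            f" nat ({s['real_if']},{s['mapped_if']}) static interface "
            f"service tcp {s['real_port']} {s['mapped_port']}",
        ]
    for line in old_lines:
        m = ACL_RE.match(line)
        if not m:
            continue
        if m["port"] not in by_mapped_port:
            # An ACL on a mapped port with no static behind it cannot be rewritten:
            # on 8.3 it would have to name a real host the old config never gave.
            raise ValueError(f"no static translation for port {m['port']}: {line}")
        name, real_port = by_mapped_port[m["port"]]
        new_lines.append(
            f"access-list {m['name']} extended permit tcp any object {name} eq {real_port}"
        )
    return new_lines

# Constructed input: the article's own "one port to a different port" example.
OLD_CONFIG = [
    "access-list inbound extended permit tcp any interface outside eq 3390",
    "access-list inbound extended permit tcp any interface outside eq 3391",
    "static (inside,outside) tcp interface 3390 192.168.1.1 3389 netmask 255.255.255.255",
    "static (inside,outside) tcp interface 3391 192.168.1.2 3389 netmask 255.255.255.255",
]

if __name__ == "__main__":
    print("\n".join(convert_static_pat(OLD_CONFIG)))
```

The script refuses to convert an ACL that permits a mapped port with no matching static, since on 8.3 such a rule has no real host to name and would otherwise be silently lost.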

Note: For more information on Static NAT see the following article.

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall


Related Articles, References, Credits, or External Links

Original Article Written: 10/05/10

ASA – Memory Error (Post upgrade to version 8.3)