Cisco ASA firewall has upgraded its command line at the version 8.3 and changed a lot of configurations from their previous style. I recently faced two cases about NO-NAT in both version and want to leave a quick note here.
- inside IP address: 188.8.131.52/24
- outside IP address: 184.108.40.206/24
- traffic go through from inside interface to outside interface
An access-list is needed to filter the interested traffic. This access-list is then used in NAT 0 to ensure all traffic defined in it is not NATed.
access-list NO-NAT permit ip 220.127.116.11 255.255.255.0 18.104.22.168 255.255.255.0 nat (inside) 0 access-list NO-NAT
Begin in 8.3
ASA gave up the configuration style used before for NO-NAT and mandated to use network object. Network object was introduced earlier and more flexible (Configure Object Groups), though, it was popular in configurations. The new style uses two network objects to define traffic which doesn't need to be NATed, then render them in new NAT configuration style.
object network INSIDE subnet 22.214.171.124 255.255.0.0 object network OUTSIDE subnet 126.96.36.199 255.255.0.0 nat (inside,outside) source static INSIDE INSIDE destination static OUTSIDE OUTSIDE
Subscribe to Idea Switching
Get the latest posts delivered right to your inbox