Cisco ASA 8.4 – No more Global Address Pools


There are a couple of ways to do NAT/PAT assignments in 8.4, as you might expect. Unless you really do have a single network object that represents the entire inside network, I recommend not using the network-object (auto) NAT method and instead defining the rule "outside" of the network-object framework, as a manual (twice) NAT rule.

So first define a network object for the range of external IPs used for dynamic NAT, and then a second object for the single external IP address used for PAT. In the CLI it looks like this (these are external IPs, just to be clear):

object network nat-range1
range 209.103.0.150 209.103.0.154

object network pat-ip1
host 209.103.0.155

You can do the same easily from the ASDM, but I wanted to make sure the size of the block was visible as a range instead of a subnet.

(screenshot: asa-84-dnat-2)

Now, from the NAT page, create a new Dynamic rule.

(screenshot: asa-84-dnat-31)

The NAT pool rule should look like this when done; I use inside to Outside2 here.

(screenshot: asa-84-dnat-4)


Note the nat-range object, which replaces what used to be the global address "pool".

Now add a PAT rule. Its address can't overlap with the NAT pool, etc. Don't choose Round Robin, as it's memory intensive. I believe I read that 8.4 has an issue where it can run out of certain types of PAT ports (it tries to group all ports below 1024 together, etc.) that, from what I gather, is fixed in 8.51 <sigh>

In the NAT rules pane, choose Add NAT Rule after "Network Object" NAT Rules (in the CLI this is the after-auto keyword).

It should look like this when done; I moved it to the top for clarity.

(screenshot: asa-84-dnat-6)

I recommend making this change separately from other work so it can be tested on its own. TEST for a couple of hours and make sure it is NATting and PATting correctly under load, is my advice.
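For reference, here is the CLI equivalent of the ASDM steps above, as an added example that is not part of the original post. The object names, external addresses and interface names (inside, Outside2) are the post's own; the rule lines, the use of "any" as the real source, and the show commands are my assumptions about how the screenshots translate to the CLI.

```cisco
! Added example: CLI equivalent of the ASDM procedure above (not from the original post).
! Object names, addresses and interface names come from the post; the rest is assumed.

! 1. Mapped addresses: the dynamic NAT range (formerly the global "pool")
!    and the single host used for PAT. The two must not overlap.
object network nat-range1
 range 209.103.0.150 209.103.0.154
object network pat-ip1
 host 209.103.0.155

! 2. Dynamic NAT rule, inside -> Outside2, for any inside source.
!    A manual (twice) NAT rule with no line number and no after-auto lands in
!    section 1, ahead of the network-object (auto) NAT rules.
nat (inside,Outside2) source dynamic any nat-range1

! 3. PAT rule placed after the network-object NAT rules, which is what ASDM's
!    'Add NAT Rule after "Network Object" NAT Rules' does (after-auto keyword).
!    A single-host mapped object yields dynamic PAT rather than one-to-one NAT.
nat (inside,Outside2) after-auto source dynamic any pat-ip1

! 4. Checks for the "test it under load" step: confirm rule order and watch the
!    per-rule hit counters, then inspect the live translation table and its size.
show nat detail
show xlate
show xlate count
```

While running the load test, `show xlate` should show one-to-one entries drawn from 209.103.0.150-154 and, once those are taken, port-translated entries on 209.103.0.155. If the two-rule form does not keep translating after the five-address range is exhausted, the ASA also supports PAT fallback within a single rule: put both objects into one object-group (`object-group network` with `network-object object nat-range1` and `network-object object pat-ip1`) and use that group as the mapped object in a single `source dynamic any` rule; the ASA documents that, in a mapped group containing both ranges and hosts, the ranges are used for dynamic NAT and the hosts for PAT fallback. Use one form or the other, not both, since NAT rules are first-match.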

  1. #1 by felix001 on January 5th, 2013

    Hey, great article. You may also find this article useful as well if you are trying to learn 8.3 onwards…

    http://www.fir3net.com/Cisco-ASA/cisco-asa-83-nat.html
