Cisco ASA 8.3 NAT

Cisco ASA Version 8.3 (and now 8.4) has been out and shipping for quite some time. Based around our own experiences, and some feedback from customers we’ve been researching.

The following link provides a really helpful overview of what has changed in version 8.3 and higher.

http://www.thenetworker.co.uk/blog/?p=1

It’s fair to say that NAT in 8.3 does cause confusion and is a radical departure from what was in place previously. In our minds, it’s much more aligned to the way that Check Point performs NAT on its platforms.

It is also worth pointing out that, in our experience, migrating from 8.2 to 8.3 does not work smoothly, or in some cases at all, and you will almost definitely need to rebuild your NAT from scratch at version 8.3. If you’re planning an upgrade to 8.3 or 8.4, please bear in mind that you may need to completely rework your NAT.

For most people this is not a massive issue, as typically you may have a couple of static NAT entries, some exclusions for VPN traffic, and a dynamic interface-based statement to catch everything else. However, if you have anything a little more complex, like policy NAT, make sure you test and test again to ensure it’s all working OK.
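As an added illustration (not configuration from the original post), here is the typical trio described above (a static NAT entry, a VPN exclusion and a dynamic interface catch-all) in pre-8.3 syntax and rebuilt for 8.3 and later. All addresses are constructed documentation and private ranges, and the object and ACL names (WEB-SRV, INSIDE-NET, REMOTE-VPN, NONAT, OUTSIDE-IN) are hypothetical.

```cisco
! ---------- Pre-8.3 (8.2 and earlier) ----------
! Static NAT: real 192.168.1.10 published as 203.0.113.10
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
! VPN exclusion (NAT exemption) towards the remote site 10.10.0.0/16
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
! Dynamic interface PAT to catch everything else
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
! The outside ACL references the MAPPED (public) address
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq 443

! ---------- 8.3 and later ----------
! Static NAT as object (auto) NAT
object network WEB-SRV
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10
! VPN exclusion as identity twice NAT. Manual NAT is evaluated before
! object NAT, so this wins over the dynamic PAT rule further down.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-VPN
 subnet 10.10.0.0 255.255.0.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static REMOTE-VPN REMOTE-VPN
! Dynamic interface PAT to catch everything else
object network INSIDE-NET
 nat (inside,outside) dynamic interface
! The outside ACL now references the REAL (private) address. An ACL entry
! left pointing at 203.0.113.10 no longer matches the published server.
access-list OUTSIDE-IN extended permit tcp any host 192.168.1.10 eq 443
```

After a rebuild, `show nat detail` lists the rules in evaluation order, and `packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 443` (constructed source address) shows which NAT rule and ACL entry a given flow actually hits.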

Barry Hesk
