ASA 8.0 & NAT-Control

Hello,


I have a FW pair that I will upgrade 8.0 --> 8.3 --> 9.x

Currently, NAT is enforced with nat-control.

If I remove nat-control, can someone confirm that the FWs will continue to follow the NAT rules even though it is no longer enforced?

The goal is to remove unnecessary rules in preparation for the upgrade to 9.x (i.e. simplify the config). But the FWs must continue to operate as normal.


--


Is it true that to go sec-lvl:

HIGH-LOW

LOW-HIGH

only the relevant ACL then needs to permit/deny in the interface ACL in >8.3?


Thanks!

Comments

  • Hi Crusty,

    After 8.3 code, the nat-control feature disappeared. You can understand it as follows:
    - Once a new session is coming to the ASA, it will check if there is an explicit ACL on the interface that permits the traffic. If not, it will check if the packet is coming from a higher security level to a lower security level and in this case, it will permit it.
    - Regarding NAT, as long as the ASA matches a NAT rule (if the destination is in the routing table or using the default route), it will NAT it. Otherwise, the traffic will pass without NAT.

    Please note that when upgrading ASA, the configuration is migrated automatically to match new code.

    Best regards,
    Moustafa

  • If you remove NAT-control, clearly NOTHING will be affected, and yes, at that point NAT no longer controls what traffic can traverse the firewall; at this point security levels and ACLs will control what traffic can traverse the firewall.

    However, once you remove NAT-control, it means that ideally you should remove many NAT statements which are now useless, and do nothing else but create confusion.

    Also, as you upgrade to 8.3 and above, even though technically speaking the NAT configuration will be automatically migrated to the new NAT, DON'T count on it working; you're better off migrating the NAT config manually. NAT configuration migration works well ONLY when the existing NAT config on the ASA is clean and specific, which very rarely happens, as many engineers touch base with the ASA and add NAT statements without ever considering what's already in there.

  • Cristian,

    I did think that switching off nat-control would do nothing but that the NAT rules would still be in effect. Is that correct? The FW must only filter with ACLs essentially.


    What I want to do is simplify this upgrade by removing nat-control, then any unnecessary NATing as a part of a prior clean-up.


    Also, - I've been going through SEC ATCv4 (I've done RS, SP training with BM in 2013 in London). My current contract focus is ASA - would I get better benefit from a refresher of one of your ASA courses at a lower level? I have AAP as well. I haven't put my hands on ASA since 2011.


    What would you recommend?


    Thanks for the advice

  • Correct, remove NAT-control and manually remove any NAT statements which were required just because NAT-control was turned on.

    In the end, if you remain with many NAT rules, chances are that the automatic NAT config migration will not work and you'll have to do it manually.

    As a refresher, watch the CCIE SC ATC for ASA videos, and also watch the recorded version of the CCIE SC Bootcamp and just watch the NAT section; there is a lot in there.
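Added example to illustrate the clean-up and migration discussed above; this is not configuration from the original poster or from any of the commenters. It shows a minimal pre-8.3 NAT configuration of the kind the question describes beside its 8.3+ equivalent. The interface names, object names and addresses (10.1.1.0/24 inside, 10.2.2.0/24 as a VPN peer network, 203.0.113.10 as the mapped address of an inside web server) are hypothetical, and the `!` lines are annotations.

```cisco
! ===== Pre-8.3 (8.0): nat-control enforced =====
! With nat-control, an inside->outside flow that matches no nat/static
! rule is DROPPED, so identity rules (nat 0) exist purely to satisfy it.
nat-control
! Identity NAT for site-to-site VPN traffic (hypothetical peer 10.2.2.0/24)
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Dynamic PAT for the inside network to the outside interface address
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
! Static NAT: mapped 203.0.113.10 <-> real 10.1.1.10 (hypothetical web server)
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
! Pre-8.3 the interface ACL matches the MAPPED address
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside

! ===== 8.3 and later: nat-control no longer exists =====
! Traffic that matches no NAT rule is forwarded untranslated, and whether it
! is allowed at all is decided by the interface ACL (or, absent one, by the
! security levels).
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network WEB_SRV
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
object network VPN_REMOTE
 subnet 10.2.2.0 255.255.255.0
! The old "nat (inside) 0 access-list NONAT" becomes a twice NAT identity
! rule. It is still needed here, because without it the dynamic rule on
! INSIDE_NET would PAT the VPN traffic; twice NAT in section 1 is evaluated
! before object NAT, so this wins. If no other rule would translate the
! traffic, the identity rule could simply be dropped.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_REMOTE VPN_REMOTE
! From 8.3 the interface ACL matches the REAL (untranslated) address
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV eq 443
access-group OUTSIDE_IN in interface outside
```

After migrating, the two checks worth running before trusting the result are `show nat detail` (confirm the rule order and hit counts are what you expect, and that the identity rule sits in section 1 above the dynamic rule) and `packet-tracer input inside tcp 10.1.1.50 1025 10.2.2.5 443` (confirm the VPN-bound flow hits the identity rule and not the PAT rule). The change that most often breaks inbound access silently is the ACL one: any pre-8.3 interface ACL that referenced a mapped address must be rewritten against the real address, or the permit will never match.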
