Wednesday, 10 February 2016

NAT'ing with IOS 8.3+

With the introduction of IOS 8.3 there were some fundamental changes to the way NAT'ing was done.

One of these changes was that NAT exemptions (NAT 0) no longer exist; instead you are now required to configure an Identity NAT. Depending on the scenario this can be done using either Auto NAT or Manual NAT. For example, if we wanted to ensure that traffic between two networks is omitted from being NAT'd, we could define a Policy Based Identity NAT, e.g.:
object network internal_network
object network vpn_network
nat (dmz,outside) source static internal_network internal_network destination static vpn_network vpn_network no-proxy-arp route-lookup
The NAT rule above translates the source to itself only when the destination matches; if the destination is different the rule simply isn't used and the next rule in the NAT table is evaluated.

The way in which ACLs are applied on interfaces has also changed with 8.3. Pre 8.3, when allowing traffic that was to be NAT'd on an interface you would define an explicit rule to allow the untranslated packet access inbound, for example:

In the event that a packet was destined for your outside interface, which was assigned a public IP of , and a NAT rule then forwarded this packet by NAT translation to an IP ( ) in your DMZ, you would add an ACL to permit traffic to . In 8.3, however, the packet is untranslated before the interface ACLs are checked, which means we instead add a rule allowing access to the DMZ IP ( ).

Auto NAT is configured within a network object. An advantage of Auto NAT is that the ASA will automatically order the rules (static before dynamic, more specific before less specific), preventing collisions. This comes at the price of granularity, as you are unable to make a translation decision based on the destination, unlike with manual NAT.

An example of Auto NAT that provides dynamic PAT for inside clients out to the internet:

object network inside-subnet
 nat (inside,outside) dynamic interface

Manual NAT (twice NAT)

An example of manual NAT, statically translating a single internal host to a single outside address (the nat statement must name the real and mapped interfaces):

object network inner_ip

object network outside_ip

nat (inside,outside) source static inner_ip outside_ip
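To make the three behaviours described above concrete (section ordering of manual versus Auto NAT, the destination-aware identity NAT, and the 8.3 change of checking the interface ACL against the untranslated address), here is a small Python model of the ASA's unified NAT table. It is an added illustration, not code from the original post or from Cisco; all addresses, interface names and object names other than those quoted from the post are constructed for the example, and the ordering rules are a simplified version of the real ASA behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class NatRule:
    """One entry in the unified NAT table (section 1 = manual NAT, section 2 = Auto NAT)."""
    name: str
    section: int
    real_if: str                     # interface on the real (untranslated) side
    mapped_if: str                   # interface on the mapped (translated) side
    real_src: Net
    mapped_src: Optional[Net]        # None = dynamic PAT to the mapped interface address
    real_dst: Optional[Net] = None   # None = any destination (Auto NAT cannot match on destination)

    def matches_outbound(self, in_if: str, src: Addr, dst: Addr) -> bool:
        return (in_if == self.real_if and src in self.real_src
                and (self.real_dst is None or dst in self.real_dst))


def ordered(rules):
    """Section 1 keeps configured order; section 2 is auto-ordered: static first, then longest prefix."""
    def key(item):
        i, r = item
        if r.section == 1:
            return (1, 0, 0, i)
        return (2, 0 if r.mapped_src is not None else 1, -r.real_src.prefixlen, i)
    return [r for _, r in sorted(enumerate(rules), key=key)]


def translate_outbound(rules, in_if, src, dst, mapped_if_addr):
    """Return (rule name, mapped source) for a packet entering on in_if; first match wins."""
    for rule in ordered(rules):
        if rule.matches_outbound(in_if, src, dst):
            if rule.mapped_src is None:
                return rule.name, mapped_if_addr          # dynamic PAT to the interface address
            if rule.mapped_src == rule.real_src:
                return rule.name, src                     # identity NAT: source mapped to itself
            offset = int(src) - int(rule.real_src.network_address)
            return rule.name, rule.mapped_src.network_address + offset   # static 1:1
    return None, src                                      # no rule matched: passes untranslated


def untranslate_inbound(rules, in_if, dst):
    """8.3+: a packet arriving on the mapped side is un-NATed before the interface ACL is checked."""
    for rule in ordered(rules):
        if rule.mapped_if == in_if and rule.mapped_src is not None and dst in rule.mapped_src:
            offset = int(dst) - int(rule.mapped_src.network_address)
            return rule.real_src.network_address + offset
    return dst


def acl_permits(acl, dst_real):
    """Inbound ACL on the outside interface, evaluated against the already-untranslated destination."""
    return any(dst_real in net for net in acl)


# Constructed sample addressing (the post elides the real values); 203.0.113.0/24 is a documentation range.
internal_network = Net("10.10.0.0/24")     # DMZ hosts
vpn_network = Net("192.168.50.0/24")       # remote VPN network
inside_subnet = Net("10.20.0.0/24")
inner_ip = Net("10.10.0.5/32")
outside_ip = Net("203.0.113.5/32")
OUTSIDE_IF_ADDR = Addr("203.0.113.1")

RULES = [
    # nat (dmz,outside) source static internal_network internal_network destination static vpn_network vpn_network
    NatRule("identity-vpn", 1, "dmz", "outside", internal_network, internal_network, vpn_network),
    # object network internal_network / nat (dmz,outside) dynamic interface   (listed before the static on purpose)
    NatRule("pat-dmz", 2, "dmz", "outside", internal_network, None),
    # object network inner_ip / nat (dmz,outside) static outside_ip
    NatRule("static-inner", 2, "dmz", "outside", inner_ip, outside_ip),
    # object network inside-subnet / nat (inside,outside) dynamic interface
    NatRule("pat-inside", 2, "inside", "outside", inside_subnet, None),
]


def demo():
    internet = Addr("198.51.100.9")
    real_dst = untranslate_inbound(RULES, "outside", Addr("203.0.113.5"))
    return {
        "dmz_to_vpn": translate_outbound(RULES, "dmz", Addr("10.10.0.7"), Addr("192.168.50.9"), OUTSIDE_IF_ADDR),
        "dmz_to_internet": translate_outbound(RULES, "dmz", Addr("10.10.0.7"), internet, OUTSIDE_IF_ADDR),
        "inner_ip_to_internet": translate_outbound(RULES, "dmz", Addr("10.10.0.5"), internet, OUTSIDE_IF_ADDR),
        "inside_to_internet": translate_outbound(RULES, "inside", Addr("10.20.0.3"), internet, OUTSIDE_IF_ADDR),
        "inbound_real_dst": real_dst,
        "acl_on_real_ip": acl_permits([inner_ip], real_dst),       # 8.3+ style: permits
        "acl_on_mapped_ip": acl_permits([outside_ip], real_dst),   # pre-8.3 style: no longer matches
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows that DMZ traffic to the VPN network is matched by the section 1 identity rule and leaves with its own source address, the same hosts going to the internet fall through to PAT, the static Auto NAT entry is selected ahead of the dynamic one even though it was configured second, and an inbound ACL written against the mapped public address no longer matches because the destination has already been untranslated when the ACL is evaluated.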

