In network security, NAT (Network Address Translation) plays a crucial role in enabling seamless communication between networks. Previously, when organizations needed to make two networks fully accessible to one another, they used a NAT configuration known as **Bidirectional NAT** or **NAT Exemption**. This was especially relevant in Cisco ASA devices prior to version 8.3.
After the release of ASA 9.7, there was a significant shift in how NAT configurations were handled. Let's explore the older approach, the reasons behind its evolution, and how we currently configure NAT in the post-9.7 ASA environment to allow full network communication.
---
### 1. **The Old Approach: NAT Exemption (Pre-9.7)**
Before ASA 9.7, the method to allow two networks to communicate freely without modifying their IPs (for example, an internal network communicating with a partner network) was to configure **NAT Exemption**. NAT Exemption allowed traffic to bypass NAT, meaning that packets retained their original source and destination addresses as they traversed the firewall.
This was done using the **static NAT** configuration along with an **Access Control List (ACL)** to permit specific traffic. The process looked something like this:
1. Define an inbound ACL to control what traffic is allowed.
2. Create a static NAT rule for the network-to-network translation.
3. Apply the NAT rule and the ACL to ensure that traffic originating from both sides was allowed through.
This method required several manual steps, was prone to configuration mistakes, and had limitations in terms of flexibility, especially as network demands evolved.
---
### 2. **The New Approach: Object NAT and Twice NAT (Post-9.7)**
In ASA versions post-9.7, Cisco introduced significant changes to the NAT configuration process. The two primary types of NAT in this version are **Object NAT** and **Twice NAT**. The modern approach simplifies the NAT process and provides more flexibility, especially when handling multiple interfaces and complex NAT requirements.
Let’s take a deeper dive into these two methods:
#### a) **Object NAT**
Object NAT is easier to configure and is best suited for simple, one-to-one translations. It is a more streamlined method where NAT is tied directly to network objects. The NAT rule is created within the object, simplifying management.
Example Configuration:

```
! Real (inside) network; the nat statement lives inside the object itself
object network LOCAL-NETWORK
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Partner network, referenced later by name
object network REMOTE-NETWORK
 subnet 192.168.1.0 255.255.255.0
```
Here, **Object NAT** translates the `LOCAL-NETWORK` subnet when traffic leaves the `inside` interface, translating it dynamically to the IP address of the `outside` interface.
#### b) **Twice NAT**
Twice NAT, also known as manual NAT, provides more granular control over NAT policies. This type of NAT allows both source and destination IP addresses to be translated, offering bidirectional NAT functionality in more complex setups. This is the recommended approach for full network-to-network communication.
Unlike Object NAT, Twice NAT is more flexible and supports overlapping subnets, making it useful for complex environments.
Example Configuration:

```
object network LOCAL-NETWORK
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-NETWORK
 subnet 192.168.1.0 255.255.255.0
! Real and mapped objects are identical on both sides: an identity (no-translation) rule
nat (inside,outside) source static LOCAL-NETWORK LOCAL-NETWORK destination static REMOTE-NETWORK REMOTE-NETWORK
```

In this **Twice NAT** example, the real and mapped objects are the same on both the source and destination side, so traffic between `LOCAL-NETWORK` and `REMOTE-NETWORK` passes the firewall with its original addresses intact. This identity rule is what provides the full bidirectional accessibility needed between the two networks.
---
### 3. **Key Steps for Full Network-to-Network Communication (Post-9.7)**
To configure full communication between two networks using modern NAT methods on ASA post-9.7, follow these steps:
#### Step 1: Define Network Objects
Define the internal and external networks as objects. This helps simplify the NAT process, as you’re working with clear, named entities.
```
object network LOCAL-NETWORK
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-NETWORK
 subnet 192.168.1.0 255.255.255.0
```
#### Step 2: Configure Twice NAT for Full Accessibility
Using Twice NAT, configure static source and destination translations between the networks to allow for full communication.
```
nat (inside,outside) source static LOCAL-NETWORK LOCAL-NETWORK destination static REMOTE-NETWORK REMOTE-NETWORK
```

Because each object is mapped to itself, this command tells the firewall to pass traffic between the two networks in both directions without altering their IP addresses.
#### Step 3: Set Up Inbound Access Control Lists (ACL)
To allow the actual traffic through the firewall, you will need to configure ACLs. Post-9.7, the inbound ACLs are still crucial for security purposes, as they define what traffic can pass through.
```
access-list OUTSIDE_IN extended permit ip object LOCAL-NETWORK object REMOTE-NETWORK
access-list OUTSIDE_IN extended permit ip object REMOTE-NETWORK object LOCAL-NETWORK
```
This example ACL allows IP traffic to flow between `LOCAL-NETWORK` and `REMOTE-NETWORK` in both directions.
#### Step 4: Apply the ACL to the Outside Interface
After defining the ACL, it needs to be applied to the appropriate interface (typically, the outside interface).
```
access-group OUTSIDE_IN in interface outside
```
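The four steps above are easy to get half-right: a twice NAT rule that is not a true identity rule, or an identity rule whose outer interface has no inbound permit for the remote side, silently breaks one direction. The following added example (not part of the original post or of Cisco's tooling) audits an ASA configuration text for exactly that pattern; the sample configuration is constructed here to mirror the steps above.

```python
import re

# Constructed sample ASA configuration fragment (not from a real device);
# it mirrors the identity twice-NAT + inbound ACL pattern described above.
SAMPLE_CONFIG = """
object network LOCAL-NETWORK
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-NETWORK
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static LOCAL-NETWORK LOCAL-NETWORK destination static REMOTE-NETWORK REMOTE-NETWORK
access-list OUTSIDE_IN extended permit ip object REMOTE-NETWORK object LOCAL-NETWORK
access-group OUTSIDE_IN in interface outside
"""

NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip object (\S+) object (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def audit_identity_nat(config: str) -> list[str]:
    """Return one finding per twice-NAT rule: whether it is a true identity rule
    (real == mapped on both sides) and whether the ACL applied inbound on the
    outer interface permits traffic initiated from the remote network."""
    nats, acls, groups = [], {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nats.append(m.groups())
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)  # interface name -> ACL applied inbound
    findings = []
    for inner, outer, real_src, map_src, real_dst, map_dst in nats:
        pair = f"{real_src}->{real_dst}"
        if real_src != map_src or real_dst != map_dst:
            findings.append(f"{pair}: translates addresses (not identity NAT)")
            continue
        acl = groups.get(outer)
        if acl is None:
            findings.append(f"{pair}: no inbound ACL on {outer}; remote-initiated traffic blocked")
        elif (real_dst, real_src) not in acls.get(acl, set()):
            findings.append(f"{pair}: {acl} lacks permit {real_dst} -> {real_src}")
        else:
            findings.append(f"{pair}: identity NAT with matching inbound permit on {outer}")
    return findings
```

Feed it the output of `show running-config` to check every identity rule at once; the regexes only recognise the object-based forms shown in this post.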
---
### 4. **Benefits of the New Approach**
Post-9.7 NAT brings several advantages over the old methods:
- **Simplified Configuration:** With Object NAT, you can define NAT policies directly within network objects, reducing complexity.
- **Increased Flexibility:** Twice NAT allows for more sophisticated NAT rules that can handle overlapping subnets, multiple interfaces, and more complex traffic patterns.
- **Granular Control:** You can specify both source and destination translations, providing precise control over how traffic is handled between different networks.
- **Better Security:** By leveraging ACLs and security levels alongside the NAT configuration, traffic can be more securely managed and filtered.
---
### Conclusion
The transition to post-9.7 NAT methods in Cisco ASA has significantly improved the way we handle network-to-network communication. Object NAT simplifies common use cases, while Twice NAT offers the flexibility required for more complex setups, such as full bidirectional communication between two networks. These changes provide network administrators with powerful tools to ensure both seamless communication and robust security.
If you're upgrading from an older ASA version or working on a new deployment, leveraging the post-9.7 NAT architecture will streamline your operations, reduce configuration errors, and give you more control over how traffic flows between your networks.
---
By following these best practices, you can easily configure NAT on Cisco ASA devices post-9.7, allowing two networks to fully communicate with each other while maintaining high security standards.