Hello Joe,
So I am fairly new to 8.3+ myself but have been doing some reading/research and this is what I have found out. There are actually 3 ways to do NAT in the newer code:

1. Manual NAT
2. Auto Object NAT
3. Manual NAT after Auto Object NAT, or what some people call Twice NAT

If you do a "show nat" and you have all 3 types configured you will see which section each NAT entry falls under.

So Auto Object NAT is where you create an object and then in the object itself you configure NAT, which I believe would be the recommended way to configure NAT. Auto Object NAT is listed in Section 2.

Now, since there is no longer the concept of a NAT Exempt, the way to configure Identity NAT for VPN would be with Manual NAT. Manual NAT is listed in Section 1, and since it is before Auto Object NAT the firewall will process this rule first.

Manual NAT after Auto Object NAT is where you can define a NAT for not only the source address but the destination address as well, and that is why some people refer to this option as "double NAT" or "twice NAT".

I really liked the older way as well, but the more I play with 8.4+ the more benefits I realize and the easier it gets to understand. So take this as a scenario: you have a 6-interface firewall and need to configure access from 4 DMZ interfaces to the inside interface. The old way would force you to create a NAT entry for each interface and then multiple ACLs. Now you can create an object and define a NAT statement from "any to any" interface, and just create the 1 object and then create a Global ACL, and truly minimize the configuration tasks.

Hopefully this helps.

Thank you,
James

From: [email protected] [mailto:[email protected]] On Behalf Of Joe Astorino
Sent: Tuesday, June 18, 2013 10:14 AM
To: OSL Security
Subject: [OSL | CCIE_Security] ASA 8.4 dynamic PAT

Hi guys,

Just starting down the road of the new ASA NAT. I have a simple question. I see there are 2 ways you can do dynamic PAT:

1) Auto NAT

object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

2) Manual NAT

nat (inside,outside) source dynamic any interface

Any preference as to which one and why? Most examples I see are referencing the auto NAT method for this purpose. I know manual NAT is ahead of auto NAT from a precedence standpoint, just wondering why one might use one or the other?

Sigh...I miss the old way

--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
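Editor's added example, not James's or Joe's configuration: an ASA 8.4 NAT layout that puts the three sections the thread discusses side by side for James's 6-interface scenario, using both of Joe's dynamic PAT forms. The interface names (inside, outside, dmz1 through dmz4), the subnets, the object names, the VPN peer network and the port in the global ACL are all assumptions made up for the example.

```cisco
! Added example (not from the thread). Interface names, subnets, object
! names and the VPN peer network below are assumptions.
!
! Real-address objects.
object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
object network REMOTE-VPN-NET
 subnet 192.168.100.0 255.255.255.0
object network DMZ-NETS
 subnet 172.16.0.0 255.255.0.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
!
! Section 1 - manual NAT. Checked before anything in section 2, in the
! order configured. Identity NAT for the site-to-site VPN replaces the
! pre-8.3 "nat (inside) 0 access-list" exemption: source and destination
! both keep their real addresses, so the dynamic PAT in section 2 never
! touches VPN traffic. Without this line, inside-to-192.168.100.0/24
! would match the obj_any PAT below and break the tunnel.
! no-proxy-arp and route-lookup need 8.4(2) or later.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static REMOTE-VPN-NET REMOTE-VPN-NET no-proxy-arp route-lookup
!
! Section 2 - auto (object) NAT. Rules are NOT evaluated in the order
! typed: static rules before dynamic ones, then longer prefixes before
! shorter, then by object name.
!
! One identity rule on one object covers all four DMZ interfaces talking
! to inside instead of a per-interface rule. 8.3+ needs no NAT rule just
! to pass traffic; this rule pins DMZ-to-inside flows to their real
! addresses so no broader dynamic rule can ever translate them. The
! egress is limited to inside on purpose: an (any,any) identity rule
! would also claim DMZ-to-Internet traffic, because static beats dynamic
! in this section, and the DMZ would lose its PAT.
object network DMZ-NETS
 nat (any,inside) static DMZ-NETS no-proxy-arp
!
! Joe's form 1: dynamic PAT as object NAT, for inside hosts only.
object network obj_any
 nat (inside,outside) dynamic interface
!
! Section 3 - manual NAT after auto NAT. Checked only when nothing in
! sections 1 or 2 matched. Joe's form 2, moved here with after-auto so it
! is a catch-all for the DMZ interfaces rather than a rule that would
! precede every object rule if left in section 1.
nat (any,outside) after-auto source dynamic any interface
!
! One global ACL (8.3+) instead of an ACL per DMZ interface. Interface
! ACLs, where present, are evaluated before the global ACL. The inside
! permit is explicit rather than relying on the implicit
! higher-to-lower-security behaviour once a global ACL exists.
access-list GLOBAL-IN extended permit tcp object DMZ-NETS object INSIDE-NET eq 443
access-list GLOBAL-IN extended permit ip object INSIDE-NET any
access-group GLOBAL-IN global
!
! Verification: "show nat" prints the rules grouped under the three
! section headings, which is how to confirm where each one landed.
! packet-tracer's NAT phase names the rule a given flow actually hits.
show nat
packet-tracer input dmz1 tcp 172.16.1.10 40000 10.1.1.5 443
packet-tracer input inside tcp 10.1.1.5 40000 192.168.100.20 445
packet-tracer input dmz2 tcp 172.16.2.10 40000 198.51.100.10 80
```

The three packet-tracer runs are meant to land in sections 2, 1 and 3 respectively (DMZ identity rule, VPN identity rule, after-auto PAT); if the second one shows the obj_any PAT instead, the section 1 rule is missing or its objects do not match the real VPN networks.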
