https://community.cisco.com/t5/network-security/nat-conversion/m-p/2725031#M178481 <P>Hi</P><P>Im busy working through converting an 8.2 config to the new nat procedures.</P><P>can someone clarify if my interpretation of this nat is correct please.</P><P>&nbsp;</P><P>8.2</P><P>nat (dmz) 0 10.1.1.0 255.255.255.0</P><P>&nbsp;</P><P>8.4 upwards</P><P>object network OBJ-10.1.1.0-24</P><P>&nbsp; &nbsp; &nbsp;subnet 10.1.1.0 255.255.255.0</P><P>&nbsp;</P><P>nat (dmz,any) after-auto source static&nbsp;OBJ-10.1.1.0-24&nbsp;OBJ-10.1.1.0-24</P><P>&nbsp;</P><P>Im placing it after any other nats in section 3.</P> Tue, 12 Mar 2019 06:39:07 GMT mickyq 2019-03-12T06:39:07Z https://community.cisco.com/t5/network-security/nat-conversion/m-p/2725031#M178481 <P>Hi</P><P>Im busy working through converting an 8.2 config to the new nat procedures.</P><P>can someone clarify if my interpretation of this nat is correct please.</P><P>&nbsp;</P><P>8.2</P><P>nat (dmz) 0 10.1.1.0 255.255.255.0</P><P>&nbsp;</P><P>8.4 upwards</P><P>object network OBJ-10.1.1.0-24</P><P>&nbsp; &nbsp; &nbsp;subnet 10.1.1.0 255.255.255.0</P><P>&nbsp;</P><P>nat (dmz,any) after-auto source static&nbsp;OBJ-10.1.1.0-24&nbsp;OBJ-10.1.1.0-24</P><P>&nbsp;</P><P>Im placing it after any other nats in section 3.</P> Tue, 12 Mar 2019 06:39:07 GMT https://community.cisco.com/t5/network-security/nat-conversion/m-p/2725031#M178481 mickyq 2019-03-12T06:39:07Z https://community.cisco.com/t5/network-security/nat-conversion/m-p/2725032#M178482 <P>Hi,</P><P>The new NAT statement that you are applying is a static translation to its own.</P><P>Please check this link for difference in statements in 8.2 and 8.3 &nbsp;and above :</P><P>https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples</P><P>&nbsp;</P><P>Regards,</P><P>Pulkit Saxena</P> Fri, 25 Sep 2015 15:26:17 GMT https://community.cisco.com/t5/network-security/nat-conversion/m-p/2725032#M178482 Pulkit Saxena 2015-09-25T15:26:17Z https://community.cisco.com/t5/network-security/nat-conversion/m-p/2725033#M178483 <P>Hi</P><P>I haven't worked with NAT pre-8.2, so I'm not really comfortable with it.</P><P>But I think that in pre-8.2 NAT you did identity NAT because of NAT control, meaning you have to have a NAT statement or the traffic wont pass the ASA. That is not the case anymore. So if you want traffic to go from the DMZ to the inside you don't need a NAT statement for it.</P><P>So without knowing how your network looks like, I would say you do not need that NAT rule you are describing.</P> Sat, 26 Sep 2015 19:57:27 GMT https://community.cisco.com/t5/network-security/nat-conversion/m-p/2725033#M178483 Henrik Grankvist 2015-09-26T19:57:27Z https://community.cisco.com/t5/network-security/nat-conversion/m-p/2725034#M178484 <PRE> nat (dmz,any) after-auto source static OBJ-10.1.1.0-24 OBJ-10.1.1.0-24</PRE> <P>&nbsp;</P> <P>It's OK but I prefer section 1 (i. e. without <STRONG>after-auto</STRONG>)</P> <P>&nbsp;</P> <P>However, noNAT / identity NAT statements should usually be restricted to RFC1918 destination subnets. Your example may not enable DMZ hosts' traffic to the Internet to be NATed.</P> <P>&nbsp;</P> Sun, 27 Sep 2015 18:36:45 GMT https://community.cisco.com/t5/network-security/nat-conversion/m-p/2725034#M178484 Peter Koltl 2015-09-27T18:36:45Z https://community.cisco.com/t5/network-security/nat-conversion/m-p/2725035#M178485 <P>Thanks for you replies guys.</P><P>I believe you are all correct.</P><P>What I think ill do is not apply this nat unless I come across any problems. I can then try applying it to section 1.</P><P>&nbsp;</P><P>Thanks again.</P> Mon, 28 Sep 2015 07:37:42 GMT https://community.cisco.com/t5/network-security/nat-conversion/m-p/2725035#M178485 mickyq 2015-09-28T07:37:42Z