topic Will that work? Should I add in Network Security

ASA 9.x NAT Configuration

cyoung1981 — Tue, 12 Mar 2019 06:15:10 GMT

Hello,

I'm looking for a little help. I have a new ASA running version 9 and need to get my NAT statements back on. I see that there is quite a bit of difference between the way I know how to do NAT and the changes implemented in version 8.3. I'm a little confused with what I read. Are there no longer any global statements? I need to convert the following lines, any help would be greatly appreciated.

global (outside) 1 10.10.144.51-10.10.144.254 netmask 255.255.255.0
global (outside) 1 10.10.144.47 netmask 255.255.255.255
global (outside) 1 10.10.144.46 netmask 255.255.255.255
global (outside) 2 10.10.144.50 netmask 255.0.0.0

global (outside) 3 10.10.144.45 netmask 255.0.0.0
global (outside) 4 10.10.144.44 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 10.10.145.0 255.255.255.0
nat (inside) 0 10.10.146.0 255.255.255.0
nat (inside) 0 10.10.147.0 255.255.255.0
nat (inside) 0 10.10.148.0 255.255.255.0
nat (inside) 0 10.10.149.0 255.255.255.0
nat (inside) 0 10.10.150.0 255.255.255.0
nat (inside) 3 guest 255.255.255.0
nat (inside) 0 192.191.90.0 255.255.255.0
nat (inside) 2 academy 255.255.254.0
nat (inside) 4 mobile 255.255.252.0
nat (inside) 1 0.0.0.0 0.0.0.0

I know I now have to use the network objects command to break this out and apply nat statements. The part I don't get is how? Do I make network objects using my old global statements and then apply the nat? So confused!

First off, why do you have

Marius Gunnerud — Sat, 11 Jul 2015 18:02:30 GMT

First off, why do you have som many Global 1 NAT statements? are some of those old?

The part I don't get is how? Do I make network objects using my old global statements and then apply the nat? So confused!

For the dynamic NAT statements used with global, you would create a network object for nat (inside) 1 0.0.0.0 0.0.0.0 and then nest a NAT statement under that object. For example:

object network ANY
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic 10.10.144.47

For NAT 0 / NAT exempt you would use twice NAT where you specify the source IP, translated source IP, destination IP, and translated destination IP. So for a VPN twice NAT statement from 10.10.10.0/24 to 11.11.11.0/24 would look like this:

object network LOCAL
subnet 10.10.10.0 255.255.255.0

object network REMOTE
subnet 11.11.11.0 255.255.255.0

nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE

Please remember to select a correct answer and rate helpful posts

Ok, so for my global

cyoung1981 — Sat, 11 Jul 2015 18:21:09 GMT

Ok, so for my global statements I could use this ?

object network GLOBAL_NAT
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic 10.10.144.47
nat (inside,outside) dynamic 10.10.144.47
nat (inside,outside) dynamic 10.10.144.46
nat (inside,outside) dynamic 10.10.144.45
nat (inside,outside) dynamic 10.10.144.44

I'm also assuming global (outside) 1 10.10.144.51-10.10.144.254 netmask 255.255.255.0 would need to be broken down into individual lines?

Then I'm still left with:

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 10.10.145.0 255.255.255.0
nat (inside) 0 10.10.146.0 255.255.255.0
nat (inside) 0 10.10.147.0 255.255.255.0
nat (inside) 0 10.10.148.0 255.255.255.0
nat (inside) 0 10.10.149.0 255.255.255.0
nat (inside) 0 10.10.150.0 255.255.255.0
nat (inside) 3 guest 255.255.255.0
nat (inside) 0 192.191.90.0 255.255.255.0
nat (inside) 2 academy 255.255.254.0
nat (inside) 4 mobile 255.255.252.0
nat (inside) 1 0.0.0.0 0.0.0.0

Would I then just create an object for each nat # (0, 1, 2, 3, 4) and apply the statements to each? And would it still use the subnet 0.0.0.0 0.0.0.0 since there aren't any specific translations configured?

Sorry if any of these questions seem dumb, I'm still learning.

Ok, so for my global

Marius Gunnerud — Sat, 11 Jul 2015 18:54:44 GMT

Ok, so for my global statements I could use this ?

No, each NAT statement would overwrite the previous so you would need to configure seperate objects for each NAT statement. But why are you doing this? Traffic would only end up using one of these statements. You would need to be more specific with your object group subnet.

I'm also assuming global (outside) 1 10.10.144.51-10.10.144.254 netmask 255.255.255.0 would need to be broken down into individual lines?

No, you would just create a range in the network object like this:

object network TEST
range 10.10.155.51 10.10.144.254

It really depends if the NAT 0 statements are just for traffic that is going between ASA interfaces. If that is the case then this is no longer required and is obsolete. NAT 2, 3, and 4 will be fine as they seem to be specific source addresses that are being translated. The only issue you will run into is the NAT 1 statements as only one of these will end up being matched for dynamic NAT. What is the purpose of having all those global 1 NAT statments?

Please remember to select a correct answer and rate helpful posts

Truth be told, I'm not sure

cyoung1981 — Sat, 11 Jul 2015 18:59:16 GMT

Truth be told, I'm not sure of the purpose. I pulled the config off the old device and didn't want to change anything as the person who did the config is no longer at the company. So I didn't want to break anything when I install the new device.

I think I get all that now.

cyoung1981 — Sat, 11 Jul 2015 20:09:58 GMT

I think I get all that now. But one more question. I have some connections to other sites that have their own firewall, but we provide internet for. We have nat entries like this...

static (inside,outside) 10.10.10.10 10.10.10.10 netmask 255.255.255.255

Converting that to the new nat would be like ....

object network OBJ-10.10.10.10
host 10.10.10.10
object network OBJ-10.10.10.10
host 10.10.10.10
nat (inside,outside) source static OBJ-10.10.10.10 OBJ-10.10.10.10

Will that work? Should I add anything to the end?

Will that work? Should I add

Marius Gunnerud — Sat, 11 Jul 2015 21:06:58 GMT

Will that work? Should I add anything to the end?

That will create a manual NAT statement and will translate 10.10.10.10 to 10.10.10.10 But yes, this will be the same as the previous NAT statement.

Please remember to select a correct answer and rate helpful posts

Last thing... The old nat

cyoung1981 — Sat, 11 Jul 2015 21:30:55 GMT

Last thing... The old nat config has names in the statements.

nat (inside) 3 guest 255.255.255.0
nat (inside) 2 academy 255.255.254.0
nat (inside) 4 mobile 255.255.252.0

those names are defined in the config like this

name 192.168.252.0 academy description Academy Range
name 192.168.192.0 guest description quest
name 192.168.248.0 mobiledescription mobile

And nat 2,3,4 are this...

global (outside) 2 10.10.144.50 netmask 255.0.0.0
global (outside) 3 10.10.144.45 netmask 255.0.0.0
global (outside) 4 10.10.144.44 netmask 255.0.0.0

Would this be the correct configuration....

Object network mobile_inside
subnet 192.168.248.0 255.255.0.0
!
object network mobile_outside
subnet 10.10.144.44 255.0.0.0
nat (inside,outside) source static mobile_inside mobile_outside

Not sure if static is right here though, since it was not on the old.

I would suggest doing these

Marius Gunnerud — Sun, 12 Jul 2015 20:04:19 GMT

I would suggest doing these NATs as follows

object network mobile_outside
subnet 10.10.144.44 255.0.0.0
nat (inside,outside) static mobile_inside mobile_outside

This will place the NAT statements in object NAT (aka section 2) instead of manual NAT. Each time you start specifying source you are placing the NAT statment in manual NAT. So these statements will be matched top down and before object NAT. If you specify "after-auto" this will place the NAT statment in manual NAT after object NAT. So if you do this manual NAT and object NAT will be matched first before trying to match on the after-auto.

Please remember to select a correct answer and rate helpful posts