topic Thank you Jon for the in Network Security

9.0 NAT Question

peter.williams — Tue, 12 Mar 2019 05:44:11 GMT

Hello,

I am trying to create NAT on a 9.0 ASA, I am trying to convert from PIX 7.2, the sample config is below, I cant figure out what the correct syntax is in the now ASA 9.0 syntax. Can someone please help me?

nat-control
global (Outside) 1 24.55.156.3 netmask 255.255.255.252
global (Outside) 2 24.55.156.4
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list policy_nat_smtp
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list nonatDMZ

PeterYou don't use acls on

Jon Marshall — Sat, 04 Apr 2015 01:11:19 GMT

Peter

You don't use acls on post 8.3 NAT so to help we would need to know what the acls are that you have used in your NAT.

In addition NAT after 8.3 is quite a bit more complicated because it now has an ordering to your NAT rules with different sections and where you put your NAT rules can determine whether everything works or not.

I have only recently started getting up to speed with it and it is a bit of change to say the least 🙂

I'm logging off now as it's late where I am but if you post up the acl details I'm sure someone can help out and i'll check in with the thread over the weekend if I get the chance.

However the reason I posted primarily was to provide a link to a really excellent document on this site which I have learnt most of the new NAT from. It gives examples of each type of NAT but also covers the sections and the ordering which really are important to understand.

It's worth a read to get up to speed on it but like I say if you are in a hurry there are some very clear examples in there for your needs ie. dynamic NAT, NAT exemptions etc. -

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Like I say I'm sure someone will be able to help out as well so not trying to fob you off but you may be able to work it out from the document.

Jon

Thank you Jon for the

peter.williams — Sat, 04 Apr 2015 01:21:54 GMT

Thank you Jon for the information, it really is very confusing to me, I am used to pre- 8.3 code. Below is the ACL to the NAT statement above, any help would be appreciated

access-list inside_outbound_nat0_acl extended permit ip 10.0.0.0 255.255.0.0 10.54.0.0 255.255.0.0

access-list nonatDMZ extended permit ip 192.168.0.0 255.255.255.0 10.0.100.0 255.255.254.0

access-list policy_nat_smtp extended permit tcp host 10.10.0.5 eq smtp any

Thank you Jon for the

peter.williams — Sat, 04 Apr 2015 01:22:01 GMT

Thank you Jon for the information, it really is very confusing to me, I am used to pre- 8.3 code. Below is the ACL to the NAT statement above, any help would be appreciated

access-list inside_outbound_nat0_acl extended permit ip 10.0.0.0 255.255.0.0 10.54.0.0 255.255.0.0

access-list nonatDMZ extended permit ip 192.168.0.0 255.255.255.0 10.0.100.0 255.255.254.0

access-list policy_nat_smtp extended permit tcp host 10.10.0.5 eq smtp any

Hi,object network obj-0.0.0

Vibhor Amrodia — Sat, 04 Apr 2015 02:00:49 GMT

Hi,

object network obj-0.0.0.0
subnet 0.0.0.0
nat (inside,outside) dynamic 24.55.156.3

object network obj-10.0.0.0
subnet 10.0.0.0 255.255.255.0

object network obj-10.54.0.0
subnet 10.54.0.0 255.255.255.0

nat (inside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.54.0.0 obj-10.54.0.0 no-proxy-arp route-lookup

I don't think a policy is required as you are already mapping one private IP to the Public IP

object network obj-10.10.0.5
host 10.10.0.5
nat (inside,outside) static 24.55.156.4

No Nat on the DMZ should not be required anymore as NAT control is disabled now on the ASA 8.3 + code.

Thanks and Regards,

Vibhor Amrodia