https://community.cisco.com/t5/network-security/need-assistance-with-translating-old-nat-8-2-with-new-nat/m-p/3917000#M25201 Do you have a full tunnel for your vpn users? This means they access internet through the vpn tunnel.<BR /><BR />If so you need a nat statement like:<BR />Let's assume, your vpn pool subnet is 192.168.10.0/24.<BR />Config will looks like:<BR />Object network vpn<BR /> Subnet 192.168.10.0 255.255.255.0<BR /> nat (outside, outside) dynamic interface<BR /><BR />And you need to enable the following command:<BR />same-security-traffic permit intra-interface<BR /> Fri, 30 Aug 2019 23:43:53 GMT Francesco Molino 2019-08-30T23:43:53Z https://community.cisco.com/t5/network-security/need-assistance-with-translating-old-nat-8-2-with-new-nat/m-p/3892358#M25181 <P>Hi I need to translate old NAT statements to New statements and wanna verify if my statements are correct and what needs to be done to verify if all good :</P><P>Old:</P><P>global (outside) 1 interface<BR />nat (outside) 0 access-list MGT-NAT-EXEMPT<BR />nat (inside) 0 access-list WORKER-NAT-EXEMPT<BR />access-group MGT-ACL-IN in interface outside<BR />access-group WORKER-ACL-OUT in interface inside</P><P><BR />no nat (inside) 1 0.0.0.0 0.0.0.0<BR />nat (inside) 1 192.168.31.0 255.255.254.0 tcp 0 0 udp 0</P><P>&nbsp;</P><P>provided :</P><P>MGT-NAT-EXEMPT &amp; WORKER-NAT-EXEMPT are extended ACLs&nbsp; that permit Host A &amp; Network A for each other&nbsp;</P><P>&nbsp;</P><P>how does each statement translate to new ASA versions</P> Thu, 18 Jul 2019 02:02:18 GMT https://community.cisco.com/t5/network-security/need-assistance-with-translating-old-nat-8-2-with-new-nat/m-p/3892358#M25181 Abid7897061 2019-07-18T02:02:18Z https://community.cisco.com/t5/network-security/need-assistance-with-translating-old-nat-8-2-with-new-nat/m-p/3892377#M25184 Hi<BR /><BR />You got few tools which can help you:<BR />- <A href="https://fwm.cisco.com/auth.do;jsessionid=36C436A92196CFA9BDBEFFD5F48B16AF#appstore:1" target="_blank">https://fwm.cisco.com/auth.do;jsessionid=36C436A92196CFA9BDBEFFD5F48B16AF#appstore:1</A><BR /><BR />- <A href="https://www.tunnelsup.com/nat-converter/" target="_blank">https://www.tunnelsup.com/nat-converter/</A> Thu, 18 Jul 2019 03:05:52 GMT https://community.cisco.com/t5/network-security/need-assistance-with-translating-old-nat-8-2-with-new-nat/m-p/3892377#M25184 Francesco Molino 2019-07-18T03:05:52Z https://community.cisco.com/t5/network-security/need-assistance-with-translating-old-nat-8-2-with-new-nat/m-p/3916908#M25193 <P>Hi ,</P><P>&nbsp;</P><P>that tunnels up link is very help ful thanks for that .</P><P>&nbsp;</P><P>currently VPN tunnel is up , i am able to reach internal networks however i cant reach internet .</P><P>&nbsp;</P><P>i think i am missing something&nbsp; here , as per ASDM logs some TCP connections are denied so i suspect below line has not been translated.</P><P>&nbsp;</P><P>nat (inside) 1 10.129.30.0 255.255.254.0&nbsp; tcp 0 0 udp 0 , what would this become in new ASA, tunnels up doesnt conccert this one .</P><P>&nbsp;</P><P>thanks&nbsp;</P><P>&nbsp;</P> Fri, 30 Aug 2019 18:11:44 GMT https://community.cisco.com/t5/network-security/need-assistance-with-translating-old-nat-8-2-with-new-nat/m-p/3916908#M25193 Abid7897061 2019-08-30T18:11:44Z https://community.cisco.com/t5/network-security/need-assistance-with-translating-old-nat-8-2-with-new-nat/m-p/3917000#M25201 Do you have a full tunnel for your vpn users? This means they access internet through the vpn tunnel.<BR /><BR />If so you need a nat statement like:<BR />Let's assume, your vpn pool subnet is 192.168.10.0/24.<BR />Config will looks like:<BR />Object network vpn<BR /> Subnet 192.168.10.0 255.255.255.0<BR /> nat (outside, outside) dynamic interface<BR /><BR />And you need to enable the following command:<BR />same-security-traffic permit intra-interface<BR /> Fri, 30 Aug 2019 23:43:53 GMT https://community.cisco.com/t5/network-security/need-assistance-with-translating-old-nat-8-2-with-new-nat/m-p/3917000#M25201 Francesco Molino 2019-08-30T23:43:53Z