topic Cisco ASA 5505 V8.3 NAT config in Network Security

Cisco ASA 5505 V8.3 NAT config

smith606306 — Tue, 12 Mar 2019 01:51:08 GMT

Hi,

Can anyone tell me what the new command is for NAT in version 8.3?

The config i have is from Version 7.2 and doesnt work on 8.3

global (outside) 1 interface

nat (inside) 1 10.123.74.128 255.255.255.128

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 86.35.156.**

Cisco ASA 5505 V8.3 NAT config

Jouni Forss — Thu, 30 May 2013 09:52:48 GMT

Hi,

Basically the old NAT configuration already contains one useless line in it. It basically does Dynamic PAT and accepts any source address from the "inside" interface. If you want to follow that logic in the new software you can use

nat (inside,outside) after-auto source dynamic any interface

If you wanted to define the source addresses for the Dynamic PAT then you could use this variation of the configuration

object-group network DEFAULT-PAT-SOURCE

network-object 10.10.10.0 255.255.255.0

network-object 10.10.20.0 255.255.255.0

network-object 10.10.30.0 255.255.255.0

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

If you want to have a look at some information about the new 8.3+ NAT format have a look at the document I wrote here on the CSC

https://supportforums.cisco.com/docs/DOC-31116

Hope this helps

Remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni

Cisco ASA 5505 V8.3 NAT config

smith606306 — Thu, 30 May 2013 10:23:42 GMT

Many thanks

What I want to achieve is this

BT line ----------------ADSL modem (bridge mode)---------------------ASA

My config so far is below

Am i on the right track?

interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group PPPOE-GROUP
ip address pppoe setroute

!
interface Vlan325
nameif inside
security-level 100
ip address 10.123.74.254 255.255.255.128
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
description Outside interface to BT router
switchport access vlan 2
!
interface Ethernet0/2
description Inside interface to Core 2
switchport access vlan 325
!

vpdn group PPPOE-GROUP request dialout pppoe

vpdn group PPPOE-GROUP localname USERNAME

vpdn group PPPOE-GROUP ppp authentication pap

vpdn username USERNAME password PASSWORD store-local

!
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
access-list inside_mpc extended permit tcp any any eq 8080
access-list inside_mpc extended permit tcp any any eq www
access-list dhcp-acl extended permit udp any any range bootps bootpc
mtu outside 1492

mtu inside 1500

nat (inside,outside) after-auto source dynamic any interface

dhcpd dns 208.67.222.222 208.67.220.220
!
dhcpd address 10.123.74.130-10.123.74.239 inside
dhcpd enable inside
!

ntp server 150.101.254.110 source outside prefer

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
match request method connect
drop-connection log
class BlockDomainsClass
reset log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect ipsec-pass-thru
inspect icmp
policy-map inside-policy
class httptraffic
inspect http http_inspection_policy
!

Cisco ASA 5505 V8.3 NAT config

nkarthikeyan — Thu, 30 May 2013 10:50:29 GMT

object network outbound

subnet 10.123.74.128 255.255.255.128

subnet 0.0.0.0 0.0.0.0

nat (inside,outside) dynamic interface

So every traffc hits the fw will get translated to outside interface and goes out for internet

If you add the above nat statement on to your firewall.... you will get internet access....

I hope you have missed the access-group to bind the ACL to your interface....

Hope this helps

Regards

Karthik

Cisco ASA 5505 V8.3 NAT config

Jouni Forss — Thu, 30 May 2013 10:53:00 GMT

Hi,

I dont see a problem with the configuration.

Though I have never had to configure the connection to Internet as you have done.

Your ASA should get the IP address from the ISP and also the default route from the looks of it.

The NAT configurations should be ok and work with the same logic as your previous Dynamic PAT configuration even though we made it simpler.

- Jouni

Cisco ASA 5505 V8.3 NAT config

Jouni Forss — Thu, 30 May 2013 10:54:54 GMT

Hi,

"object network" cant contain 2 "subnet" statements. It can only hold one.

Furthermore specifying a specific network when you are also specifying "any" has no real use. Its just simpler to accept all source addresses OR specify all the source networks separately if you really want to control which network should hit the translation rule.

- Jouni

Cisco ASA 5505 V8.3 NAT config

nkarthikeyan — Thu, 30 May 2013 11:02:44 GMT

Hi Jouni,

I agree with you... i have just converted wat he was requested.... but still he can have PAT translations seperately for specifc subnet and others.....

he just need to add the object-group instead of object....

or to make simple...

object network outbound

subnet 0.0.0.0 0.0.0.0

nat (inside,outside) dynamic interface

Thanks for notifying the mistake...

Regards

Karthik

Cisco ASA 5505 V8.3 NAT config

smith606306 — Thu, 30 May 2013 11:18:17 GMT

Thanks.

are you talking about the ACL access-list inside_mpc ?

If so i havent assigned it to an interface

Cisco ASA 5505 V8.3 NAT config

Jouni Forss — Thu, 30 May 2013 11:39:58 GMT

You dont need interface ACLs at this point.

When your interfaces dont have ACLs attached to them with the "access-group" command then the "security-level" value of the interface determines which traffic is allowed.

The default rule is that hosts behind the higher value interface can access anything behind a lower security level interface.

So as you can see the "inside" is 100 and the "outside" is 0. So hosts behind "inside" can connect anywhere on the "outside" without configuring any ACL on the interfaces.

If you need to restrict some traffic from "inside" to "outside" then you will need to confiure an interface ACL. Also if you were to allow traffic from "outside" to some server on the "inside" you would both need to configure Static PAT and allow the traffic on an ACL attached to the "outside" interface.

But at the moment you dont need to configure any ACLs to have Internet working.

- Jouni

Cisco ASA 5505 V8.3 NAT config

smith606306 — Fri, 31 May 2013 14:18:56 GMT

i placed the BT router in bridge mode connected to the ASA but does not work.

I get the following message>

Failed to locate egress interface for UDP from inside:

Cisco ASA 5505 V8.3 NAT config

Jouni Forss — Fri, 31 May 2013 14:22:18 GMT

Hi,

Sounds to me that the "outside" interface either doesnt have an IP address or there is just a routing problem?

You can use the command "show ip add" to view the IP addresses currently on the interfaces of the ASA

- Jouni

Cisco ASA 5505 V8.3 NAT config

smith606306 — Fri, 31 May 2013 14:37:45 GMT

no it hasn/t got an ip address.

interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group PPPOE-GROUP
ip address pppoe setroute

vpdn group PPPOE-GROUP request dialout pppoe

vpdn group PPPOE-GROUP localname C****0@hgbtclick.com

vpdn group PPPOE-GROUP ppp authentication pap

vpdn username C****@hgbtclick.com password hanover1 store-local

should i change the ppp authentication to mschap?

Cisco ASA 5505 V8.3 NAT config

Jouni Forss — Fri, 31 May 2013 14:41:04 GMT

Hi,

Are you saying that with "show ip add" command you dont see any IP address in the listing?

If there is, then check what the "show route" command output shows. You should have a default route towards the ISP.

I have no real idea about the configuration type you are using for the "outside" connection as I have never had to use it myself. I would imagine the needed information would be provided by the ISP.

- Jouni