topic Command Changes From 7.2 To 8.6 in Network Security

Command Changes From 7.2 To 8.6

andyoww — Tue, 12 Mar 2019 01:12:52 GMT

I'm coming from a 5505/5510 ASA to a 5512x.

I see the following 7.2 commands are now set with the NAT command in 8.6:

-------------begin 7.2 commands---------------------

global (outside) 1 interface
global (inside) 10 interface
global (wireless) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.3.0 255.255.255.0
static (inside,outside) tcp interface www 192.168.3.114 www netmask 255.255.255.255
static (inside,outside) udp interface 5008 192.168.3.117 5008 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.3.101 3389 netmask 255.255.255.255
static (inside,outside) tcp interface h323 192.168.3.118 h323 netmask 255.255.255.255

--------------end 7.2 commands----------------------

While I would love if somebody would change these into correct commands for 8.6, I actually want to learn what I need to do so I can better understand this.

The documentation for the NAT command in 8.6 is very confusing.

Can somebody break this down for me step by step?

Keep in mind I still have the acl entries for the above commands as well:

-------------begin acl example-------------------

access-list outside_acl extended permit tcp any host 192.168.3.114 eq www

--------------end acl example--------------------

Will I need to change/delete these?

Thanks in advance.

Command Changes From 7.2 To 8.6

Jouni Forss — Mon, 11 Mar 2013 21:05:19 GMT

Hi,

We dont have all the information we need or there are some unused NAT configurations above

Unused or Partial Information

global (inside) 10 interface

Doesnt have matching ID 10 "nat" line

nat (inside) 0 access-list nonat

We dont know what the ACL "nonat" contains

Used

PAT CONFIGURATIONS

Old Format

global (outside) 1 interface

global (wireless) 1 interface

nat (inside) 1 192.168.3.0 255.255.255.0

New Format

object-group network INSIDE-PAT-SOURCE

network-object 192.168.3.0 255.255.255.0

nat (inside,outside) after-auto source dynamic INSIDE-PAT-SOURCE interface

nat (inside,wireless) after-auto source dynamic INSIDE-PAT-SOURCE interface

PORT FORWARD / STATIC PAT

Old Format

static (inside,outside) tcp interface www 192.168.3.114 www netmask 255.255.255.255

static (inside,outside) udp interface 5008 192.168.3.117 5008 netmask 255.255.255.255

static (inside,outside) tcp interface 3390 192.168.3.101 3389 netmask 255.255.255.255

static (inside,outside) tcp interface h323 192.168.3.118 h323 netmask 255.255.255.255

New Format

object network STATIC-PAT-TCP80

host 192.168.3.114

nat (inside,outside) static interface service tcp 80 80

object network STATIC-PAT-UDP-5008

host 192.168.3.117

nat (inside,outside) static interface service udp 5008 5008

object network STATIC-PAT-TCP3389

host 192.168.3.101

nat (inside,outside) static interface service tcp 3389 3389

object network STATIC-PAT-TCP1720

host 192.168.3.118

nat (inside,outside) static interface service tcp 1720 1720

access-list outside_acl permit tcp any object STATIC-PAT-TCP80 eq 80

access-list outside_acl permit tcp any object STATIC-PAT-UDP5008 eq 5008

access-list outside_acl permit tcp any object STATIC-PAT-TCP3389 eq 3389

access-list outside_acl permit tcp any object STATIC-PAT-TCP1720 eq 1720

I wont go into detail here. Be sure to check the Document section of the Firewall forum section in the coming week or two. I am writing a document about the new NAT format of 8.3 (and newer) which should contain basic information related to different common NAT configurations.

Please rate if the information was helpfull. Mark the question as answered if it answered your question.

Naturally ask more if needed.

- Jouni

Command Changes From 7.2 To 8.6

andyoww — Mon, 11 Mar 2013 21:23:02 GMT

You're right, I don't see anything in my config for the

global (inside) 10 interface

Guess I don't need it?

nonat acl:

access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list nonat extended permit ip any 192.168.50.0 255.255.255.0

access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0

Your examples make this a little easier to understand.

I'm certainly going to check out your document.

One last question with your above post.

I'm actually translating 3390 on the outside to 3389 on the inside.

So would I only need to change:

nat (inside,outside) static interface service tcp 3390 3389

and

access-list outside_acl permit tcp any object STATIC-PAT-TCP3389 eq 3390

Correct?

Seeing this makes me wonder if I'll need to change all of my acl's, but I'm going to try it with what I have first.

Thanks a bunch.

Command Changes From 7.2 To 8.6

Jouni Forss — Mon, 11 Mar 2013 21:30:25 GMT

Hi,

In the NAT configuration line

object network

host

nat (inside,outside) static interface service tcp/udp

In the ACL you use the value in the same way that you know use the of the host also and NOT the NAT IP.

- Jouni

Command Changes From 7.2 To 8.6

Jouni Forss — Mon, 11 Mar 2013 21:37:24 GMT

Oh and the NAT0 configuration,

Old Format

access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list nonat extended permit ip any 192.168.50.0 255.255.255.0

access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (inside) 0 access-list nonat

New Format

object network LOCAL-LAN

subnet 192.168.3.0 255.255.255.0

object-group REMOTE-NETWORKS

network-object 192.168.5.0 255.255.255.0

network-object 192.168.10.0 255.255.255.0

network-object 192.168.50.0 255.255.255.0

nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-NETWORKS REMOTE-NETWORKS

If you actually have some more networks on the "inside" (other than 192.168.3.0/24) which warrant the use of "any" on the one ACL line above then you would probably need other configuration line for the NAT and/or tweaking to the above rule.

- Jouni

Command Changes From 7.2 To 8.6

andyoww — Mon, 11 Mar 2013 21:41:55 GMT

So:

object network

and

object-group

The section is anything I want to choose?

Of course, I would always make sure this is half-way descriptive for easier troubleshooting.

Thanks again.

Command Changes From 7.2 To 8.6

Jouni Forss — Mon, 11 Mar 2013 21:46:14 GMT

Yes, the name can be what you choose.

Also you can use a command later to rename the object "on the fly" so to speak.

"object network OBJECT rename NEW-OBJECT"

Please do rate the replys/posts if you have found the information helpfull.

- Jouni

Command Changes From 7.2 To 8.6

andyoww — Wed, 13 Mar 2013 22:29:44 GMT

One correction from above.

object network STATIC-PAT-UDP-5008

I took out the dash between UDP and 5008 for standardization. (It caused an error when trying to call it later in the ACL.)

Great stuff.

I put these changes in my config & the ASA went in with one little problem.

192.168.3.0 is the LAN behind this ASA.

192.168.10.0 is the LAN behind a remote ASA.

From the 192.168.3.0 LAN and ASA, I am able to ping anything on the 192.168.10.0 network. That's GOOD.

From the 192.168.10.0 LAN and ASA, I am UNABLE to ping anything on the 192.168.3.0 network. That's BAD.

I realize I left a ton of my configuration off of here, but any ideas what might be causing this?

The only applied ACL's I see in my old config are:

nat (inside) 0 access-list nonat

access-group outside_acl in interface outside

yet I have quite a few lines for four other ACL's:

access-list Local_LAN_Access remark VPN Client Local LAN Access

access-list Local_LAN_Access standard permit host 0.0.0.0

access-list vpn_split_tunnel standard permit 192.168.3.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip interface inside 192.168.10.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.60.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0

Not realizing they were not being applied, I copy & pasted them to the new ASA.

If they are not being applied, it wouldn't really matter how many lines are actually there though, right?

The ASA isn't actually using them, correct?

Command Changes From 7.2 To 8.6

Jouni Forss — Thu, 14 Mar 2013 08:37:06 GMT

Hi,

Without seing complete configurations I could only guess.

Based on the names of the ACLs the 2 first would be related to VPN Client configurations which are usually attached under "group-policy" configurations. Third ACL seems to be a NAT0 ACL but is nothing like the one discussed above. The last ACL seems to be a ACL to define traffic/networks for a L2L VPN connection.

I guess unused ACLs in this case dont really matter but I prefer to remove unused ACLs so they dont cause unnecesary confusion and clutter up the configuration otherwise.

- Jouni

Re: Command Changes From 7.2 To 8.6

andyoww — Thu, 14 Mar 2013 15:03:07 GMT

UPDATED (I posted the wrong one earlier)

OK.

I'll post the entire config.

Makes me so angry when I go through these & find commands & such that should not be there.

!
hostname ASANAME
domain-name DOMAINNAME
enable password PASSWORD encrypted
passwd PASSWORD encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address IPADDRESS 255.255.255.252
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif wireless
security-level 100
ip address 192.168.60.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone cst -6
clock summer-time cst recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.3.115
domain-name DOMAINNAME
same-security-traffic permit inter-interface
object network STATIC-PAT-TCP80
host 192.168.3.114
object network STATIC-PAT-UDP5008
host 192.168.3.117
object network STATIC-PAT-TCP3389
host 192.168.3.101
object network STATIC-PAT-TCP1720
host 192.168.3.118
object network LOCAL-LAN
subnet 192.168.3.0 255.255.255.0
object-group network INSIDE-PAT-SOURCE
network-object 192.168.3.0 255.255.255.0
object-group network REMOTE-NETWORKS
network-object 192.168.5.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.50.0 255.255.255.0
access-list outside_acl extended permit tcp any object STATIC-PAT-TCP80 eq www
access-list outside_acl extended permit tcp any object STATIC-PAT-UDP5008 eq 5008
access-list outside_acl extended permit tcp any object STATIC-PAT-TCP3389 eq 3389
access-list outside_acl extended permit tcp any object STATIC-PAT-TCP1720 eq h323
access-list outside_acl extended permit udp any host 192.168.3.117 eq 5008
access-list outside_acl extended permit tcp any host 192.168.3.114 eq www
access-list outside_acl extended permit udp any host 192.168.3.115 eq ntp
access-list outside_acl extended deny ip host DENIEDIP any
access-list outside_acl extended deny tcp any any eq 161
access-list outside_acl extended deny udp any any eq snmp
access-list outside_acl extended deny tcp any any eq telnet
access-list outside_acl extended permit ip any any
access-list outside_acl extended permit tcp any interface outside eq 3390
access-list outside_acl extended permit tcp any interface outside eq h323
access-list outside_acl extended permit udp any host 192.168.3.118 eq 1718
access-list outside_acl extended permit udp any host 192.168.3.118 eq 1719
access-list outside_acl extended permit udp any host 192.168.3.118 eq 1720
access-list outside_acl extended permit icmp host 192.168.3.118 any
access-list outside_acl extended permit ip host 192.168.3.118 any
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nonat extended permit ip any 192.168.50.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn_split_tunnel standard permit 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip interface inside 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging console emergencies
logging trap notifications
logging asdm informational
logging host inside 192.168.3.116
mtu outside 1500
mtu inside 1500
mtu wireless 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-NETWORKS REMOTE-NETWORKS
object network STATIC-PAT-TCP80
nat (inside,outside) static interface service tcp www www
object network STATIC-PAT-UDP5008
nat (inside,outside) static interface service udp 5008 5008
object network STATIC-PAT-TCP3389
nat (inside,outside) static interface service tcp 3389 3390
object network STATIC-PAT-TCP1720
nat (inside,outside) static interface service tcp h323 h323
nat (inside,outside) after-auto source dynamic INSIDE-PAT-SOURCE interface
nat (inside,wireless) after-auto source dynamic INSIDE-PAT-SOURCE interface
access-group outside_acl in interface outside
route wireless 192.168.10.0 255.255.255.0 192.168.60.6 1 track 1
route wireless 192.168.5.0 255.255.255.0 192.168.60.6 1 track 1
route outside 0.0.0.0 0.0.0.0 NEXTHOPIP 254
route inside 10.113.255.210 255.255.255.255 192.168.3.200 1
route inside 10.113.255.212 255.255.255.255 192.168.3.200 1
route inside 10.113.255.231 255.255.255.255 192.168.3.200 1
route inside 10.113.255.250 255.255.255.255 192.168.3.200 1
route outside 192.168.10.0 255.255.255.0 NEXTHOPIP 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 2:35:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:30
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.3.0 255.255.255.0 inside
http 192.168.10.105 255.255.255.255 wireless
http 192.168.10.106 255.255.255.255 wireless
http 192.168.10.109 255.255.255.255 wireless
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 123
type echo protocol ipIcmpEcho 192.168.60.6 interface wireless
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec ikev1 transform-set MYSET esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map MYMAP 10 set ikev1 transform-set MYSET
crypto dynamic-map MYMAP 10 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer VPNPEERIP
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic MYMAP
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp nat-traversal 30
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 123 reachability
telnet timeout 5
ssh scopy enable
ssh SOMEBODY'SIP 255.255.255.255 outside
ssh SOMEBODY'SIP 255.255.255.240 outside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 50
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.29 source outside
ntp server 129.6.15.28 source outside prefer
ssl encryption des-sha1
webvpn
group-policy DfltGrpPolicy attributes
dns-server value 192.168.3.115
vpn-simultaneous-logins 18
vpn-idle-timeout 1
vpn-tunnel-protocol ikev1 ssl-clientless
password-storage enable
ip-comp enable
ipsec-udp enable
default-domain value DOMAINNAME
user-authentication enable
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
anyconnect ssl keepalive none
anyconnect dpd-interval client none
anyconnect dpd-interval gateway none
anyconnect ssl compression deflate
customization value DfltCustomization
group-policy MYPOLICY internal
group-policy MYPOLICY attributes
vpn-idle-timeout none
vpn-session-timeout none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_split_tunnel
default-domain value DOMAINNAME
username USER1 password PASSWORD encrypted
username USER1 attributes
vpn-group-policy MYPOLICY
vpn-framed-ip-address 192.168.50.2 255.255.255.0
--------------SNIP FOR USER ACCOUNTS----------------
----------------------UNSNIP------------------------

tunnel-group MYVPN type remote-access
tunnel-group MYVPN ipsec-attributes
ikev1 pre-shared-key MYKEY
tunnel-group SOMEBODY'SIP type ipsec-l2l
tunnel-group SOMEBODY'SIP ipsec-attributes
ikev1 pre-shared-key MYKEY
class-map class_ftp
match port tcp eq ftp-data
class-map inspection_default
match default-inspection-traffic
class-map TELNET-PORT
match port tcp eq telnet
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect dns migrated_dns_map_1
inspect pptp
inspect icmp
class class_ftp
inspect ftp
class TELNET-PORT
set connection timeout idle 10:00:00
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

Command Changes From 7.2 To 8.6

andyoww — Mon, 18 Mar 2013 18:40:13 GMT

I was able to get TAC to help.

This is what we (he) changed:

no nat (inside,wireless) after-auto source dynamic INSIDE-PAT-SOURCE interface

nat (inside,wireless) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-NETWORKS REMOTE-NETWORKS

It is working fine now!