NAT syntax - upgrading to 8.3+

aelsbernd — Tue, 12 Mar 2019 01:09:32 GMT

Looking at the changes in NAT syntax after the upgrade.... how would I do the following in 8.3+?

access-list Encrypt extended permit ip 172.10.35.0 255.255.255.0 172.10.18.0 255.255.255.0

access-list Encrypt extended permit ip 172.10.36.0 255.255.255.0 172.10.18.0 255.255.255.0

access-list Encrypt extended permit ip 172.10.37.0 255.255.255.0 172.10.18.0 255.255.255.0

access-list Encrypt extended permit ip 172.10.38.0 255.255.255.0 172.10.18.0 255.255.255.0

access-list Encrypt extended permit ip any 172.10.60.0 255.255.255.0

access-list Encrypt extended permit ip any 172.10.61.0 255.255.255.0

nat (Internal) 0 access-list Encrypt

access-list External_nat0_outbound extended permit ip 10.255.255.0 255.255.255.0 172.10.0.0 255.240.0.0

access-list External_nat0_outbound extended permit ip 10.255.254.0 255.255.254.0 172.10.0.0 255.240.0.0

nat (External) 0 access-list External_nat0_outbound

nat (Internal) 1 10.255.255.0 255.255.255.0

Re: NAT syntax - upgrading to 8.3+

Jouni Forss — Mon, 04 Mar 2013 21:07:40 GMT

Hi,

I think you will need multiple NAT configurations to get these to work

You didnt list all the configurations needed to determine the complete configuration. I will list details under each section

1.)

We dont know behind which interface the destination networks are located....I will presume "External"

First 4 ACL rules

object-group network SOURCE-NETWORKS

network-object 172.10.35.0 255.255.255.0

network-object 172.10.36.0 255.255.255.0

network-object 172.10.37.0 255.255.255.0

network-object 172.10.38.0 255.255.255.0

object-group network REMOTE-NETWORKS

network-object 172.10.18.0 255.255.255.0

nat (Internal,External) source static SOURCE-NETWORKS SOURCE-NETWORKS destination static REMOTE-NETWORKS REMOTE-NETWORKS

2 Bottom rules

object-group REMOTE-NETWORKS-2

network-object 172.10.60.0 255.255.255.0

network-object 172.10.61.0 255.255.255.0

nat (Internal,External) source static any any destination static REMOTE-NETWORKS-2 REMOTE-NETWORKS-2

2.)

We dont know towards which interfaces networks this NAT is supposed to be done. I presume "Internal"

object network NETWORK-172.10.0.0-12

subnet 172.10.0.0 255.240.0.0

object network NETWORK-10.255.254-0-23

subnet 10.255.254.0 255.255.254.0

nat (External,Internal) source static NETWORK-10.255.254.0-23 NETWORK-10.255.254.0-23 destination static NETWORK-172.10.0.0-12 NETWORK-172.10.0.0-12

3.)

You provided only the source address configuration. We dont know if this is Dynamic NAT or Dynamic PAT
Below is a Dynamic PAT using interface "External" IP address

object-group network PAT-SOURCE-ADDRESS

network-object 10.255.255.0 255.255.255.0

nat (Internal,External) after-auto source dynamic PAT-SOURCE-ADDRESS interface

Hope this helps. Please rate the answer if the information was helpfull. Also if this answered your question please mark the question as answered.

Ask more if needed

EDIT: Edited the "outside" to "External"

- Jouni

topic Re: NAT syntax - upgrading to 8.3+ in Network Security

NAT syntax - upgrading to 8.3+

Re: NAT syntax - upgrading to 8.3+