ASA 8.x to 9.2 convert NAT with ports tcp udp

rgutierrez15
Level 1

Hello Everyone,

I have a doubt about a NAT rule from an old ASA to a new one.

There is a NAT rule that I really don't understand (I am a beginner in security):

global (outside) 110 Mail_Server netmask 255.255.255.224
nat (dmz) 110 dmz.srv.Mail 255.255.255.255 tcp 500 100 udp 50

What I can barely understand is that traffic coming from the dmz is translated to the IP range at the outside using the ports TCP 500, 100 and UDP 50, right?

Am I understanding it OK?

And then, how can I translate it to version 9.2?

I really, really will appreciate your help!

Thanks in advance!

1 Reply

Francesco Molino
VIP Alumni
Hi,

The values associated with tcp and udp are the max connections for the local host, together with embryonic connections.
You can manage this in a policy-map; it isn't on the nat configuration anymore.

The config you posted will be translated into the following commands:

object network Mail_Server
 subnet x.x.x.x 255.255.255.224
!
object network dmz.srv.Mail
 host x.x.x.x
!
nat (dmz,outside) after-auto source dynamic dmz.srv.Mail Mail_Server

However, I believe your internal mail server is NATed to one public IP, and the nat command should be the following instead of the previous one:

object network Mail_Server
 host x.x.x.x
!
object network dmz.srv.Mail
 host x.x.x.x
 nat (dmz,outside) static Mail_Server

In this case the nat is done under the group object dmz.srv.Mail.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
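As an added worked example (not part of the original thread, and not Cisco's own migration code), the script below does the translation mechanically. It parses the pre-8.3 global/nat pair from the question, emits the network objects and the twice-NAT rule in the form shown in the reply above, and moves the trailing numbers, which 8.2 read as max TCP connections, TCP embryonic limit and max UDP connections, into a policy-map with set connection, since those options no longer exist on the nat command. The addresses in NAMES are hypothetical stand-ins for the 8.2 name entries, and the object, ACL, class-map and policy-map names the script generates are its own choices. It handles only a plain address with an optional netmask on the global line; interface PATs, address ranges and nat 0 are rejected for manual review.

```python
"""Translate a pre-8.3 ASA nat/global pair, including the old per-nat
connection limits, into 8.3+/9.x syntax: network objects, a twice-NAT rule
and an MPF policy-map carrying the limits, which no longer live on 'nat'."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the two lines from the question, verbatim.
OLD_CONFIG = """
global (outside) 110 Mail_Server netmask 255.255.255.224
nat (dmz) 110 dmz.srv.Mail 255.255.255.255 tcp 500 100 udp 50
"""
# Hypothetical 8.2 'name' entries so the named tokens resolve to addresses.
NAMES = {"Mail_Server": "203.0.113.32", "dmz.srv.Mail": "10.10.10.25"}

# global (ifc) id addr [netmask mask]
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask (\S+))?$")
# nat (ifc) id addr mask [tcp max_conns [emb_limit]] [udp max_conns]
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)"
                    r"(?: tcp (\d+)(?: (\d+))?)?(?: udp (\d+))?$")


def parse(text: str):
    """Return ({nat_id: (ifc, addr, mask)}, [(nat_id, (ifc, addr, mask, tcp, emb, udp))])."""
    globals_: Dict[int, tuple] = {}
    nats: List[Tuple[int, tuple]] = []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse stray whitespace
        if not line:
            continue
        m = GLOBAL_RE.match(line)
        if m:
            ifc, nid, addr, mask = m.groups()
            globals_[int(nid)] = (ifc, addr, mask or "255.255.255.255")
            continue
        m = NAT_RE.match(line)
        if m:
            ifc, nid, addr, mask, *limits = m.groups()
            nats.append((int(nid), (ifc, addr, mask, *(int(v) if v else None for v in limits))))
            continue
        raise ValueError(f"unsupported pre-8.3 line: {line!r}")
    return globals_, nats


def network_object(token: str, mask: str) -> Tuple[str, List[str]]:
    """Build 'object network' lines; a /32 becomes host, anything else subnet.
    A token that is neither a known name nor an IP (e.g. 'interface') raises."""
    addr = NAMES.get(token, token)
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    name = token if token in NAMES else f"obj-{addr}"
    body = f" host {addr}" if net.prefixlen == 32 else f" subnet {net.network_address} {net.netmask}"
    return name, [f"object network {name}", body]


def connection_limits(nid: int, ifc: str, real_name: str, tcp: Optional[int],
                      emb: Optional[int], udp: Optional[int]) -> List[str]:
    """Re-create 'tcp max [emb] udp max' with MPF 'set connection'. conn-max
    counts TCP and UDP together per class, so each protocol gets its own
    class; embryonic-conn-max is TCP-only."""
    classes: List[Tuple[str, str]] = []
    if tcp is not None:
        emb_opt = f" embryonic-conn-max {emb}" if emb is not None else ""
        classes.append(("tcp", f"set connection conn-max {tcp}{emb_opt}"))
    if udp is not None:
        classes.append(("udp", f"set connection conn-max {udp}"))
    if not classes:
        return []
    base = f"NAT{nid}_{ifc}"  # generated name, not a Cisco convention
    lines = ["!"]
    for proto, _ in classes:
        lines.append(f"access-list {base}_{proto} extended permit {proto} object {real_name} any")
        lines += [f"class-map {base}_{proto}", f" match access-list {base}_{proto}"]
    lines.append(f"policy-map {base}_limits")
    for proto, setting in classes:
        lines += [f" class {base}_{proto}", f"  {setting}"]
    lines.append(f"service-policy {base}_limits interface {ifc}")
    return lines


def convert(text: str) -> List[str]:
    globals_, nats = parse(text)
    out: List[str] = []
    for nid, (ifc, addr, mask, tcp, emb, udp) in nats:
        if nid == 0 or nid not in globals_:
            raise ValueError(f"nat id {nid}: nat 0 or missing global, review by hand")
        g_ifc, g_addr, g_mask = globals_[nid]
        real_name, real_obj = network_object(addr, mask)
        mapped_name, mapped_obj = network_object(g_addr, g_mask)
        out += mapped_obj + ["!"] + real_obj + ["!"]
        # Dynamic NAT from the real object into the mapped pool, written as
        # twice NAT placed after object NAT (the form shown in the reply above).
        out.append(f"nat ({ifc},{g_ifc}) after-auto source dynamic {real_name} {mapped_name}")
        out += connection_limits(nid, ifc, real_name, tcp, emb, udp)
    return out


if __name__ == "__main__":
    print("\n".join(convert(OLD_CONFIG)))
```

Two caveats before pasting the output into a 9.2 box: set connection conn-max caps the whole class, so if the old limit was meant per real host, swap in per-client-max (and per-client-embryonic-max); and the script only produces the literal dynamic translation, so if the server really is mapped one-to-one to a single public address, the static object NAT form from the reply is the one to use instead.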