cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


6804
Views
0
Helpful
5
Replies
Beginner

ASA NAT 8.x to 8.4 conversion - URGENT

I have 8.2 configuration that works:

global (inside) 1 192.168.1.1

nat (outside) 1 access-list Servers outside

static (inside,outside) 10.16.0.0 10.1.0.0 netmask 255.255.0.0

static (inside,outside) 10.17.0.0 10.2.0.0 netmask 255.255.0.0

static (inside,outside) 10.18.0.0 10.11.0.0 netmask 255.255.0.0

static (inside,outside) 10.19.0.0 10.12.0.0 netmask 255.255.0.0

static (outside,inside) 192.168.1.1  39.39.39.15 netmask 255.255.255.255

ACL Servers has only two hosts:

39.39.39.15

39.39.39.16

It is remote monitoring ASA, so I need to nat user networks (10.1.x.y, 10.2.x.y) to something that I can use (10.16.x.y, 10.17.x.y...)

Also, since it my device, I have them configure snmp and syslog server on client's network to use 192.168.1.1, so I have dynamic NAT for two SNMP servers and static NAT for one of them (which is syslog server).

Can someone please create 8.4 version, so I can apply it? I tried few things, packet tracer shows that they are NATed, but I have only Denc packets, because hosts see request coming from my public IP...

Thank you.

Everyone's tags (5)
5 REPLIES 5
Cisco Employee

ASA NAT 8.x to 8.4 conversion - URGENT

Hi,

Can you try the conversion with the help of the following document:

https://supportforums.cisco.com/docs/DOC-9129

Hope this helps.

Regards,

Anisha

P.S.:please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Beginner

ASA NAT 8.x to 8.4 conversion - URGENT

Hi Anisha,

honestly, doesn't help much. I configured lot of 8.3 and 8.4 NAT, so I am very familiar with documents and procedures, here is very specific example, we are using twice NAT, so it could be that order of operations are changed, or something similar.

I need very precise info.

Cisco Employee

ASA NAT 8.x to 8.4 conversion - URGENT

can you give us more clarity on the issue, r you looking for the commands or you already have the commands and they r not working? if so please paste the nat rules you have with the requirement so that we can see wht is going on

as far as what has changed, other than the syntax the main diff is that we check the nat first then acl hence the need to allow real ip in acl for static nat

Engager

ASA NAT 8.x to 8.4 conversion - URGENT

Hi Mile,

If you are looking for corresponding nat commands to the ones that you have pasted, they are as follows:

object network 10.16.0.0_network

subnet 10.16.0.0 255.255.0.0

object network 10.1.0.0_network

subnet 10.1.0.0 255.255.0.0

object network 10.17.0.0_network

subnet 10.17.0.0 255.255.0.0

object network 10.2.0.0_network

subnet 10.2.0.0 255.255.0.0

object network 10.18.0.0_network

subnet 10.18.0.0 255.255.0.0

object network 10.19.0.0_network

subnet 10.19.0.0 255.255.0.0

object network 10.11.0.0_network

subnet 10.11.0.0 255.255.0.0

object network 10.12.0.0_network

subnet 10.12.0.0 255.255.0.0

So the corresponsing nat commands for static would be:

nat (outside,inside) source static any any destination static 10.16.0.0_network 10.1.0.0_network

nat (outside,inside) source static any any destination static 10.17.0.0_network 10.2.0.0_network

nat (outside,inside) source static any any destination static 10.18.0.0_network 10.11.0.0_network

nat (outside,inside) source static any any destination static 10.19.0.0_network 10.12.0.0_network

And for the last static command:

object network private_ip

host 192.168.1.1

object network public_ip

host 39.39.39.15

nat (inside,outside) source static any any destination static private_ip public_ip

The first two nat commands doesn't seem right to me, could you verify whether this is wat you had earlier????

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Highlighted
Beginner

ASA NAT 8.x to 8.4 conversion - URGENT

Hi..I am also in phase of migrating software from 8.2 to 8.4. I am facing  issues while changing below config in 8.4. Could anyone pls helpout.

access-list www_http extended permit tcp host 192.168.183.202 any eq www
access-list www_http extended permit tcp host 192.168.183.202 any eq https
access-list www_http extended permit tcp host 192.168.183.196 any eq www
access-list www_http extended permit tcp host 192.168.183.196 any eq https

nat (inside) 3 access-list www_http

global (outside) 3 61.144.128.140 netmask 255.255.255.255