Converting pix nat to asa

grey580
Level 1

I have an old Cisco PIX 515 v8.0(4) that I want to swap out with an ASA 5510 v9.1(5) device, but I think I'm having problems getting either the ACL or the NAT to work, and I'm trying to understand this conversion better because I'm doing something wrong.

For example:


I have an IP that will go to a web server behind the firewall. 

Outside IP Example: 1.2.3.4 

Ports: 80 & 443


Inside server IP example: 4.3.2.1

Name: Server03


On the pix the config looks like:

name 4.3.2.1 Server03
access-list Outside_access_in remark Server03 WebsiteHTTP 
access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq www
access-list Outside_access_in remark Server03 3rd WebsiteHTTPS
access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq https

static (inside,Outside) tcp 1.2.3.4 www Server03 www netmask 255.255.255.255
static (inside,Outside) tcp 1.2.3.4 https Server03 https netmask 255.255.255.255

What should this look like for the ASA 5510 v9.1?

3 Replies

If this is a spare public IP you have, then:
!
object-group service TCP_PORT
 service-object tcp source eq 80
 service-object tcp source eq 443
!
object network INSIDE-SERVER03
 host 4.3.2.1
 nat (inside,outside) source static 1.2.3.4
!
access-list OUT-IN exten permit object-group TCP_PORT any INSIDE-SERVER03
-------------------------------------------------------------------
And if you are using the ASA outside interface to map the inside server:

object network INSIDE-SERVER03
 host 4.3.2.1
!
nat (inside,outside) source static INSIDE-SERVER03 interface
!
access-list OUT-IN exten permit object-group TCP_PORT any INSIDE-SERVER03

please do not forget to rate.

Yes we have several IP addresses that we use.

When I run this:

!
object-group service TCP_PORT
 service-object tcp source eq 80
 service-object tcp source eq 443
!
object network INSIDE-SERVER03
 host 4.3.2.1
 nat (inside,outside) source static 1.2.3.4
!
access-list OUT-IN exten permit object-group TCP_PORT any INSIDE-SERVER03

I get:

Result of the command: "object network INSIDE-SERVER03"

The command has been sent to the device


Result of the command: "host 4.3.2.1"

The command has been sent to the device


Result of the command: "nat (inside,outside) source static 1.2.3.4"

nat (inside,outside) source static 1.2.3.4
ERROR: % Incomplete command

Result of the command: "access-list OUT-IN exten permit object-group TCP_PORT any INSIDE-SERVER03"

access-list OUT-IN exten permit object-group TCP_PORT any INSIDE-SERVER03
^
ERROR: % Invalid input detected at '^' marker.

Try this, and sorry for the late reply:

!
object-group protocol TCP
 protocol-object tcp
!
object network INSIDE-SERVER03
 host 4.3.2.1
 nat (inside,outside) static 1.2.3.4
!
! Since 8.3 the ACL matches the real (inside) address, so it references the network object, not 1.2.3.4
access-list OUT-IN extended permit object-group TCP any object INSIDE-SERVER03 eq 80
access-list OUT-IN extended permit object-group TCP any object INSIDE-SERVER03 eq 443
access-group OUT-IN in interface outside


please do not forget to rate.
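As an added example (not from anyone in this thread), here is a small Python script that does the conversion asked about above: it reads the PIX "name", "static" and "access-list" lines from the question and emits the ASA 8.3+/9.1 equivalent, one network object with a port-limited "nat ... service" statement per PIX port static (so only 80 and 443 are translated, as on the PIX, rather than every port of the server), and the ACL rewritten to the real, untranslated server address, which is what post-8.3 ACLs must match. The PIX_CONFIG sample, its access-group line and the object names are constructed for the example.

```python
import re

# Constructed sample: the PIX lines from the question plus an assumed access-group line.
PIX_CONFIG = """\
name 4.3.2.1 Server03
access-list Outside_access_in remark Server03 WebsiteHTTP
access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq www
access-list Outside_access_in remark Server03 3rd WebsiteHTTPS
access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq https
static (inside,Outside) tcp 1.2.3.4  www Server03 www netmask 255.255.255.255
static (inside,Outside) tcp 1.2.3.4  https Server03 https netmask 255.255.255.255
access-group Outside_access_in in interface Outside
"""

# PIX port static: static (real_ifc,mapped_ifc) tcp MAPPED_IP MAPPED_PORT REAL_HOST REAL_PORT netmask ...
STATIC_RE = re.compile(
    r"^static\s+\((\S+),(\S+)\)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+netmask")
# ACL entry whose destination is a single host; group 2 is that host address.
ACL_HOST_RE = re.compile(
    r"^(access-list\s+\S+\s+extended\s+permit\s+\S+\s+\S+\s+host\s+)(\S+)(\s.*)$")

def convert_pix_to_asa(pix_text):
    """Return ASA 8.3+/9.1 object-NAT config equivalent to the PIX port statics."""
    names, statics, acl_lines, mapped_to_real = {}, [], [], {}
    for line in pix_text.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if line.startswith("name "):            # name <ip> <alias>
            _, ip, alias = line.split()
            names[alias] = ip
        elif m:
            statics.append(m.groups())
        elif line.startswith(("access-list ", "access-group ")):
            acl_lines.append(line)
    out = []
    for real_ifc, mapped_ifc, proto, mapped_ip, mapped_port, real_host, real_port in statics:
        real_ip = names.get(real_host, real_host)   # resolve PIX "name" aliases
        mapped_to_real[mapped_ip] = real_ip
        # One object per port static: an object holds one nat statement, and "service" limits it to that port.
        obj = f"OBJ-{real_ip.replace('.', '_')}-{proto.upper()}-{real_port.upper()}"
        out += [f"object network {obj}", f" host {real_ip}",
                f" nat ({real_ifc},{mapped_ifc}) static {mapped_ip} service {proto} {real_port} {mapped_port}"]
    for line in acl_lines:
        # Post-8.3 ACLs match the real (untranslated) address, so rewrite the mapped host.
        m = ACL_HOST_RE.match(line)
        if m and m.group(2) in mapped_to_real:
            line = f"{m.group(1)}{mapped_to_real[m.group(2)]}{m.group(3)}"
        out.append(line)
    return "\n".join(out)
```

Remark and access-group lines pass through unchanged; an ACL line whose destination is not one of the mapped hosts is also left as it was, so check the output for anything the script did not rewrite before pasting it into the ASA.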