Info NAT translation 8.2 to 8.3

f.mottini
Level 1

Hi to all,

I have a question.

I have this NAT in 8.2:

static (inside,DMZ2) 192.168.202.0 192.168.202.0 netmask 255.255.255.0
static (inside,DMZ2) 161.27.0.0 161.27.0.0 netmask 255.255.0.0
static (inside,DMZ2) 172.16.0.0 172.16.0.0 netmask 255.240.0.0

In 8.3, must I translate this to 8.3 NAT, or are the ACLs that regulate the traffic from inside to DMZ enough?

Thanks a lot, best regards.


6 Replies

Jon Marshall
Hall of Fame

f.mottini wrote:

Hi to all,

I have a question.

I have this NAT in 8.2:

static (inside,DMZ2) 192.168.202.0 192.168.202.0 netmask 255.255.255.0
static (inside,DMZ2) 161.27.0.0 161.27.0.0 netmask 255.255.0.0
static (inside,DMZ2) 172.16.0.0 172.16.0.0 netmask 255.240.0.0

In 8.3, must I translate this to 8.3 NAT, or are the ACLs that regulate the traffic from inside to DMZ enough?

Thanks a lot, best regards.

You will need to update your static NAT entries. Have a look at this doc which covers changes in 8.3 and gives examples for converting NAT statements -

https://supportforums.cisco.com/docs/DOC-12690

Jon

If I don't translate this entry, what happens to the traffic that flows from a PC behind the inside interface to a server behind the DMZ interface?

Does the traffic flow anyway without NAT? Or is the traffic blocked because there is no identity NAT?

Thanks a lot.

PS: I'm translating the 8.2 NAT configuration by hand.

Hello,

In 8.3, NAT translation rules are a must between all interfaces. So, if you do not create a NAT rule, the traffic will be blocked.

static (inside,DMZ2) 192.168.202.0 192.168.202.0 netmask 255.255.255.0

object network INSIDE_NET_1
 subnet 192.168.202.0 255.255.255.0
nat (inside,DMZ2) source static INSIDE_NET_1 INSIDE_NET_1

static (inside,DMZ2) 161.27.0.0 161.27.0.0 netmask 255.255.0.0

object network INSIDE_NET_2
 subnet 161.27.0.0 255.255.0.0
nat (inside,DMZ2) source static INSIDE_NET_2 INSIDE_NET_2

static (inside,DMZ2) 172.16.0.0 172.16.0.0 netmask 255.240.0.0

object network INSIDE_NET_3
 subnet 172.16.0.0 255.240.0.0
nat (inside,DMZ2) source static INSIDE_NET_3 INSIDE_NET_3

Hope this helps.

Regards,

NT
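Added example (not from this thread and not Cisco's code): a small Python converter that does mechanically what the reply above shows, turning each 8.2 `static` line into an 8.3 `object network` plus a manual (twice) NAT rule. The object naming scheme, the `INSIDE_NET`/`REAL`/`MAPPED` prefixes, and the handling of non-identity and /32 statics are this script's own assumptions; the three sample lines are the ones quoted in the thread.

```python
import ipaddress
import re
# 8.2 form: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real_ifc>[^,\s]+)\s*,\s*(?P<mapped_ifc>[^)\s]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)\s*$")

def _object_lines(prefix, net):
    # Object naming scheme (PREFIX_a_b_c_d_len) is this script's assumption, not Cisco's
    name = f"{prefix}_{str(net.network_address).replace('.', '_')}_{net.prefixlen}"
    if net.prefixlen == 32:
        member = f" host {net.network_address}"  # a /32 static becomes a host object
    else:
        member = f" subnet {net.network_address} {net.netmask}"
    return name, [f"object network {name}", member]

def convert_static(line):
    """One 8.2 'static' line -> 8.3 object(s) plus a manual (twice) NAT rule."""
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError(f"not an 8.2 static line: {line!r}")
    real = ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=False)
    mapped = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False)
    ifcs = f"({m['real_ifc']},{m['mapped_ifc']})"
    if real == mapped:  # identity NAT: one object, translated to itself
        name, out = _object_lines("INSIDE_NET", real)
        out.append(f"nat {ifcs} source static {name} {name}")
        return out
    real_name, out = _object_lines("REAL", real)  # real object first, then mapped
    mapped_name, mapped_obj = _object_lines("MAPPED", mapped)
    out.extend(mapped_obj)
    out.append(f"nat {ifcs} source static {real_name} {mapped_name}")
    return out

def convert_config(text):
    """Convert every 8.2 'static' line; other non-blank lines pass through unchanged."""
    out = []
    for line in text.splitlines():
        if line.strip().startswith("static "):
            out.extend(convert_static(line))
        elif line.strip():
            out.append(line)
    return out

# Constructed sample input: the three identity statics quoted in the thread
SAMPLE_82 = """\
static (inside,DMZ2) 192.168.202.0 192.168.202.0 netmask 255.255.255.0
static (inside,DMZ2) 161.27.0.0 161.27.0.0 netmask 255.255.0.0
static (inside,DMZ2) 172.16.0.0 172.16.0.0 netmask 255.240.0.0
"""
```

Run `print("\n".join(convert_config(SAMPLE_82)))` to see the generated 8.3 lines; review the output before pasting it into a device, since only `static` lines are handled.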

Hi,

From the documentation of 8.3 I understood something else: that NAT is not required anymore.

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60212

The nat-control command is deprecated. To maintain the requirement that all traffic from a higher security interface to a lower security interface be translated, a NAT rule will be inserted at the end of section 2 for each interface to disallow any remaining traffic. The nat-control command was used for NAT configurations defined with earlier versions of the adaptive security appliance. The best practice is to use access rules for access control instead of relying on the absence of a NAT rule to prevent traffic through the adaptive security appliance.

Until now, I have never tested 8.3.

Dan

I have tested 8.3 on an ASA 5520.

PC ---- in 100 ----- ASA ----- out 0 ------ PC

2 ACLs - permit ip any any

Both PCs have the ASA as their default GW.

ciscoasa# sh run access-g
access-group in in interface in
access-group out in interface out
ciscoasa# sh access-l in
access-list in; 1 elements; name hash: 0xbd4c1a27
access-list in line 1 extended permit ip any any (hitcnt=10) 0xc13c9148
ciscoasa# sh access-l out
access-list out; 1 elements; name hash: 0x5589cfea
access-list out line 1 extended permit ip any any (hitcnt=2) 0xb4296acc
ciscoasa# sh run nat

ciscoasa#
ciscoasa# sh run int g0/3
!
interface GigabitEthernet0/3
nameif in
security-level 100
ip address 1.1.1.2 255.255.255.252

ciscoasa# sh run int g0/2
!
interface GigabitEthernet0/2
nameif out
security-level 0
ip address 2.2.2.1 255.255.255.0

Ping from out PC to in PC:

ciscoasa# sh conn det
2 in use, 2 most used


ICMP out:2.2.2.2/1 in:1.1.1.1/0,
    idle 0s, uptime 1s, timeout 2s, bytes 64
ICMP out:2.2.2.2/1 in:1.1.1.1/0,
    idle 0s, uptime 1s, timeout 2s, bytes 64

Successful! So there is no need for NAT.

Dan

Correct. Thanks for verifying. In 8.3 there is no need to provide NAT.

-KS
