Solved: nat 0 on 5506 ASA with 9.1

northtexasnetworks · ‎05-24-2017

Hello,

I have the following config on my old ASA5510 running 7.2. This is part of a site-to-site VPN config.

nat (inside) 0 access-list no_nat

access-list no_nat line 1 extended permit ip 192.168.22.0 255.255.255.0 host 10.125.125.15

access-list no_nat line 1 extended permit ip 192.168.22.0 255.255.255.0 host 10.125.125.16

access-list no_nat line 1 extended permit ip 192.168.22.0 255.255.255.0 host 10.125.125.17

access-list no_nat line 1 extended permit ip 192.168.22.0 255.255.255.0 host 10.125.125.18

We are moving to an ASA 5506 running 9.1 and the above does not work, I get an error message saying the command for the nat 0 statement has been depreciated. Please help me with the correct config for 9.1.

Thanks,

Mitchell

Mohammed al Baqari · ‎05-24-2017

Hi,

The nat structure completely changed after 8.3. You can replace this with twice-nat in ASA.

e.g.

nat (in,out) source static 192.168.22.0_object 192.168.22.0_object destination static 10.125.125.0_object 10.125.125.0_object

You need to create the object-groups or objects before the nat statement and you need to locate in/out interfaces based on the routing

View solution in original post

Mohammed al Baqari · ‎05-24-2017

Hi,

The nat structure completely changed after 8.3. You can replace this with twice-nat in ASA.

e.g.

nat (in,out) source static 192.168.22.0_object 192.168.22.0_object destination static 10.125.125.0_object 10.125.125.0_object

You need to create the object-groups or objects before the nat statement and you need to locate in/out interfaces based on the routing