Need Assistance with Translating Old NAT 8.2 with new NAT statements in 9.6

Abid7897061
Level 1

Hi, I need to translate old NAT statements to new statements and want to verify whether my statements are correct, and what needs to be done to verify that all is good:

Old:

global (outside) 1 interface
nat (outside) 0 access-list MGT-NAT-EXEMPT
nat (inside) 0 access-list WORKER-NAT-EXEMPT
access-group MGT-ACL-IN in interface outside
access-group WORKER-ACL-OUT in interface inside


no nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 1 192.168.31.0 255.255.254.0 tcp 0 0 udp 0


Provided:

MGT-NAT-EXEMPT & WORKER-NAT-EXEMPT are extended ACLs that permit Host A & Network A for each other.

How does each statement translate to the new ASA versions?
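As an added worked example (this is not from the original post and not Cisco's own migration tool), the script below applies the 8.2 to 8.3+ NAT mapping to the statements quoted above: a `nat (if) <id>` / `global (if) <id>` pair becomes object NAT (`nat (real,mapped) dynamic interface`), `nat (if) 0 access-list` becomes identity twice NAT in section 1 with mapped interface `any` (the 8.2 exemption applied towards every interface), `no nat ...` is only a removal, the `tcp 0 0 udp 0` suffix is connection limits (0 means unlimited; non-zero values belong in MPF `set connection` from 8.3 on), and `access-group` lines are unchanged. The ACL contents (Host A as 10.0.0.5, Network A as 192.168.30.0/23) and the generated object names are assumptions; the poster only described the ACLs in words. It also surfaces one thing worth checking: 192.168.31.0 with a 255.255.254.0 mask is the 192.168.30.0/23 network, so the script normalises it and warns.

```python
"""Translate the ASA 8.2 NAT statements from the question into 8.3+/9.x syntax.

Added example, not from the original post or from Cisco's migration tool.
It handles only the statement kinds shown in the thread:
  global (<if>) <id> interface
  [no] nat (<if>) <id> <net> <mask> [tcp <max> <embryonic>] [udp <max>]
  nat (<if>) 0 access-list <acl>
  access-group <acl> in interface <if>   (passed through, with a warning)
The contents of the NAT-exempt ACLs are assumptions passed in by the caller.
"""
import ipaddress
import re

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
POOL_RE = re.compile(r"^(no )?nat \((\S+)\) (\d+) (\S+) (\d+\.\d+\.\d+\.\d+)"
                     r"(?: tcp (\d+) (\d+))?(?: udp (\d+))?$")
EXEMPT_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ACCESS_GROUP_RE = re.compile(r"^access-group \S+ (in|out) interface \S+$")


def _net(addr, mask=None):
    """IPv4Network from 'a.b.c.d' + dotted mask, or from 'a.b.c.d/len'."""
    return ipaddress.IPv4Network(addr if mask is None else f"{addr}/{mask}", strict=False)


def _object(name, net):
    """'object network' block; a /32 becomes 'host', anything else 'subnet'."""
    body = (f" host {net.network_address}" if net.prefixlen == 32
            else f" subnet {net.network_address} {net.netmask}")
    return [f"object network {name}", body]


def translate(old_config, exempt_acls):
    """Return (new_config_lines, warnings).

    exempt_acls maps an ACL name to (source_cidr, destination_cidr): what the
    'permit ip' line of that 8.2 NAT-exempt ACL matched (assumed input).
    """
    globals_, pools, exempts, passthrough, warnings = {}, [], [], [], []

    for raw in old_config.splitlines():
        line = " ".join(raw.split())          # collapse stray whitespace
        if not line:
            continue
        if m := GLOBAL_RE.match(line):
            globals_[(m.group(1), m.group(2))] = m.group(3)
        elif m := POOL_RE.match(line):
            if m.group(1):                     # 'no nat ...' only removes a rule
                continue
            net = _net(m.group(4), m.group(5))
            if str(net.network_address) != m.group(4):
                warnings.append(f"{m.group(4)}/{m.group(5)} is really {net}")
            pools.append((m.group(2), m.group(3), net, m.group(6), m.group(7), m.group(8)))
        elif m := EXEMPT_RE.match(line):
            exempts.append(m.groups())
        elif ACCESS_GROUP_RE.match(line):
            passthrough.append(line)
            warnings.append("access-group is unchanged, but from 8.3 on the ACL "
                            f"must match real (untranslated) addresses: {line}")
        else:
            warnings.append(f"not handled, review manually: {line}")

    out = []
    # Section 1 (twice NAT): 'nat 0 access-list' exemptions become identity NAT.
    # The 8.2 rule exempted towards every interface, hence (real_if,any).
    # no-proxy-arp / route-lookup (8.4(2)+) stop identity NAT from answering
    # ARP for the far side and from overriding the routing table.
    for real_if, acl in exempts:
        src, dst = (_net(c) for c in exempt_acls[acl])
        out += _object(f"{acl}-src", src) + _object(f"{acl}-dst", dst)
        out.append(f"nat ({real_if},any) source static {acl}-src {acl}-src "
                   f"destination static {acl}-dst {acl}-dst no-proxy-arp route-lookup")

    # Section 2 (object NAT): 'nat (if) <id> net mask' pairs with every
    # 'global (<mapped_if>) <id>' that shares its id.
    for real_if, nat_id, net, tcp_max, embryonic, udp_max in pools:
        mapped = [(mif, addr) for (mif, gid), addr in globals_.items() if gid == nat_id]
        if not mapped:
            warnings.append(f"nat id {nat_id} on {real_if} has no matching global")
        for mapped_if, addr in mapped:
            out += _object(f"obj-{net.network_address}_{net.prefixlen}-{mapped_if}", net)
            out.append(f" nat ({real_if},{mapped_if}) dynamic {addr}")
            if real_if == mapped_if:          # hairpin, e.g. a VPN pool out to the internet
                out.append("same-security-traffic permit intra-interface")
        # 'tcp 0 0 udp 0' are connection limits; 0 means unlimited. Non-zero
        # limits live in MPF ('set connection conn-max ...') from 8.3 on.
        if any(v not in (None, "0") for v in (tcp_max, embryonic, udp_max)):
            warnings.append(f"connection limits on {net} must move to MPF 'set connection'")

    return out + passthrough, warnings


# Constructed sample: the 8.2 lines quoted in the question. Host A (10.0.0.5)
# and Network A (192.168.30.0/23) are assumed values for the ACL contents.
OLD_CONFIG = """
global (outside) 1 interface
nat (outside) 0 access-list MGT-NAT-EXEMPT
nat (inside) 0 access-list WORKER-NAT-EXEMPT
access-group MGT-ACL-IN in interface outside
access-group WORKER-ACL-OUT in interface inside
no nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 1 192.168.31.0 255.255.254.0 tcp 0 0 udp 0
"""
EXEMPT_ACLS = {
    "MGT-NAT-EXEMPT": ("10.0.0.5/32", "192.168.30.0/23"),
    "WORKER-NAT-EXEMPT": ("192.168.30.0/23", "10.0.0.5/32"),
}

if __name__ == "__main__":
    lines, warns = translate(OLD_CONFIG, EXEMPT_ACLS)
    print("\n".join(lines))
    print("\n".join("! " + w for w in warns))
```

The output keeps the identity twice NAT ahead of the object NAT, which matters on the box: section 1 is evaluated before section 2, so the exemption to Host A wins over the dynamic PAT. The access-group warning is the check most often missed after an upgrade: on 8.3+ the ACL applied inbound on outside has to permit the real internal addresses, not the mapped ones, so an ACL migrated by hand can silently deny everything (or, worse, permit more than intended if it was widened to compensate).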


3 Replies

Francesco Molino
VIP Alumni
Hi

You have a few tools which can help you:
- https://fwm.cisco.com/auth.do;jsessionid=36C436A92196CFA9BDBEFFD5F48B16AF#appstore:1

- https://www.tunnelsup.com/nat-converter/

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

That TunnelsUp link is very helpful, thanks for that.

Currently the VPN tunnel is up; I am able to reach internal networks, however I can't reach the internet.

I think I am missing something here. As per the ASDM logs, some TCP connections are denied, so I suspect the line below has not been translated.

nat (inside) 1 10.129.30.0 255.255.254.0 tcp 0 0 udp 0

What would this become in the new ASA? TunnelsUp doesn't convert this one.

Thanks


Do you have a full tunnel for your VPN users? This means they access the internet through the VPN tunnel.

If so, you need a NAT statement like the following.
Let's assume your VPN pool subnet is 192.168.10.0/24.
The config will look like:
object network vpn
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface

And you need to enable the following command:
same-security-traffic permit intra-interface

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
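To show why the accepted answer needs both pieces, and what else has to be in place for it to work, here is an added example (not from the original post) that models the ASA's NAT rule selection for a few flows: section 1 twice NAT is tried before section 2 object NAT, object NAT only matches when the flow leaves on the rule's mapped interface, and a flow that enters and leaves on the same interface is dropped unless `same-security-traffic permit intra-interface` is set. It is deliberately simplified (no ACL, proxy-ARP or reverse-path checks). The pool 192.168.10.0/24 comes from the answer; the inside network, the outside interface address 203.0.113.1 and the route table are constructed for the example, as is the `Rule`/`Asa` model itself.

```python
"""Minimal model of how an ASA (8.3+) picks a NAT rule for a flow.

Added example, not from the original post. It reproduces just enough of the
NAT lookup to show (a) why the hairpin rule needs 'same-security-traffic
permit intra-interface', and (b) why the VPN pool still needs an identity
(NAT-exempt) rule in section 1 ahead of the object NAT rules, otherwise the
inside-to-pool direction is PATed and VPN users lose internal access.
Addresses, interface names and routes are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network


@dataclass
class Rule:
    section: int            # 1 = twice NAT (manual), 2 = object NAT (auto)
    real_if: str
    mapped_if: str          # 'any' matches every egress interface
    src: Net
    dst: Optional[Net]      # None = any destination (object NAT has no dst)
    action: str             # 'identity' or 'pat:<mapped-ip>'


@dataclass
class Asa:
    rules: list
    routes: dict            # prefix -> egress interface (assumed route table)
    intra_interface: bool   # same-security-traffic permit intra-interface

    def egress(self, dst):
        """Longest-prefix route lookup."""
        best = max((p for p in self.routes if dst in p), key=lambda p: p.prefixlen)
        return self.routes[best]

    def lookup(self, ingress, src, dst):
        """Return (verdict, source address after NAT) for a flow entering on `ingress`.

        Section 1 is tried before section 2, list order within a section; the
        first match wins. A rule matches only if the flow enters on real_if and
        leaves on mapped_if (or mapped_if is 'any').
        """
        src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        out_if = self.egress(dst)
        if out_if == ingress and not self.intra_interface:
            return "dropped: intra-interface traffic not permitted", None
        for rule in sorted(self.rules, key=lambda r: r.section):   # stable sort
            if rule.real_if != ingress or rule.mapped_if not in ("any", out_if):
                continue
            if src not in rule.src or (rule.dst is not None and dst not in rule.dst):
                continue
            mapped = src if rule.action == "identity" \
                else ipaddress.IPv4Address(rule.action.split(":")[1])
            return f"{rule.action} via ({rule.real_if},{rule.mapped_if}) -> {out_if}", mapped
        return f"no NAT -> {out_if}", src


POOL = Net("192.168.10.0/24")        # VPN pool from the accepted answer
INSIDE = Net("192.168.30.0/23")      # assumed internal network
OUTSIDE_IP = "203.0.113.1"           # assumed outside interface address


def build_asa(with_exemption=True, intra_interface=True):
    """Rules as the accepted answer's config would produce, plus an optional exemption."""
    rules = [
        # section 2: inside users PATed to the interface; hairpin PAT for the pool
        Rule(2, "inside", "outside", INSIDE, None, f"pat:{OUTSIDE_IP}"),
        Rule(2, "outside", "outside", POOL, None, f"pat:{OUTSIDE_IP}"),
    ]
    if with_exemption:
        # section 1: identity NAT between inside and the pool, both directions
        rules = [Rule(1, "inside", "any", INSIDE, POOL, "identity"),
                 Rule(1, "outside", "any", POOL, INSIDE, "identity")] + rules
    # decrypted VPN traffic enters on outside; the pool is reached back via outside
    routes = {INSIDE: "inside", POOL: "outside", Net("0.0.0.0/0"): "outside"}
    return Asa(rules, routes, intra_interface)


if __name__ == "__main__":
    for label, asa in (("full config", build_asa()),
                       ("no exemption", build_asa(with_exemption=False)),
                       ("no intra-interface", build_asa(intra_interface=False))):
        print(label)
        print("  vpn -> internet:", asa.lookup("outside", "192.168.10.5", "8.8.8.8"))
        print("  vpn -> inside:  ", asa.lookup("outside", "192.168.10.5", "192.168.30.10"))
        print("  inside -> vpn:  ", asa.lookup("inside", "192.168.30.10", "192.168.10.5"))
```

The "no exemption" case is the one to watch after an upgrade: the VPN user's packet to an inside host is untouched, but the reply from inside enters on inside and leaves on outside, so it falls into the `(inside,outside) dynamic interface` rule and comes back from the interface address, and the session breaks. The poster already reaches internal networks, so their exemptions are in place; the hairpin rule from the answer then only has to sit in section 2, where it cannot shadow them.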