Need Assistance with Translating Old NAT 8.2 with new NAT statements in 9.6

Abid7897061
Level 1

Hi, I need to translate old NAT statements to new statements and want to verify whether my statements are correct and what needs to be done to verify that all is good:

Old:

global (outside) 1 interface
nat (outside) 0 access-list MGT-NAT-EXEMPT
nat (inside) 0 access-list WORKER-NAT-EXEMPT
access-group MGT-ACL-IN in interface outside
access-group WORKER-ACL-OUT in interface inside

no nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 1 192.168.31.0 255.255.254.0 tcp 0 0 udp 0

Provided:

MGT-NAT-EXEMPT and WORKER-NAT-EXEMPT are extended ACLs that permit Host A and Network A to each other.

How does each statement translate to the new ASA versions?

3 Replies

Francesco Molino
VIP Alumni
Hi

You have a few tools which can help you:
- https://fwm.cisco.com/auth.do;jsessionid=36C436A92196CFA9BDBEFFD5F48B16AF#appstore:1

- https://www.tunnelsup.com/nat-converter/

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

That tunnelsup link is very helpful, thanks for that.

Currently the VPN tunnel is up; I am able to reach internal networks, however I can't reach the internet.

I think I am missing something here; as per the ASDM logs some TCP connections are denied, so I suspect the line below has not been translated.

nat (inside) 1 10.129.30.0 255.255.254.0 tcp 0 0 udp 0

What would this become in the new ASA? tunnelsup doesn't convert this one.

Thanks

Do you have a full tunnel for your VPN users? This means they access the internet through the VPN tunnel.

If so you need a NAT statement like this.
Let's assume your VPN pool subnet is 192.168.10.0/24.
The config will look like:
object network vpn
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface

And you need to enable the following command:
same-security-traffic permit intra-interface

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
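The complete 8.2 set from the question written out in 8.3+/9.x syntax, as an added example that is not part of the original post or the accepted answer. The object names (INSIDE-NET, HOST-A, VPN-POOL), the address of Host A and the contents of the two exemption ACLs are assumptions, since the thread does not give them; Network A is assumed to be the inside LAN, and the 192.168.10.0/24 pool is the one the accepted answer assumes. One correction to the posted numbers: 192.168.31.0 is not a network address for mask 255.255.254.0 (the /23 boundary is 192.168.30.0), so the objects below use 192.168.30.0; confirm which network is actually meant before applying this.

```text
! ---- 8.2 ----                                  ---- 8.3+ / 9.x ----
!
! global (outside) 1 interface
! nat (inside) 1 192.168.31.0 255.255.254.0 tcp 0 0 udp 0
!   -> one object NAT rule: dynamic PAT of the inside LAN to the outside
!      interface address. The "global" line has no separate equivalent; the
!      mapped side is named in the nat line. "tcp 0 0 udp 0" are the 8.2
!      connection limits (tcp max_conns, embryonic limit, udp max_conns);
!      0 means unlimited, which is the default, so there is nothing to carry
!      over. Connection limits now live in MPF (policy-map / set connection).
object network INSIDE-NET
 subnet 192.168.30.0 255.255.254.0
 nat (inside,outside) dynamic interface
!
! no nat (inside) 1 0.0.0.0 0.0.0.0
!   -> nothing to add: simply do not create a catch-all object with a nat line.
!
! nat (inside) 0 access-list WORKER-NAT-EXEMPT
! nat (outside) 0 access-list MGT-NAT-EXEMPT
!   -> NAT exemption ("nat 0") becomes identity twice NAT: source and
!      destination are both mapped to themselves. Assumed ACL contents:
!      WORKER-NAT-EXEMPT = permit ip 192.168.30.0 255.255.254.0 host HOST-A
!      MGT-NAT-EXEMPT    = permit ip host HOST-A 192.168.30.0 255.255.254.0
!      HOST-A's address is a placeholder.
object network HOST-A
 host 198.51.100.10
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static HOST-A HOST-A no-proxy-arp route-lookup
nat (outside,inside) source static HOST-A HOST-A destination static INSIDE-NET INSIDE-NET no-proxy-arp route-lookup
!   Static twice NAT is bidirectional, so when both ACLs describe the same
!   host/network pair the second line is redundant with the first; keep one.
!   Manual (twice) NAT is evaluated before object NAT, so this identity rule
!   wins over the INSIDE-NET dynamic PAT above for Host A traffic, which is
!   exactly what "nat 0" did in 8.2.
!
! access-group MGT-ACL-IN in interface outside
! access-group WORKER-ACL-OUT in interface inside
!   -> unchanged. Caveat: from 8.3 on, interface ACLs match real (untranslated)
!      addresses. With only PAT and exemption here the ACLs already use real
!      addresses, but any inbound rule written against a mapped IP must be
!      rewritten to the real IP.
!
! Full-tunnel remote-access VPN (the accepted answer): the pool hairpins back
! out the interface it arrived on, so it needs outside-to-outside PAT plus
! permission for intra-interface traffic.
object network VPN-POOL
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
same-security-traffic permit intra-interface
!
! ---- Verification ----
show running-config nat          ! manual NAT rules are listed before object NAT
show nat detail                  ! translate_hits / untranslate_hits per rule
show logging | include 305005    ! "No translation group found": a flow that hit no NAT rule
packet-tracer input inside tcp 192.168.30.10 40000 203.0.113.10 443
```

After applying it, the packet-tracer run should show the INSIDE-NET object NAT rule in its NAT phase and an ALLOW result; a 305005 syslog for the VPN pool source means the (outside,outside) rule or the intra-interface permission is still missing.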