
Old NAT to Version 8.4(2), Help!!!

smehrnia
Level 7

Hi guys,

I have to change an old NAT config into the 8.4(2) version. I read the Cisco migration docs and everything, but I'm still kind of confused. It'd be nice if someone could help me with this example:

OLD Config:

nat-control
!
nat (vlan12) 0 access-list No_Nat
!
access-list No_Nat extended permit ip any any
access-list allowany extended permit ip any any
!
!
access-group allowany in interface outside

Thanks a million...

Soroush.

Hope it Helps!

Soroush.
7 Replies

Jouni Forss
VIP Alumni

Hi,

To be honest, I have never configured NAT in such a way, even on the older software. I have always defined at least the source address/network and usually the destination too.

I would personally probably configure the networks behind interface "vlan12" under an "object-group network" and then use that in the NAT configuration.

For example:

object-group network VLAN12-NETWORKS
 network-object 10.10.12.0 255.255.255.0
 network-object 10.10.112.0 255.255.255.0
 network-object 10.10.212.0 255.255.255.0

nat (vlan12,any) source static VLAN12-NETWORKS VLAN12-NETWORKS

One option I thought of was also:

nat (vlan12,any) source static any any

But I tend to avoid using "any" in NAT configurations.

I am not sure what kind of network this original NAT configuration is used in. Are there perhaps only public IP addresses used behind this interface? Or is this perhaps some internal firewall that is not meant to perform private-to-public NAT for the networks?

- Jouni

Thank you for your reply. I got the concept of modular configuration and object network, but I'm not sure how to use it for this any any situation...

Is this nat (vlan12,any) source static any any really an option? That could help!

There are public addresses behind the interfaces, so it actually is not doing NAT. I've been asked to migrate the exact same config to 8.4, and the more I read on Cisco.com the more I get confused.

How about the nat-control command? Should I do something about it or just forget it since it's deprecated?

thanks again,

Soroush.


Hi,

There is no "nat-control" any more.

On a very basic firewall setup you would currently only configure Dynamic PAT/NAT towards the public network. No other NAT would be needed, for example between your local interfaces, if you didn't specifically want to NAT the addresses.

The idea of using the "object-group network" to group all the networks behind "vlan12" was simply to try to keep the NAT operation the same without using the "any" parameter.

I did write a NAT 8.3+ document here on the CSC, though it's still a work in progress:

https://supportforums.cisco.com/docs/DOC-31116

- Jouni

So, what you basically mean is that while in the older version it needed the above configuration to allow any traffic to flow freely (without NAT) between the interfaces, in version 8.3+ it's not necessary to add anything; just leave it as is and it would work just fine! Did I get it right?

Thanks for the info again!

Soroush.


Hi,

In general, if you had a setup where the firewall was ONLY doing access control and NAT was not required at all, then you could leave the ASA on the new software without any NAT configuration.

But usually the situation is that there is some NAT configuration that needs to be applied, as firewalls are typically at the edge between the internal and external network.

I tend to first go through the entire NAT configuration and operation of the firewall that is about to be migrated. Then I build the new NAT rules on the basis of that.

Usually I first convert the Dynamic PAT/NAT and Static NAT/PAT rules and leave the special Policy NAT or NAT0 configurations for last.

I am very hesitant to say that I am 100% sure the above configuration would handle your situation, BUT it looks to me that it should do the same. As I said, I would rather be as specific as I can when building the NAT rules and avoid using "any" in the NAT configuration, just to avoid any possible surprises with the NAT operation.

- Jouni

Hi,

Since there is nothing NAT-specific in the old IOS configuration, I guess it's safe to go by the any any config.

It's just the nat-control and a bunch of nat (vlanX) 0 access-list ... config. That's all.

Thanks for your elaboration, Jouni.

Soroush.


So it seems that the current firewall configuration has "nat-control", which basically means that there needs to be some NAT configuration for traffic passing the firewall.

Since all the NAT configurations are NAT0, it would seem that you might be able to leave out all NAT configurations from the new software version.

Please do remember to mark a reply as the correct answer if it answered your question and/or rate helpful answers.

Feel free to ask more if needed.

- Jouni
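Editor's note, to tie the thread together: the pre-8.3 "nat (iface) 0 access-list NAME" form is NAT exemption, and the rule Jouni sketched ("source static X X", optionally with "destination static Y Y") is the 8.3+ twice-NAT identity rule that preserves it. The script below is an added example, not code from this thread, from Cisco, or from the ASA migration tool. It parses the old NAT0 lines plus the ACLs they reference and emits the equivalent 8.3+ config: "nat-control" is dropped (the command no longer exists), each ACL entry with real addresses becomes "object network" definitions plus an identity rule, and an entry of "permit ip any any" is reported as needing no rule at all, which is the thread's conclusion. The object naming "obj-<network>" mirrors what the 8.3 auto-migration produces but is an assumption here, and the sample inputs are constructed. The one practitioner caveat it encodes as the explicit_identity option: "no rule" only means "no translation" when no other NAT rule (for example a dynamic PAT written with "any") would otherwise match that traffic; if such a rule exists on the box, keep an explicit identity rule in front of it.

```python
import ipaddress
import re

# Pre-8.3 NAT exemption and the extended ACL entries it points at.
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")


def parse_endpoint(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'.

    Returns (network_or_any, remaining_tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]}/32", tokens[2:]
    net = ipaddress.IPv4Network((tokens[0], tokens[1]), strict=False)
    return str(net), tokens[2:]


def object_lines(net):
    """Return (name to use in the nat rule, 'object network' lines to define it).

    'any' needs no object in 8.3+ twice NAT. The obj-<network> naming is an
    assumption modelled on the 8.3 auto-migration output."""
    if net == "any":
        return "any", []
    n = ipaddress.IPv4Network(net)
    name = f"obj-{n.network_address}"
    body = f" host {n.network_address}" if n.prefixlen == 32 \
        else f" subnet {n.network_address} {n.netmask}"
    return name, [f"object network {name}", body]


def convert(old_config, explicit_identity=False):
    """Translate old nat-control / NAT0 config text into 8.3+ twice-NAT rules.

    Returns (config_lines, notes). With explicit_identity=False a NAT0 entry
    of 'permit ip any any' produces no rule, because without nat-control
    traffic that matches no NAT rule passes untranslated. With
    explicit_identity=True it produces 'source static any any' instead,
    for boxes where another NAT rule would otherwise catch that traffic."""
    acls = {}   # acl name -> [(src, dst), ...]
    nat0 = []   # [(interface, acl name), ...]
    notes = []
    for raw in old_config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line == "nat-control":
            notes.append("nat-control removed: the command does not exist in 8.3+")
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0.append((m.group(1), m.group(2)))
            continue
        m = ACL_RE.match(line)
        if m:
            src, rest = parse_endpoint(m.group(2).split())
            dst, _ = parse_endpoint(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
        # access-group and anything else is not NAT and is left alone.

    out, defined = [], set()
    for iface, acl in nat0:
        for src, dst in acls.get(acl, []):
            if src == "any" and dst == "any" and not explicit_identity:
                notes.append(f"nat ({iface}) 0 exempted everything: no 8.3+ rule "
                             "needed unless another NAT rule would match this traffic")
                continue
            src_name, src_obj = object_lines(src)
            dst_name, dst_obj = object_lines(dst)
            for name, obj in ((src_name, src_obj), (dst_name, dst_obj)):
                if obj and name not in defined:   # emit each object once
                    defined.add(name)
                    out.extend(obj)
            rule = f"nat ({iface},any) source static {src_name} {src_name}"
            if dst != "any":
                rule += f" destination static {dst_name} {dst_name}"
            out.append(rule)
    return out, notes


# Constructed sample: the config from the original post.
THREAD_CONFIG = """
nat-control
!
nat (vlan12) 0 access-list No_Nat
!
access-list No_Nat extended permit ip any any
access-list allowany extended permit ip any any
!
access-group allowany in interface outside
"""

if __name__ == "__main__":
    lines, notes = convert(THREAD_CONFIG)
    print("\n".join(lines) or "(no NAT configuration required)")
    print("\n".join(notes))
```

Run on the thread's own config it emits no NAT lines and two notes (nat-control dropped, exemption of everything needs no rule); with explicit_identity=True it emits the single "nat (vlan12,any) source static any any" line Jouni mentioned. On a NAT0 ACL with real networks it emits the objects and "source static ... destination static ..." identity rules, which is the form to compare against what "show running-config nat" reports after the box upgrades itself.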
