06-24-2013 06:39 PM - edited 03-11-2019 07:02 PM
I am tasked with replacing an old PIX with an ASA 5505. All was fine until I got to the GLOBAL and NAT commands, when the ASA stated that these are deprecated. After reading documentation online, I unfortunately cannot wrap my head around this. The commands I need to convert are:
global (outside) 1 192.168.5.5
global (outside) 2 interface
nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
How can I convert these for the ASA?
Thanks
06-24-2013 11:31 PM
Hi,
Are you sure that is the whole configuration? It's just that I see a "global" configuration with ID 2 with no matching "nat" statement. Though naturally it can be some unused old configuration left over.
global (outside) 1 192.168.5.5
nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0
You can convert the above configuration using this format
object-group network DEFAULT-PAT-SOURCE
network-object 172.16.32.0 255.255.255.0
network-object 172.16.35.0 255.255.255.0
object network PAT-IP
host 192.168.5.5
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE PAT-IP
Do you have some other device holding the public IP address in front of the ASA, since the above "global" has a private IP address? And considering that the ID 2 rule didn't have any source address specifications.
I've also got to admit that I have never used the below configuration myself
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
Which to my understanding is regular Identity NAT. If I understood Cisco's logic with that NAT configuration, it should not override the Dynamic PAT configurations originally on the PIX.
Hope this helps
Please do remember to mark the reply as the correct answer if it answered your question.
Naturally ask more if needed.
- Jouni
06-25-2013 08:29 AM
Thanks for the reply. Here is the entire config. What else do I need to change?
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password k4HlcGX2lC1ypFOm encrypted
passwd y5Nu/Nt1/5dK8Iuf encrypted
hostname fw
clock timezone EST -5
clock summer-time ESD recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list permit-in permit icmp any any echo
access-list permit-in permit icmp any any echo-reply
access-list permit-in permit ip host 192.168.8.10 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.11 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.12 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.13 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.24 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.7 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.22 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.34 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.25 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.45 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.46 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.47 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.48 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.49 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.50 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.51 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.52 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.154 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.17 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.41 192.168.5.0 255.255.255.0
access-list permit-in permit tcp 192.168.7.0 255.255.255.0 host 192.168.5.36 eq https
access-list permit-in permit ip host 192.168.8.150 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.148 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.149 192.168.5.0 255.255.255.0
pager lines 24
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.15.5 255.255.255.252
ip address inside 192.168.5.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 192.168.5.251
global (outside) 2 interface
nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0
nat (inside) 1 172.16.36.0 255.255.255.0 0 0
nat (inside) 1 172.16.37.0 255.255.255.0 0 0
nat (inside) 1 172.16.38.0 255.255.255.0 0 0
nat (inside) 1 172.16.39.0 255.255.255.0 0 0
nat (inside) 1 172.16.40.0 255.255.255.0 0 0
nat (inside) 1 172.16.45.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.5.90 192.168.5.90 netmask 255.255.255.255 0 0
access-group permit-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.15.5 1
route inside 172.16.32.0 255.255.255.0 192.168.5.25 1
route inside 172.16.35.0 255.255.255.0 192.168.5.25 1
route inside 172.16.36.0 255.255.255.0 192.168.5.25 1
route inside 172.16.37.0 255.255.255.0 192.168.5.25 1
route inside 172.16.38.0 255.255.255.0 192.168.5.25 1
route inside 172.16.39.0 255.255.255.0 192.168.5.25 1
route inside 172.16.40.0 255.255.255.0 192.168.5.25 1
route inside 172.16.45.0 255.255.255.0 192.168.5.25 1
route inside 192.168.205.0 255.255.255.0 192.168.5.25 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d825bff50561364fb1ade3f2547c77ea
: end
Thanks for your help on this!
07-01-2013 05:56 PM
What would I have to change in the config above to make this work on an ASA that is version 9 IOS? Thanks
07-02-2013 12:23 AM
Hi,
So this is your NAT configuration
global (outside) 1 192.168.5.251
global (outside) 2 interface
nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0
nat (inside) 1 172.16.36.0 255.255.255.0 0 0
nat (inside) 1 172.16.37.0 255.255.255.0 0 0
nat (inside) 1 172.16.38.0 255.255.255.0 0 0
nat (inside) 1 172.16.39.0 255.255.255.0 0 0
nat (inside) 1 172.16.40.0 255.255.255.0 0 0
nat (inside) 1 172.16.45.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.5.90 192.168.5.90 netmask 255.255.255.255 0 0
To me it seems that the following configurations won't have to be converted to anything, as they don't do any kind of translation to the original address or they are missing some related configurations.
static (inside,outside) 192.168.5.90 192.168.5.90 netmask 255.255.255.255 0 0
global (outside) 2 interface
You should be able to do the same in the new software with the below configuration
object-group network DEFAULT-PAT-SOURCE
network-object 172.16.32.0 255.255.255.0
network-object 172.16.35.0 255.255.255.0
network-object 172.16.36.0 255.255.255.0
network-object 172.16.37.0 255.255.255.0
network-object 172.16.38.0 255.255.255.0
network-object 172.16.39.0 255.255.255.0
network-object 172.16.40.0 255.255.255.0
network-object 172.16.45.0 255.255.255.0
object network PAT-IP
host 192.168.5.251
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE PAT-IP
Hope this helps
Please do remember to mark the reply as the correct answer if it answered your question.
- Jouni
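The two replies above convert one PIX NAT id by hand. The script below, an added example that is not part of this thread or of Cisco's own 8.3 migration code, does the same mapping for every id in a PIX config: it groups the `nat` networks of an id into an object-group, turns the matching `global` into a host object (or the `interface` keyword), emits the `after-auto source dynamic` rule, and flags `nat` lines with an access-list or connection limits for manual review instead of guessing at them. Two choices are my own assumptions, not something the thread states: the catch-all `nat 0` identity rule is emitted after the PAT rules in the same after-auto section so that first-match there reproduces the PIX's most-specific-match between `nat 1` and `nat 0`, and it uses `any` as the mapped interface. Object names such as `PAT-SOURCE-1` and `IDENTITY-0.0.0.0` are mine; review the output before pasting it into an ASA.

```python
"""Convert PIX 6.x global/nat/static lines into ASA 8.3+ object-based NAT.

Added example for this thread, not Cisco's own migration code. It covers only
the forms in the posted config: dynamic PAT to a host or to 'interface',
'nat 0' identity NAT without an access-list, and one-to-one 'static'. Policy
NAT (access-list) and connection limits are reported for manual conversion,
not guessed at.
"""
import re
from collections import defaultdict

# Constructed sample: the NAT-related lines from the PIX config posted above.
PIX_SAMPLE = """\
global (outside) 1 192.168.5.251
global (outside) 2 interface
nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.5.90 192.168.5.90 netmask 255.255.255.255 0 0
"""

IP = r"\d+\.\d+\.\d+\.\d+"
GLOBAL_RE = re.compile(rf"^global \((\S+)\) (\d+) (interface|{IP})$")
NAT_RE = re.compile(rf"^nat \((\S+)\) (\d+) ({IP}) ({IP})(?: \d+ \d+)?$")
STATIC_RE = re.compile(rf"^static \((\S+),(\S+)\) ({IP}) ({IP}) netmask ({IP})(?: \d+ \d+)?$")


def parse_pix(text):
    """Group PIX NAT lines by NAT id; lines of any other shape go to 'unsupported'."""
    pools = defaultdict(list)    # nat id -> [(outside interface, host IP or 'interface')]
    nats = defaultdict(list)     # nat id -> [(inside interface, network, mask)]
    statics = []                 # [(real_if, mapped_if, mapped_ip, real_ip, mask)]
    unsupported = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := GLOBAL_RE.match(line):
            pools[int(m.group(2))].append((m.group(1), m.group(3)))
        elif m := NAT_RE.match(line):
            nats[int(m.group(2))].append((m.group(1), m.group(3), m.group(4)))
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
        else:
            unsupported.append(line)
    return pools, nats, statics, unsupported


def convert(pools, nats, statics, unsupported):
    """Emit ASA 8.3+ lines. Dynamic PAT rules come before the catch-all identity
    rule in the after-auto section (my ordering assumption), so first-match there
    gives the same outcome as the PIX's most-specific-match between nat 1 and nat 0."""
    out = []
    for nat_id in sorted(i for i in nats if i != 0):
        if nat_id not in pools:
            out.append(f"! nat id {nat_id} has no matching global; nothing to translate to")
            continue
        grp = f"PAT-SOURCE-{nat_id}"
        out.append(f"object-group network {grp}")
        out += [f" network-object {net} {mask}" for _, net, mask in nats[nat_id]]
        hosts = [ip for _, ip in pools[nat_id] if ip != "interface"]
        if len(hosts) > 1:
            out.append(f"! nat id {nat_id}: several global pools, convert by hand")
            continue
        mapped = "interface"
        if hosts:
            mapped = f"PAT-IP-{nat_id}"
            out += [f"object network {mapped}", f" host {hosts[0]}"]
            if any(ip == "interface" for _, ip in pools[nat_id]):
                mapped += " interface"   # fall back to the interface address when the host pool is exhausted
        for in_if in sorted({e[0] for e in nats[nat_id]}):
            for out_if in sorted({p[0] for p in pools[nat_id]}):
                out.append(f"nat ({in_if},{out_if}) after-auto source dynamic {grp} {mapped}")
    for in_if, net, mask in nats.get(0, []):
        obj = f"IDENTITY-{net}"   # PIX nat 0 without an access-list: identity NAT
        out += [f"object network {obj}", f" subnet {net} {mask}",
                f"nat ({in_if},any) after-auto source static {obj} {obj}"]
    for real_if, mapped_if, mapped, real, mask in statics:
        if mapped == real:
            out.append(f"! static {real} -> {mapped} translates nothing; no ASA rule needed")
            continue
        obj = f"STATIC-{real}"
        out += [f"object network {obj}",
                f" host {real}" if mask == "255.255.255.255" else f" subnet {real} {mask}",
                f" nat ({real_if},{mapped_if}) static {mapped}"]
    for nat_id in sorted(i for i in pools if i not in nats):
        out.append(f"! global id {nat_id} has no nat statement using it; unused on the PIX")
    for line in unsupported:
        out.append(f"! MANUAL REVIEW (access-list / connection limits not converted): {line}")
    return out


if __name__ == "__main__":
    print("\n".join(convert(*parse_pix(PIX_SAMPLE))))
```

Run it against the full `global`/`nat`/`static` block of a PIX config; the `!` lines in the output are the items that still need a human decision, which is exactly where the hand conversion in this thread had to stop and ask questions (the unused `global ... 2 interface`, the identity `static`).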
07-10-2018 03:05 AM - edited 07-10-2018 03:07 AM
I'm using the same thread as I've run into much the same issue. I have to convert the NAT/Global config from a PIX to an ASA, and I'm not sure about the following config.
global (outside-sftp) 1 172.31.129.26
global (inside) 1 192.168.1.14
nat (DMZ-BRD) 1 access-list NAT-monitorizare tcp 500 1000
nat (DMZ-BRD) 1 10.55.0.0 255.255.0.0 tcp 500 1000
How the config on ASA should be?
Any help will be much appreciated.
Thank you in advance