Hi,
Ok, so looking at your configuration it would seem to me the old/current ones are meant for this:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (VPN) 1 10.21.1.0 255.255.255.0 0 0
- Default PAT for Internet traffic for inside and VPN interface hosts
static (inside,DMZ) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (inside,VPN) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (inside,VPN) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
- NAT configuration between the local interfaces networks so that each network is visible to eachother with their original IP address
By the way, does the DMZ really not have any NAT configurations towards Internet?
So if you want to convert those from 6.3 to 8.4 the new configurations would be the following
PAT for VPN Internet traffic
object-group network PAT-VPN-SOURCE
network-object 10.21.1.0 255.255.255.0
nat(VPN,outside) after-auto source dynamic PAT-VPN-SOURCE interface
- Above configuration will create an object-group under which you can specify the source network for which PAT translation will be done.
- If you dont care about the source address, you can ignore the object-group and replace it with keyword/parameter "any" in the "nat" configuration line. (Look at the below configuration)
PAT for INSIDE Internet traffic
nat (inside,outside) after-auto source dynamic any interface
- Above configuration will simply PAT traffic from INSIDE to OUTSIDE with "any" source address.
- Same can be done for the VPN interface if needed
All the rest of the NAT configurations (4 static commands) can be left out as the default behaviour for new ASA software is to pass the traffic unNATed through the ASA IF they dont have a specific NAT rule.
- Jouni
