Beginner

Quick question re: migration of nat exemption from asa pre-8.2 to post-8.2

I am going through http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.pdf and I have a question about nat exemption.  According to the guide above, the migration of nat exemption will look like this:

-----
access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
-----
object network obj-vLan201
 subnet vLan201 255.255.255.0

object network obj-172.19.252.0
 subnet 172.19.252.0 255.255.255.0

nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.252.0 obj-172.19.252.0
-----

My question is this: if acl inside_nat0_outbound has multiple ACEs, does the migrated configuration contain a separate "nat (inside,any)" statement for each ACE in the original pre-8.3 config, like this?

-----
access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.253.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
-----
object network obj-vLan201
 subnet vLan201 255.255.255.0

object network obj-172.19.252.0
 subnet 172.19.252.0 255.255.255.0

object network obj-172.19.253.0
 subnet 172.19.253.0 255.255.255.0

nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.252.0 obj-172.19.252.0
nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.253.0 obj-172.19.253.0
-----

Our current acl has about twenty entries, which would make for twenty nat statements, if this is right.

Thanks,

-Mathew
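To see how the per-ACE expansion asked about above scales, here is an added Python script (not from the thread, and not Cisco's own migration tool) that applies the rewrite the guide describes to a constructed pre-8.3 snippet: one `object network` per distinct network, shared across ACEs, and one `nat (iface,any) source static ... destination static ...` line per ACE. It assumes `permit ip` ACEs with subnet or `host` endpoints only, and writes the full keyword `destination` where the post abbreviates it to `dest`.

```python
import re

# Constructed pre-8.3 snippet modelled on the thread's examples; vLan201 is a `name`
# alias as in the post, and a host ACE is added to show that case as well.
OLD_CONFIG = """\
access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.253.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 10.1.1.5 172.19.254.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse_endpoint(tokens):
    """Consume one address spec ('host A' or 'A MASK') from the front of tokens; return (obj name, obj body)."""
    if tokens[0] == "host":
        addr = tokens[1]
        del tokens[:2]
        return f"obj-{addr}", f"host {addr}"
    addr, mask = tokens.pop(0), tokens.pop(0)
    if mask == "255.255.255.255":  # a /32 subnet is just a host object
        return f"obj-{addr}", f"host {addr}"
    return f"obj-{addr}", f"subnet {addr} {mask}"


def migrate_nat0(config):
    """Return 8.3-style object and twice-NAT lines for every `nat (iface) 0 access-list` rule."""
    aces = {}  # ACL name -> list of ((src_obj, src_body), (dst_obj, dst_body))
    nat0 = []  # (interface, ACL name) pairs from the old nat 0 statements
    for line in config.splitlines():
        if m := ACE_RE.match(line):
            tokens = m.group(2).split()
            src, dst = parse_endpoint(tokens), parse_endpoint(tokens)
            if tokens:  # anything beyond two endpoints is not handled by this script
                raise ValueError(f"unsupported ACE: {line}")
            aces.setdefault(m.group(1), []).append((src, dst))
        elif m := NAT0_RE.match(line):
            nat0.append((m.group(1), m.group(2)))
    objects = {}  # one object per distinct network, reused by every ACE that names it
    nats = []     # exactly one twice-NAT statement per ACE, as the guide's mapping implies
    for iface, acl in nat0:
        for (src_obj, src_body), (dst_obj, dst_body) in aces.get(acl, []):
            objects.setdefault(src_obj, src_body)
            objects.setdefault(dst_obj, dst_body)
            nats.append(f"nat ({iface},any) source static {src_obj} {src_obj} "
                        f"destination static {dst_obj} {dst_obj}")
    out = []
    for name, body in objects.items():
        out += [f"object network {name}", f" {body}"]
    return out + nats
```

Running `print("\n".join(migrate_nat0(OLD_CONFIG)))` on the sample yields five objects and three `nat` lines, so a twenty-ACE exemption list does indeed become twenty `nat` statements.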

1 Reply
Mentor


Hi,

The default behaviour for NAT past the 8.2 software level is to let traffic flow through the ASA without NAT. Before that, the "nat-control" setting on the ASA defined whether the traffic needed a NAT configuration or not.

If your NAT0 / NAT Exempt configurations contain statements meant for VPN connections, then you have to make new ones for those.

Are the entries in your old NAT0 configurations meant for traffic between different networks in your own LAN, or are they meant for different VPN connections? Or perhaps both.

But as you said, moving to the new software does mean that even some simple NAT configurations will now require more configuration than in the old software.

- Jouni
