Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
340
Views
5
Helpful
4
Replies

5512 ASA Old NAT to new NAT Help please

Go to solution
John Clausen
Level 1
Level 1

‎10-01-2014 06:57 AM - edited ‎03-11-2019 09:50 PM

Hello Everyone...

I was wondering if anyone could help translate these old NAT commands to the new NAT commands for a 5512-x ASA.

I guess I am having trouble wrapping my head around the whole thing and I don't program enough routers to really retain anything.

 

Here goes the old NAT:

nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) udp interface 5008 192.9.200.5 5008 netmask 255.255.255.255 
static (inside,outside) udp interface 5020 192.9.200.6 5020 netmask 255.255.255.255 

Thanks in advance for the help,

John

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to John Clausen

‎10-01-2014 03:51 PM

Hi,

 

You can do that with

 

object network SUB-1
 subnet 192.9.200.0 255.255.255.0

 

object network SUB-2
 subnet 192.168.201.0 255.255.255.192

 

nat (inside,outside) source static SUB-1 SUB-1 destination static SUB-2 SUB-2

 

Hope this helps :)

 

Please do remember to mark a reply as the correct answer if it answered your question.

 

- Jouni

View solution in original post

4 Replies 4

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎10-01-2014 09:19 AM

Hi,

 

We will need the output of this command

 

show access-list inside_nat0_outbound

 

Without we can not tell you the corresponding NAT0 configuration in new format.

 

The other NAT configurations can be done this way

 

Static PAT (Port Forward)

 

object network STATIC-PAT-UDP5008
 host 192.9.200.5
 nat (inside,outside) static interface service udp 5008 5008

 

object network STATIC-PAT-UDP5020
 host 192.9.200.6
 nat (inside,outside) static interface service udp 5020 5020

 

Dynamic PAT

 

nat (inside,outside) after-auto source dynamic any interface

 

Here is a link to a document I wrote in 2013 about the new NAT configuration format:

 

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

 

Here is also a great document when you want to compare the old and the new configuration format:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

 

Hope this helps :)

 

- Jouni

0 Helpful

Go to solution
John Clausen
Level 1
Level 1
In response to Jouni Forss

‎10-01-2014 11:09 AM

Here it the output to show access-list inside_nat0_outbound:

access-list inside_nat0_outbound; 1 elements; name hash: 0x467c8ce4
access-list inside_nat0_outbound line 1 extended permit ip 192.9.200.0 255.255.255.0 192.168.201.0 255.255.255.192 (hitcnt=0) 0xe928f53a

Thanks for your help!!

John

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to John Clausen

‎10-01-2014 03:51 PM

Hi,

 

You can do that with

 

object network SUB-1
 subnet 192.9.200.0 255.255.255.0

 

object network SUB-2
 subnet 192.168.201.0 255.255.255.192

 

nat (inside,outside) source static SUB-1 SUB-1 destination static SUB-2 SUB-2

 

Hope this helps :)

 

Please do remember to mark a reply as the correct answer if it answered your question.

 

- Jouni

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎10-01-2014 05:13 PM

I have used this tool in the past:

http://www.tunnelsup.com/nat-converter/

There are some other cool tools that you can find useful. As mentioned by Jouni, you will have to update your ACLs as well.

 

Thank you for rating helpful posts!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card