Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
563
Views
20
Helpful
3
Replies

8.2 NAT to 9.x NAT

Go to solution
johnlloyd_13
Level 9
Level 9

‎09-18-2015 05:40 AM - edited ‎03-11-2019 11:37 PM

hi all,

i'm upgrading a 5510 8.2 ASA to 5525-X 9.2 ASA.

can someone confirm my NAT config correct?

 

global (outside) 2 203.199.3.6

 

nat (inside) 2 172.27.169.0 255.255.255.0

 

object network PAT1
 subnet 172.27.169.0 255.255.255.0
 nat (inside,outside) dynamic 203.199.3.6

 

also, is the keyword 'dns' necessary at the end of NAT statements? especially for my static NAT.

i don't know if my downstream customer are using it for web server (FQDN/A record) and if if they need a DNS re-write. this

just want to put just to be sure if they run it or not.

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rishabh Seth
Level 7
Level 7

‎09-18-2015 05:57 AM

Hi John,

 

The configuration is correct for dynamic PAT. As far as the dns keyword is concerned, it is not mandatory, but in case you have it in your old config then you can continue to use it your new configuration as well.

Hope it helps!!

Thanks,
R.Seth

View solution in original post

3 Replies 3

Go to solution
Rishabh Seth
Level 7
Level 7

‎09-18-2015 05:57 AM

Hi John,

 

The configuration is correct for dynamic PAT. As far as the dns keyword is concerned, it is not mandatory, but in case you have it in your old config then you can continue to use it your new configuration as well.

Hope it helps!!

Thanks,
R.Seth

Go to solution
johnlloyd_13
Level 9
Level 9
In response to Rishabh Seth

‎09-18-2015 06:11 AM

hi,

thanks! one last thing, i want to do some clean up on the subnets that aren't used anymore.

i know that 172.27.119.0/24 is no longer active but i can still see this subnet on the show nat output (upper half in red vs below in blue).

how can i be really sure that it's no longer being used for NAT?

 

 match ip inside 172.27.119.0 255.255.255.0 outside any
    dynamic translation to pool 1 (203.199.30.134 [Interface PAT])
    translate_hits = 3175737, untranslate_hits = 422846
 

match ip inside 172.27.119.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0

Go to solution
Rishabh Seth
Level 7
Level 7
In response to johnlloyd_13

‎09-18-2015 06:26 AM

Hi John,

 

The output you have attached can be  a cumulative value.

If show nat output shows increment in the translate and untranslate count then there has to be users present in your network in the subnet.

Regarding your PAT rule:

If the IP 203.199.3.6 is configured on interface then use the keyword interface instead of IP:

your nat would look like:

 

object network PAT1
 subnet 172.27.169.0 255.255.255.0
 nat (inside,outside) dynamic interface

 

interface = 203.199.3.6

 

Thanks,

R.Seth

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card