Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
140
Views
0
Helpful
1
Replies

ASA 5505 V7.2 to ASA 5506-X Nebie having trouble converting ACLs hanging up on name field alias

iwalker01
Level 1
Level 1

‎06-23-2017 10:20 PM - edited ‎03-12-2019 02:37 AM

I have early in the config aliases for IPs using the names command

Those work without complaint.

names

 name 172.16.10.0 mine-LAN

Later I try to use the following access-list command and it doesn't work faling on the start of mine-LAN

access-list LAN_nat0_outbound extended permit ip mine-LAN 255.255.255.0 10.16.10.0 255.255.255.0

So I replace the name with the IP and the CLI accepts the command:

access-list LAN_nat0_outbound extended permit ip 172.16.10.0 255.255.255.0 10.16.10.0 255.255.255.0

What has changed between ASA Version 7.2(4)  and the new  9.6(1) with regard to using names as aliases?

Your help to a newbie is much appreciated. 

Thx

Ian

Labels:
0 Helpful
1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-24-2017 02:14 AM

As of ASA 8.x we started using objects and object NAT. So now you declare an object and then its NAT rule. for things we exempt from NAT, we use a "twice NAT " or "identity NAT" rule type.

For example:

object network mine-LAN
 subnet 172.16.10.0 255.255.255.0
 nat (inside,outside) source static mine-LAN mine-LAN destination static any any no-proxy-arp route-lookup

Here's one good short article:

https://networkology.net/2012/05/06/identity-nat-asa-8-38-4/

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card