ASA 5525x sample config ?

o.fulbert
Level 1

Hello,

I used to set up some ASA55xx, but with the new version I can't manage to find any sample config on the CCO to help me configure it.

Can't an 8.2 or 8.3 config be upgraded to 8.6???

I have started reading the 8.6 CLI config, but ...... it's not very clear to me ....

A simple config with a DMZ, a web server and some statics!!!!

ASA 8.0 was so simple .... compared to 8.3 or later ....

I don't see a lot of people using the 55x. Is that normal?

5 Replies

Hi Bro

When you do an incremental upgrade from 8.2 --> 8.3 --> 8.4 --> 8.6, the configuration in the ASA will auto-convert for you. If it doesn't, you could paste your 8.2 config, and we can assist you to convert it to 8.6 :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

nkarthikeyan
Level 7

Hi Fulbert,

Your config changes from 8.2 to 8.3 will have some issues in getting converted, especially with the NAT commands.

8.3 to 8.6 will not have any issues in the conversion. Most of the command set will be the same, except for a few commands like NAT. The NAT samples below will help you distinguish between the older OS and the newer OS.

Please do rate if the given information helps.

Static NAT/PAT

Regular Static NAT

Pre-8.3 NAT:
static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255

8.3 NAT:
object network obj-10.1.1.6
    host 10.1.1.6
    nat (inside,outside) static 192.168.100.100
Regular Static PAT

Pre-8.3 NAT:
static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255

8.3 NAT:
object network obj-10.1.1.16
    host 10.1.1.16
    nat (inside,outside) static 192.168.100.100 service tcp 8080 www
Static Policy NAT

Pre-8.3 NAT:
access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
static (inside,outside) 192.168.100.100 access-list NET1

8.3 NAT:
object network obj-10.1.2.27
    host 10.1.2.27
object network obj-192.168.100.100
    host 192.168.100.100
object network obj-10.76.5.0
    subnet 10.76.5.0 255.255.255.224
nat (inside,outside) source static obj-10.1.2.27 obj-192.168.100.100 destination static obj-10.76.5.0 obj-10.76.5.0
Regular Dynamic PAT

Pre-8.3 NAT:
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.168.100.100

8.3 NAT:
object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.1.0
    subnet 10.1.1.0 255.255.255.0
    nat (dmz,outside) dynamic 192.168.100.100
Regular Dynamic PAT (two global pools)

Pre-8.3 NAT:
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 192.168.100.100
global (dmz) 1 192.168.1.1

8.3 NAT:
object network obj-10.1.2.0
    subnet 10.1.2.0 255.255.255.0
    nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.2.0-01
    subnet 10.1.2.0 255.255.255.0
    nat (inside,dmz) dynamic 192.168.1.1
Regular Dynamic PAT (interface PAT)

Pre-8.3 NAT:
nat (inside) 1 0 0
global (outside) 1 interface

8.3 NAT:
object network obj_any
    subnet 0.0.0.0 0.0.0.0
    nat (inside,outside) dynamic interface
Dynamic Policy NAT

Pre-8.3 NAT:
object-group network og-net-src
    network-object 192.168.1.0 255.255.255.0
    network-object 192.168.2.0 255.255.255.0
object-group network og-net-dst
    network-object 192.168.200.0 255.255.255.0
object-group service og-ser-src
    service-object tcp gt 2000
    service-object tcp eq 1500
access-list NET6 extended permit object-group og-ser-src object-group og-net-src object-group og-net-dst
nat (inside) 10 access-list NET6
global (outside) 10 192.168.100.100

8.3 NAT:
object network obj-192.168.100.100
    host 192.168.100.100
object service obj-tcp-range-2001-65535
    service tcp destination range 2001 65535
object service obj-tcp-eq-1500
    service tcp destination eq 1500
nat (inside,outside) source dynamic og-net-src obj-192.168.100.100 destination static og-net-dst og-net-dst service obj-tcp-range-2001-65535 obj-tcp-range-2001-65535
nat (inside,outside) source dynamic og-net-src obj-192.168.100.100 destination static og-net-dst og-net-dst service obj-tcp-eq-1500 obj-tcp-eq-1500
Policy Dynamic NAT (with multiple ACEs)

Pre-8.3 NAT:
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.4.0 255.255.255.0
nat (inside) 1 access-list ACL_NAT
global (outside) 1 192.168.100.100

8.3 NAT:
object network obj-172.29.0.0
    subnet 172.29.0.0 255.255.0.0
object network obj-192.168.100.100
    host 192.168.100.100
object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
object network obj-192.168.4.0
    subnet 192.168.4.0 255.255.255.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.3.0 obj-192.168.3.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.4.0 obj-192.168.4.0
Outside NAT

Pre-8.3 NAT:
global (inside) 1 10.1.2.30-10.1.2.40
nat (dmz) 1 10.1.1.0 255.255.255.0 outside
static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255

8.3 NAT:
object network obj-10.1.2.27
    host 10.1.2.27
    nat (inside,dmz) static 10.1.1.5
object network obj-10.1.2.30-10.1.2.40
    range 10.1.2.30 10.1.2.40
object network obj-10.1.1.0
    subnet 10.1.1.0 255.255.255.0
    nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40
NAT & Interface PAT together

Pre-8.3 NAT:
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
global (outside) 1 192.168.100.100-192.168.100.200

8.3 NAT:
object network obj-192.168.100.100_192.168.100.200
    range 192.168.100.100 192.168.100.200
object network obj-10.1.2.0
    subnet 10.1.2.0 255.255.255.0
    nat (inside,outside) dynamic obj-192.168.100.100_192.168.100.200 interface
NAT & Interface PAT with additional PAT together

Pre-8.3 NAT:
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 192.168.100.1-192.168.100.200
global (outside) 1 interface
global (outside) 1 192.168.100.210

8.3 NAT:
object network obj-192.168.100.100_192.168.100.200
    range 192.168.100.100 192.168.100.200
object network obj-10.0.0.0
    subnet 10.0.0.0 255.0.0.0
object network second-pat
    host 192.168.100.210
object-group network dynamic-nat-pat
    network-object object obj-192.168.100.100_192.168.100.200
    network-object object second-pat
nat (inside,outside) source dynamic obj-10.0.0.0 dynamic-nat-pat interface
Static NAT for a Range of Ports

Pre-8.3 NAT:
Not possible - need to write multiple statements or perform a static one-to-one NAT.

8.3 NAT:
             (in)    (out)
10.1.1.1-------ASA-------xlate-------> 10.2.2.2
Original ports: 10000 - 10010
Translated ports: 20000 - 20010

object service ports
    service tcp source range 10000 10010
object service ports-xlate
    service tcp source range 20000 20010
object network server
    host 10.1.1.1
object network server-xlate
    host 10.2.2.2
nat (inside,outside) source static server server-xlate service ports ports-xlate

Karthik

And what about this old command that permits inside to DMZ without translation?

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

object network Inside_subnet
    subnet 192.168.0.0 255.255.0.0
nat (inside,dmz) source static Inside_subnet Inside_subnet

Regards,

Remember to rate all of the helpful posts and mark the question as answered

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
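Added example, not from this thread or from Cisco: a small Python converter for the simplest rows of Karthik's table (regular static NAT/PAT and nat/global dynamic PAT) plus the identity static from the follow-up question, which it generalises to any subnet static by emitting twice NAT between two network objects. Object names such as obj-10.1.1.6 and obj-10.1.2.0-01 follow the table's convention; policy NAT, outside NAT and PAT pool ranges are rejected rather than guessed.

```python
from collections import defaultdict

PORT_NAMES = {"80": "www"}  # the ASA echoes well-known ports by name, as the table does


def convert_static(t):
    """pre-8.3: static (real,mapped) [proto] mapped [mport] real [rport] netmask m"""
    real_if, mapped_if = t[1].strip("()").split(",")
    body, mask = t[2:t.index("netmask")], t[t.index("netmask") + 1]
    svc = ""
    if body[0] in ("tcp", "udp"):  # static PAT: 8.3 lists the real port, then the mapped port
        proto, mapped, mport, real, rport = body
        svc = f" service {proto} {PORT_NAMES.get(rport, rport)} {PORT_NAMES.get(mport, mport)}"
    else:
        mapped, real = body
    if mask == "255.255.255.255":  # single host: object NAT inside the real object
        return [f"object network obj-{real}", f" host {real}",
                f" nat ({real_if},{mapped_if}) static {mapped}{svc}"]
    # whole subnet (identity NAT included): twice NAT between network objects
    out = [f"object network obj-{real}", f" subnet {real} {mask}"]
    if mapped != real:
        out += [f"object network obj-{mapped}", f" subnet {mapped} {mask}"]
    return out + [f"nat ({real_if},{mapped_if}) source static obj-{real} obj-{mapped}"]


def convert(lines):
    """Return the 8.3+ lines equivalent to a list of pre-8.3 NAT lines."""
    out, pools, dyn = [], defaultdict(list), []  # pools: nat-id -> [(iface, mapped)]
    for line in lines:
        t = line.split()
        if not t:
            continue
        if t[0] == "static" and "access-list" not in t:
            out += convert_static(t)
        elif t[0] == "global" and "-" not in t[3]:  # global (outside) 1 <ip>|interface
            pools[t[2]].append((t[1].strip("()"), t[3]))
        elif t[0] == "nat" and len(t) == 5 and t[3] != "access-list":  # nat (inside) 1 <net> <mask>
            dyn.append((t[1].strip("()"), t[2], t[3], t[4]))
        else:  # policy NAT, outside NAT, PAT pool ranges: hand-convert rather than guess
            raise ValueError(f"unsupported pre-8.3 line: {line}")
    for real_if, nat_id, ip, mask in dyn:  # one network object per nat/global pairing
        for i, (mapped_if, mapped) in enumerate(pools[nat_id]):
            name = ("obj_any" if ip in ("0", "0.0.0.0") else f"obj-{ip}") + (f"-{i:02d}" if i else "")
            subnet = "0.0.0.0 0.0.0.0" if ip in ("0", "0.0.0.0") else f"{ip} {mask}"
            out += [f"object network {name}", f" subnet {subnet}",
                    f" nat ({real_if},{mapped_if}) dynamic {mapped}"]
    return out
```

Diffing this output against the NAT section the ASA produced on upgrade is a quick way to spot a rule the auto-conversion rendered differently from what you expected.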

Hi, thanks.

I have a problem regarding NAT; below is the link to the discussion. Please review it and suggest the solution.

https://supportforums.cisco.com/discussion/12479686/nat-91

Thanks
