ASA 8.0 configuration migration to 8.6 new ASA

Ali Koussan
Level 1

Hi
I have an old ASA with an 8.0 configuration that includes a huge number of ACLs, NAT rules and VPNs. We got a new ASA with 8.6, and we are planning to move the configuration to the new box. I'm wondering what the best approach is; I'm thinking of one of the following scenarios:

1- Downgrade the new ASA to 8.3, then apply the config, remove the identity NAT commands and names, then upgrade to 8.6 and after that reconfigure the NAT rules and object groups.

2- Convert the old config manually to 8.6 code, including NAT, object-groups and ACLs, and apply it to the new ASA (this is going to be a huge task).

Any suggestion for a better way of doing it? What are the commands that I have to look at when I convert to 8.6, and will the VPN configuration be affected?

Any idea will be helpful...

Thanks
Ali

Sent from Cisco Technical Support iPad App

1 Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I guess you are getting a new ASA 5500-X series firewall since you mention the 8.6 software.

To my understanding, 8.6 is the lowest software level for the new ASA 5500-X series and cannot be downgraded to 8.3 or even lower.

Even though converting the configurations manually might be a chore at the start, I would still always recommend that anyone do the conversion by hand. You will get used to the new NAT and ACL configurations better and probably make fewer mistakes when the actual ASA is in production.

The amount of work you have to do mostly depends on the amount of NAT/ACL configuration and ALSO how well you have done it so far. If you for example have done a lot of complicated NAT configurations, you will naturally have more to take into consideration when writing the new configurations.

The main things for the new software when rewriting old configurations are:

  • NAT configurations
    • Obviously the largest change
  • ACLs (most changes related to the "outside" interface ACL)
    • You always open traffic towards the real IP instead of the NAT IP, unlike in the 8.2 and below software
  • Some minor changes to the VPN configuration format (some parameters added or parameters have different names)
    • "ikev1" in Crypto Policies, Transform Sets, Pre-shared-keys

Here is a link to a document on these forums that compares the old and new NAT configuration formats:

https://supportforums.cisco.com/docs/DOC-9129

- Jouni


Hi Jouni

Thanks for the advice.

I have lots of ACLs configured with names. Shall I remove the names from the old ASA, then take the ACLs to the new ASA, then configure the object groups? I think this will make the ACL config easier on the new ASA.

For the NAT, most of it is static, so I will convert it manually, but I'm worried about the NAT 0 used for VPN. The interesting traffic ACL includes many lines, and as per the new code I have to make a separate object group for each line. Is there any better way of dealing with the NAT 0 conversion?

Appreciating your advice.

Sent from Cisco Technical Support iPad App

Hi,

You should be able to disable the use of "name" configurations on the ASA (while leaving the actual name/IP pairing configurations on the ASA). After that the ACL should show up only with object-groups and actual IP addresses/network addresses.

If you want to keep using the "name" configurations in the new software, notice that at least in the "outside" ACL your destination IP addresses (your local servers) will be with their private IP address. So there are bound to be changes to the "name" configurations if you have previously used the "name" configuration for a public IP address.

A question regarding the NAT0 configurations:

  • Do you only have NAT0 configurations for VPN Client or L2L VPN connections? Or is there some NAT0 configuration between your local ASA interfaces? Or is it just between "inside" -> "outside"?

I guess if you want you could copy/paste your NAT0 configurations (nat commands and ACLs) here and I could take a look at them for you and help if I can.

- Jouni

Hi Jouni,

I have only the following NAT configuration, in addition to many static NATs:

global (outside) 1 interface
nat (inside) 1 172.16.1.80 255.255.255.255
nat (inside) 0 access-list no_nat_vpntraffic
nat (DMZ) 0 Ironmail 255.255.255.255
access-list no_nat_vpntraffic extended permit ip host Citrix object-group Citrix_India
...

(the no_nat_vpntraffic ACL has around 25 lines)

Any suggestion will help.

Thanks.

Hi,

I don't know what the setup is when you have only one "global" rule and only one host address defined in the "nat" statement.

NAT/PAT Configuration

object network PAT-SOURCE
 host 172.16.1.80
nat (inside,outside) after-auto source dynamic PAT-SOURCE interface

DMZ NAT Configuration

  • It seems that you are not NATing the host "Ironmail".
  • Therefore, if there truly is no NAT rule on your firewall at the moment that would match the source IP address of the "Ironmail" host, then you simply don't need ANY nat configuration. It will pass the ASA without any translation.

NAT0 / NAT Exempt Configuration

  • As you don't provide a full ACL with IPs/Networks, I can't give you a specific answer.
  • At this point I will only give you a simple example of how a single NAT0 configuration could look.
  • Whether you can combine the existing NAT0 ACL into fewer NAT statements depends, I guess, on the whole setup currently on the ASA.
  • Object names below could be simpler/shorter. They are there just to illustrate the purpose of the "object" in question.

object network SINGLE-SOURCE-FOR-NAT0
 subnet <network> <mask>
 OR
 host <ip-address>
object network SINGLE-DESTINATION-FOR-NAT0
 subnet <network> <mask>
 OR
 host <ip-address>
nat (source-interface,destination-interface) source static SINGLE-SOURCE-FOR-NAT0 SINGLE-SOURCE-FOR-NAT0 destination static SINGLE-DESTINATION-FOR-NAT0 SINGLE-DESTINATION-FOR-NAT0

Basic 1:1 Static NAT Configuration

object network STATIC
 host <real-ip>
 nat (source-interface,destination-interface) static <mapped-ip> dns

- Jouni
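Ali's worry above is a 25-line NAT exempt ACL, and Jouni's example shows the per-line 8.3+ shape it turns into. The Python script below is an added example, not code from either poster or from Cisco: it generates that shape (one network object per distinct host/subnet, one twice-NAT statement per ACE) for every `permit ip` line of a `nat (ifc) 0 access-list NAME` statement, so the 25 lines can be produced mechanically and then reviewed. The sample config is constructed; the mapped interface `outside` is an assumption, because the pre-8.3 command named no egress interface, and the ACL-less `nat (DMZ) 0 Ironmail ...` form and `any` terms are deliberately refused so they get a human decision.

```python
import re
from ipaddress import IPv4Network

# Constructed sample in the shape of the config quoted above; addresses are hypothetical
# and Citrix_India stands for an object-group that already exists on the ASA.
OLD_CONFIG = """\
nat (inside) 0 access-list no_nat_vpntraffic
access-list no_nat_vpntraffic extended permit ip host 10.1.1.5 object-group Citrix_India
access-list no_nat_vpntraffic extended permit ip 10.1.2.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list no_nat_vpntraffic extended permit ip host 10.1.1.5 host 192.168.60.7
"""

def take_address(tokens, objects):
    """Consume one ACL address term (registering a network object if needed); return (name, rest)."""
    kind = tokens[0]
    if kind == "object-group":              # 8.3+ twice NAT accepts an existing object-group as-is
        return tokens[1], tokens[2:]
    if kind == "host":
        name = "H-" + tokens[1].replace(".", "-")
        objects.setdefault(name, f"object network {name}\n host {tokens[1]}")
        return name, tokens[2:]
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", kind):      # "network mask" pair
        net = IPv4Network((kind, tokens[1]))            # also rejects a bad mask
        name = f"N-{net.network_address}-{net.prefixlen}".replace(".", "-")
        objects.setdefault(name, f"object network {name}\n subnet {kind} {tokens[1]}")
        return name, tokens[2:]
    raise ValueError(f"unsupported address term {kind!r} (e.g. 'any'): convert this ACE by hand")

def convert_nat0(old_config, mapped_ifc="outside"):
    """Emit 8.3+ objects and twice NAT for each 'nat (ifc) 0 access-list NAME'; mapped_ifc is assumed."""
    lines = [ln.strip() for ln in old_config.splitlines() if ln.strip()]
    objects, nat_rules = {}, []
    for line in lines:
        m = re.fullmatch(r"nat \((\S+)\) 0 access-list (\S+)", line)
        if not m:
            continue
        real_ifc, acl = m.groups()
        for ace in lines:
            t = ace.split()
            if t[:2] != ["access-list", acl]:
                continue
            if t[2:5] != ["extended", "permit", "ip"]:   # port-specific ACEs need manual review
                raise ValueError(f"only 'permit ip' ACEs are converted here: {ace}")
            src, rest = take_address(t[5:], objects)
            dst, rest = take_address(rest, objects)
            if rest:
                raise ValueError(f"trailing tokens in ACE: {ace}")
            nat_rules.append(f"nat ({real_ifc},{mapped_ifc}) source static {src} {src} "
                             f"destination static {dst} {dst}")
    return "\n".join([*objects.values(), *nat_rules])
```

Print `convert_nat0(OLD_CONFIG)` to see the generated objects followed by the three twice-NAT lines; objects are emitted once even when a host appears in several ACEs.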
