08-12-2018 01:37 AM - edited 02-21-2020 08:05 AM
Hi All,
I am working on an ASA 8.0(3) to 8.4(5) upgrade and have the following question on exempt NAT conversion. I did the upgrade and am getting the following result, and I am not sure about it.
Or should I remove any any from the ACL and then do the upgrade?
Or is there any manual fix for it, as there is no subnet requirement in the ACL (just any any)?
Or will this work as the pre-upgrade function did?
########################## 8.0 ################################
!
name 10.111.2.0 network-TEST-1 description TEST-1
!
interface GigabitEthernet0/0.55
 description Interconnect to VPN Network (VRF)
 vlan 55
 nameif TEST-1
 security-level 100
 ip address 10.111.2.30 255.255.255.248
 ospf cost 10
!
network-object network-TEST-1 255.255.255.0
!
access-list TEST-1_nat0_outbound extended permit ip any any
!
nat (TEST-1) 0 access-list TEST-1_nat0_outbound
!
!
access-list TEST-1_ACCESS_in remark Allow access to Splunk server on PCN
access-list TEST-1_ACCESS_in extended permit tcp any host host-pcn-splunk eq xxxx
access-list TEST-1_ACCESS_in extended permit ip any any
!
access-group TEST-1_ACCESS_in in interface TEST-1
!
####################### 8.4 #############################################
interface GigabitEthernet0/0.55
 description Interconnect to VPN Network (VRF)
 vlan 55
 nameif TEST-1
 security-level 100
 ip address 10.111.2.30 255.255.255.248
 ospf cost 10
!
access-list TEST-1_nat0_outbound extended permit ip any any
!
nat (TEST-1,Internal) source static any any no-proxy-arp route-lookup
nat (TEST-1,MEL-PI-SY-SERVER-LAN) source static any any no-proxy-arp route-lookup
nat (TEST-1,PI-SY-SERVER-VRF) source static any any no-proxy-arp route-lookup
nat (TEST-1,TEST-1) source static any any no-proxy-arp route-lookup
nat (TEST-1,LAN_Secure) source static any any no-proxy-arp route-lookup
nat (TEST-1,LAN_Eng) source static any any no-proxy-arp route-lookup
nat (TEST-1,LAN_Callcentre) source static any any no-proxy-arp route-lookup
nat (TEST-1,LAN_ServerNET) source static any any no-proxy-arp route-lookup
nat (TEST-1,LAN_Backup) source static any any no-proxy-arp route-lookup
nat (TEST-1,LAN_RSAauth) source static any any no-proxy-arp route-lookup
nat (TEST-1,LAN_Mgmt) source static any any no-proxy-arp route-lookup
nat (TEST-1,LAN_Reg) source static any any no-proxy-arp route-lookup
nat (TEST-1,OUT) source static any any no-proxy-arp route-lookup
nat (TEST-1,Mgmt) source static any any no-proxy-arp route-lookup
!
!
access-list TEST-1_ACCESS_in remark Allow access to Splunk server
access-list TEST-1_ACCESS_in extended permit tcp any host host-pcn-splunk eq xxxx
access-list TEST-1_ACCESS_in extended permit ip any any
!
access-group TEST-1_ACCESS_in in interface TEST-1
!
######################################################################
08-12-2018 02:00 AM
08-12-2018 02:10 AM
Thanks Mohammed :)
Does it mean it will work as expected? (It won't do address translation for any IP address for the mapped interface.)
Does it require, as pre-upgrade, NAT 0, or will exempt NAT/no NAT not do address translation?
08-12-2018 04:03 AM