ASA 8.2 to 8.6 Need some help!

bsoth
Level 1

We have the ASA 5510 v8.2. We are now migrating to the 5515. I had a few questions in hopes someone out there can help me understand this:

We have a 5515 Sec Plus firewall. Is this the same as the 5515-X? I see nothing in the sh ver that indicates this is an X version. I also see no mention of a non-X 5515 firewall. At this point I have to assume that the 5515 is inclusive of the "Next-Gen" class. Am I correct?

Second: NAT differences:

From what I knew about NAT in the 8.2 and below ASA, a global NAT entry like this:

global (outside) 1 interface

would mean NAT anything on the inside network and PAT it to the IP address of the outside interface. The 1 in there is a reference to something like a priority, or just a simple reference for an ACL?

nat 0 means it's not to be NAT'd.

Anything higher than 0 is used as a reference. So my question is this:

If I have a NAT entry like this:

nat (inside) 4 access-list inside_nat_outbound

would this be used in this global NAT entry: global (outside) 4 xx.xx.xx.xx netmask xx.xx.xx.xx?

Just trying to get the 2 straight in my head.

Thanks!

3 Replies

jpeterson6
Level 2

ASA 55x5 models are all "X" models (5515X, 5525X, etc).

NAT syntax is COMPLETELY different now in 8.3+ versions. The documentation that I initially used to start learning is

https://supportforums.cisco.com/docs/DOC-12690

It would be much faster for you to read that than it would be to come up with an understandable explanation for you here, but I'll answer any questions you have after reading it.

Hope that helps.

Thanks. I was merely looking for an explanation of the old global command as I need to fully understand all the NATting that has to happen in the new firewall. I'm a new employee walking into this and I see what I think are discrepancies that no one here can confirm... so I am reaching out to see if I can get help in understanding this a bit more. I have seen a few useful docs, including this one.

If you look at this:

nat (inside) 1 10.1.1.0 255.255.255.0

global (outside) 1 209.165.201.254

I just want to know for sure that the first line is the ACL that is referenced by 1 (basically defines the inside source subnet).

I see a global command like this in my 8.2 FW:

global (outside) 3  netmask 255.0.0.0

I don't see any ACL that is referencing 3 anywhere. Can I assume that it's not in use?

The "3" in "global (outside) 3" doesn't reference an ACL. It's simply an arbitrary number used to group the globals with the nats. It's NOT to be considered a priority, either. The group "1" has no priority over "2".

That's the purpose of the "1" in your example above.

So...

nat (inside) 1 10.1.1.0 255.255.255.0

global (outside) 1 209.165.201.254

Means that the local/real IPs from the 'inside' interface translate from 10.1.1.0/24 to 209.165.201.254 when they are NAT'd to the 'outside' interface.
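An added example, not from this thread and not Cisco's code: a small Python script that does the grouping jpeterson6 describes over an 8.2-style configuration. It pairs nat and global statements by their shared number (treating that number purely as a grouping key, not a priority or an ACL id), treats nat 0 as "no translation", and lists any global whose number no nat statement uses, which is the "global (outside) 3" situation the poster asks about. The sample config, the addresses in it (documentation ranges) and all function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of a pre-8.3 ASA config in the nat/global style the thread
# discusses. Addresses are documentation ranges; this is not the poster's config.
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat_outbound extended permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 4 access-list inside_nat_outbound
global (outside) 1 209.165.201.254
global (dmz) 1 interface
global (outside) 4 203.0.113.10 netmask 255.255.255.255
global (outside) 3 198.51.100.1-198.51.100.20 netmask 255.255.255.0
"""

NAT_RE = re.compile(r"^nat \((?P<iface>[^)]+)\) (?P<id>\d+) (?P<src>.+)$")
GLOBAL_RE = re.compile(r"^global \((?P<iface>[^)]+)\) (?P<id>\d+)(?: (?P<mapped>.+))?$")


def classify_global(mapped):
    """Describe what a global's mapped-address field does (pre-8.3 semantics)."""
    if not mapped:
        return "no mapped address (unparsed)"
    first = mapped.split()[0]
    if first == "interface":
        return "PAT to egress interface address"
    if "-" in first:
        return "dynamic pool " + first
    return "PAT to " + first


def parse_nat_config(text):
    """Group nat and global statements by their shared nat-id.

    Returns two dicts: nat_id -> list of nat entries, nat_id -> list of globals.
    The id is only a grouping key: no priority and no ACL number.
    """
    nats, globs = defaultdict(list), defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nats[int(m["id"])].append({"iface": m["iface"], "src": m["src"]})
        elif m := GLOBAL_RE.match(line):
            mapped = m["mapped"] or ""
            globs[int(m["id"])].append(
                {"iface": m["iface"], "mapped": mapped, "kind": classify_global(mapped)}
            )
    return dict(nats), dict(globs)


def audit_nat_ids(text):
    """Report paired ids, globals nobody refers to, and nats with no global."""
    nats, globs = parse_nat_config(text)
    report = {"exempt": [], "paired": {}, "orphan_global": [], "nat_without_global": []}
    for nat_id, entries in sorted(nats.items()):
        if nat_id == 0:
            # nat 0: traffic is not translated, so no global is expected for it
            report["exempt"].extend(e["src"] for e in entries)
        elif nat_id in globs:
            report["paired"][nat_id] = {"nat": entries, "global": globs[nat_id]}
        else:
            report["nat_without_global"].append(nat_id)
    # globals whose number no nat statement uses: candidates for "not in use"
    report["orphan_global"] = sorted(i for i in globs if i not in nats and i != 0)
    return report


def describe_pair(nat_id, report):
    """Plain-English rendering of one nat/global pair, in the thread's wording."""
    pair = report["paired"][nat_id]
    lines = []
    for n in pair["nat"]:
        for g in pair["global"]:
            lines.append(
                f"real hosts {n['src']} on '{n['iface']}' -> {g['kind']} "
                f"when leaving via '{g['iface']}'"
            )
    return lines


if __name__ == "__main__":
    rep = audit_nat_ids(SAMPLE_CONFIG)
    for nat_id in rep["paired"]:
        for s in describe_pair(nat_id, rep):
            print(f"id {nat_id}: {s}")
    print("nat 0 (no translation):", rep["exempt"])
    print("global ids with no nat statement (likely unused):", rep["orphan_global"])
    print("nat ids with no global (no translation path):", rep["nat_without_global"])
```

Run it against a saved `show running-config` from an 8.2 box instead of the sample: every id listed under orphan globals is one you can question before the migration, and every paired id gives you a sentence of the form used in the reply above ("real hosts X on inside translate to Y on outside") to carry over into the 8.3+ object NAT.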
