ASA 8.3(2)

eudechime (Level 1)

I have an ASA 5520 running 8.3.2 with the following interfaces. All that I need is the best practice so that hosts in each network can communicate with the other networks and vice versa. I want the networks to communicate bidirectionally with each other, and the users in the internal network to be able to reach all the networks. No port restriction at this point, and all communication is network based, not specific servers or users, for testing purposes.

                    | 10.10.21.0/24 network
                    |
  Outside           |
  level 0           |
                    | 10.10.20.5/24          level 75  Internal         Internal network
                    +--------------------- 10.10.25.6/24 ------------ 192.168.50.0/24
                    | 192.168.46.5/24
  Inside            |
  level 100         |
                    |
                    | 192.168.26.0/24

interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 10.10.20.5 255.255.255.0
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.46.5 255.255.255.0
!
interface GigabitEthernet0/2
 nameif Internal
 ip address 10.10.25.6 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 10.10.20.4
route Outside 10.10.21.0 255.255.255.0 10.10.21.4
route Internal 192.168.50.0 255.255.255.0 192.168.50.4

What is the best practice to create generic communication between the networks, NAT exempt or manual NAT? Something like:

object network <inside-object>
 subnet 192.168.46.0 255.255.255.0
object network <destination-object>
 subnet 10.10.20.0 255.255.255.0

nat (any,any) source static inside inside destination static Outside Outside

nat (<source interface>,<destination interface>) source static <inside-object> <inside-object> destination static <destination-object> <destination-object>

object network <Outside-object>
 subnet 10.10.20.0 255.255.255.0
object network <destination-object>
 subnet 192.168.46.0 255.255.255.0

nat (any,any) source static Outside Outside destination static inside inside

nat (<source interface>,<destination interface>) source static <Outside-object> <Outside-object> destination static <destination-object> <destination-object>


jumora (Level 7)

You actually don't need NAT; on OS version 8.3 or prior, NAT control does not exist.

enable
configure terminal
clear configure nat

Routing between interfaces would be based on security levels, so for traffic to route from a higher security level interface to a lower security level interface there is an implicit allow and from lower security interface to higher there is an implicit deny.

If you are not filtering any traffic, all you need to configure are the following rules:

access-list internal permit ip any any
access-group internal in interface Internal

access-list outside permit ip any any
access-group outside in interface Outside

Make sure that you configure the security level on the interface that you named Internal to the security level that you placed on the diagram (security-level 75).

Value our effort and rate the assistance!
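For the topology in the question, this is what the two choices from the thread look like when put together on 8.3: the "NAT exempt" of earlier releases becomes an identity twice-NAT rule (source and destination translated to themselves), and the permit-any ACLs are the ones jumora describes. This is an added example, not configuration from the thread or from Cisco; object and ACL names and the Internal security level (75, from the diagram) are assumptions.

```cisco
! Added example (not from the thread). Interface names and subnets come
! from the question; object/ACL names and security-level 75 are assumed.
interface GigabitEthernet0/2
 nameif Internal
 security-level 75
 ip address 10.10.25.6 255.255.255.0
!
object network NET-INSIDE
 subnet 192.168.46.0 255.255.255.0
object network NET-INSIDE-26
 subnet 192.168.26.0 255.255.255.0
object network NET-OUTSIDE
 subnet 10.10.20.0 255.255.255.0
object network NET-OUTSIDE-21
 subnet 10.10.21.0 255.255.255.0
object network NET-INTERNAL
 subnet 10.10.25.0 255.255.255.0
object network NET-INTERNAL-50
 subnet 192.168.50.0 255.255.255.0
!
object-group network ALL-LOCAL-NETS
 network-object object NET-INSIDE
 network-object object NET-INSIDE-26
 network-object object NET-OUTSIDE
 network-object object NET-OUTSIDE-21
 network-object object NET-INTERNAL
 network-object object NET-INTERNAL-50
!
! Identity twice NAT (the 8.3 replacement for "nat 0 access-list"):
! every local network maps to itself in both directions, so no address
! is changed between any pair of interfaces. With nat-control gone in 8.3
! this rule only matters once other NAT rules (e.g. a dynamic PAT for
! Internet access) exist; it keeps inter-network traffic out of them.
nat (any,any) source static ALL-LOCAL-NETS ALL-LOCAL-NETS destination static ALL-LOCAL-NETS ALL-LOCAL-NETS
!
! Lower-to-higher security traffic is denied by default, so the Outside
! and Internal interfaces need an inbound ACL. "permit ip any any" matches
! the "no port restriction" test setup in the question; the Outside ACL in
! particular should be narrowed to the required flows before production.
access-list Internal_in extended permit ip any any
access-group Internal_in in interface Internal
access-list Outside_in extended permit ip any any
access-group Outside_in in interface Outside
```

Verify with `show nat` (hit counts per rule) and `packet-tracer input Outside tcp 10.10.21.10 1025 192.168.46.10 80`, which walks the ACL and NAT phases for a sample flow.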


Hi Jumora,

I was trying to do something different in case I want to NAT traffic on 8.3.2, but you pointed me in the right direction that there is no NAT feature on version 8.3. I am still researching how I can NAT, if I want to, on version 8.3.

Here are NAT configuration examples on 8.3:

https://supportforums.cisco.com/docs/DOC-9129

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html#wp1074591

Let me know if you still need any assistance or you need to clear out any doubts.


Hello Eudechime,

I talk about 8.3, the migration, the best practices before and after the upgrade, the changes to the configuration (NAT, ACL), new features, etc., in one of my blog posts.

Take a look at it and then try to build your NAT statement.

Afterwards, post it here and we will make it right for you (if needed).

http://www.laguiadelnetworking.com/asa-8-3-upgrade-new-features-known-issues-best-practicesetc/

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
