Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
829
Views
0
Helpful
6
Replies

ASA 8.3(2)

eudechime
Level 1
Level 1

‎11-04-2013 09:13 PM - edited ‎03-11-2019 08:00 PM

I have ASA 5520 running 8.3.2 with the following interfaces. All that I need is the best practice so that host in each network can communicate to other networks vise-versa. I want the networks to communicate bidirectional to each other. And the users in the internal network be able to reach all the networks. No port restriction at this point and all communication is network based not specific server or users for testing purposes.

                                          | 10.10.21.0/24 network

                                          |

      level 0  Outside              |      

                                          |

                                          | 10.10.20.5/24             level 75    Inter               Internal network

                                          --------------------------- 10.10.25.6/24 ---------- 192.168.50.0/24

                                          |192.168.46.5/24

          Inside Level 100        |

                                          |

                                          |

                                          | 192.168.26.0/24

 

int g0/0

Nameif Outside

security level 0

Ip adress 10.10.20.5/24

Int g0/1

Nameif Inside

security level 100

IP address 192.168.46.5/24

Int g0/2

nameif Internal

Ip address 10.10.25.6/24

route 0 0 10.10.20.4

route 10.10.21.0 255.255.255.0 10.10.21.4

route 192.168.50.0 255.255.255.0 192.168.50.4

What is the best practice to create a generic communication between the networks, Nat exempt or Manual NAT?:

object network <inside-object>

subnet 192.168.46.0 255.255.255.0

object network <destination-object>

subnet 10.10.20.0 255.255.255.0

nat (any,any) source static inside inside destination static Outside Outside

nat (<source interface>,<destination interface>) source static <inside-object> <inside-object> destination <destination-object> <destination-object>

object network <Outside-object>

subnet 10.10.20.0 255.255.255.0192

object network <destination-object>

subnet 192.168.46.0 255.255.255.0

nat (any,any) source static Outside Outside destination static inside inside

nat (<source interface>,<destination interface>) source static <inside-object> <inside-object> destination <destination-object> <destination-object>

Labels:
0 Helpful
6 Replies 6

jumora
Level 7
Level 7

‎11-04-2013 09:54 PM

You actually don´t need NAT, on OS version 8.3 or prior NAT control does not exist.

enable

config t

Clear config NAT

Routing between interfaces would be based on security levels, so for traffic to route from a higher security level interface to a lower security level interface there is an implicit allow and from lower security interface to higher there is an implicit deny.

If you are not filtering any traffic all you need to configure are the next rules:

access-list internal permit ip any any

access-group internal in interface Internal

access-list outside permit ip any any

access-group outside in interface outside

Make sure that you configure the security level on the interface that you named Internal to the security level that you placed on the diagram (security-level 75).

Value our effort and rate the assistance!
0 Helpful

jumora
Level 7
Level 7
In response to jumora

‎11-06-2013 03:52 PM

Do you still need assistance?

Please rate the assistance.

Value our effort and rate the assistance!
0 Helpful

eudechime
Level 1
Level 1
In response to jumora

‎11-07-2013 07:11 AM

Hi Jumora,

I was trying to do something different in case I want to NAT traffic on 8.3.2, but you pointed me to the right direction that no NAT feature on 8.3 version. I am still researching on how I can NAT if I want to on version 8.3.

0 Helpful

jumora
Level 7
Level 7
In response to eudechime

‎11-07-2013 11:18 AM

Here are NAT configuration examples on 8.3:

https://supportforums.cisco.com/docs/DOC-9129

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html#wp1074591

Let me know if you still need any assistance or you need to clear out any doubts.

Value our effort and rate the assistance!
0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to eudechime

‎11-07-2013 04:45 PM

Hello Eudechime,

I talk about 8.3, the migration, the best practices before and after the upgrade, the changes on the configuration (NAT, ACL) , new features, etc, on one of my blog posts.

Take a look at it and then try to build your NAT statement.

Afterwards put it here that we will make it rigth for you (If needed)

http://www.laguiadelnetworking.com/asa-8-3-upgrade-new-features-known-issues-best-practicesetc/

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

jumora
Level 7
Level 7
In response to Julio Carvajal

‎11-09-2013 09:29 PM

Please rate our assistance.

Value our effort and rate the assistance!
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card