ASA FW Conversion question

jcockburn (Level 1)

Hi All,

I know there are a couple of things that change when you upgrade from 8.2 to anything above 8.2.

My question:

Is it really necessary to convert the nat 0 stuff?

My thoughts are that post 8.2 nothing is NAT'ed by default (NAT is not necessary), so if the routing is correct and there is an appropriate ACL, traffic will flow. If I understand correctly, nat0 was used to circumvent nat-control in the old days, because a NAT entry was necessary for the connection to be allowed.

So what am I missing here?

Can I ignore the nat0 stuff?

Please advise.

Ciao

JC

4 Replies

Pulkit Saxena (Cisco Employee), accepted solution

Hi JC,

When you upgrade from 8.2 to anything higher, NAT and ACL changes are important. Whatever you mentioned about (NAT 0) or nat exempt is pretty much correct because of the NAT control feature on old code.

However, (NAT 0) is also used for vpn traffic and that will be there on new codes as well.

Cisco always recommends performing the upgrade on the box itself to the new version, as it automatically converts the configuration for you and also provides the upgrade errors, which one can look into and correct if required.

Let me know if you have any further query.

-

Pulkit

Hi Guys,

Thanks for the quick replies.

I agree with your responses.

Some points for comment please

I see when you do the 'wizard' upgrade from 8.2 to 8.3 the wizard (as well as the FW conversion tool on fwm.cisco.com) creates a lot of 'any' objects (any, any-01, any-02 etc.) and object NATs, which actually screws up the operation of some connections. In our lab I have removed those and their nat statements and the connections seem to be OK.

I agree with the VPN stuff, and you need to create NATs for any remote access VPN stuff.

Ciao

JC

Hi JC,

I do agree that a few extra statements are created, but not necessarily ones which are not required. If you have manually taken care of that, nothing better than that.

Yes, as per your requirement, you will need NAT for VPN and RAVPN.

-

Pulkit

James Leinweber (Level 4), accepted solution

The big changes are NAT at 8.3 and v4/v6 ACL unification at 9.0.

If you have existing 8.2 nat stuff, the nat0 things probably should be translated to "phase I" twice NAT style, and any actual mappings to phase II object network NAT style.

If you have existing separate v6 access lists, as of 9.0 the keywords are "any4" for v4 any, "any6" for v6 any, and "any" for dual-stack v4+v6 in your new unified lists.

I endorse all of Mr. Saxena's advice.

-- Jim Leinweber, WI State Lab of Hygiene
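The translation Jim describes (nat 0 exemptions into section 1 manual/twice NAT, real mappings into section 2 object NAT) and Pulkit's point that the VPN exemptions must survive the upgrade, as an added example that is not part of the thread and is not Cisco's upgrade wizard or the fwm.cisco.com conversion tool: a small Python script that rewrites a constructed 8.2-style snippet into 8.3+ syntax. The sample input, the object names (NET-..., HOST-..., obj_any, the last chosen to mirror the 'any' objects JC saw the wizard create) and the script are my own; it only handles `nat 0 access-list`, `nat`/`global ... interface` dynamic PAT and host `static` lines, and refuses a real address that would need two object NAT rules, because ASA allows one `nat` per object and the second rule has to become manual NAT.

```python
"""Rewrite 8.2-era ASA NAT into 8.3+ syntax (added illustration, not Cisco's tool)."""
import ipaddress
from collections import OrderedDict

# Constructed 8.2-style snippet: a NONAT exemption (typical for site-to-site and
# remote-access VPN subnets), interface PAT for everything else, one static.
SAMPLE_82 = """\
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 host 172.16.5.5
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
"""


def _addr(tokens, i):
    """Consume one address spec ('host A' or 'NET MASK') at tokens[i]; return (network, next)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def obj_name(net):
    """Object naming is an assumption of this script, not the wizard's scheme."""
    if net.prefixlen == 0:
        return "obj_any"
    if net.prefixlen == 32:
        return f"HOST-{net.network_address}"
    return f"NET-{net.network_address}_{net.prefixlen}"


def obj_block(net):
    body = (f" host {net.network_address}" if net.prefixlen == 32
            else f" subnet {net.network_address} {net.netmask}")
    return [f"object network {obj_name(net)}", body]


def parse_82(text):
    """Collect ACL entries, nat 0 exemptions, dynamic nat ids, globals and statics."""
    acls, exempt, dyn, glob, statics = {}, [], {}, {}, []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            src, i = _addr(t, 5)
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat":
            ifc = t[1].strip("()")
            if t[2] == "0" and t[3] == "access-list":
                exempt.append((ifc, t[4]))
            elif t[2] != "0":
                dyn.setdefault(t[2], []).append((ifc, _addr(t, 3)[0]))
        elif t[0] == "global":
            glob[t[2]] = (t[1].strip("()"), t[3])      # nat id -> (mapped ifc, pool)
        elif t[0] == "static":
            inn, out = t[1].strip("()").split(",")
            statics.append((inn, out, t[2], ipaddress.ip_network(f"{t[3]}/{t[5]}", strict=False)))
    return acls, exempt, dyn, glob, statics


def convert(text):
    """Return 8.3+ config lines: object definitions (with object NAT) then manual NAT."""
    acls, exempt, dyn, glob, statics = parse_82(text)
    objects = OrderedDict()

    def need(net):
        return objects.setdefault(obj_name(net), obj_block(net)) and obj_name(net)

    def attach(name, nat_line):
        # Object NAT permits a single nat statement per object; a second mapping
        # of the same real address must be written as manual NAT instead.
        if any(l.startswith(" nat ") for l in objects[name]):
            raise ValueError(f"{name} already has an object NAT rule; use manual NAT for the extra one")
        objects[name].append(nat_line)

    manual = []
    # nat 0 access-list -> identity twice NAT in section 1. The mapped interface is
    # 'any' because 8.2 nat 0 never named the egress interface.
    for ifc, acl in exempt:
        for src, dst in acls.get(acl, []):
            s, d = need(src), need(dst)
            manual.append(f"nat ({ifc},any) source static {s} {s} destination static {d} {d}")
    # static -> object NAT (section 2)
    for inn, out, mapped, real in statics:
        attach(need(real), f" nat ({inn},{out}) static {mapped}")
    # nat <id> + global <id> interface -> object NAT dynamic PAT (section 2)
    for nat_id, entries in dyn.items():
        out_ifc, pool = glob[nat_id]
        if pool != "interface":
            raise NotImplementedError("address pools need a range object; only 'interface' PAT is handled")
        for ifc, net in entries:
            attach(need(net), f" nat ({ifc},{out_ifc}) dynamic {pool}")
    lines = [l for block in objects.values() for l in block]
    return lines + manual


if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_82)))
```

The identity rules must come out as manual NAT because section 1 is matched before object NAT: without them the obj_any dynamic PAT in section 2 would translate traffic bound for the 192.168.1.0/24 and 172.16.5.5 VPN peers, which is exactly the breakage Pulkit warns about. Use the output as a reference to diff against what the on-box upgrade produced, not as a replacement for it; the ACL side (any4/any6 at 9.0) is not touched here.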
