ASA NAT 8.2 to 8.6 migration

farooq.khan
Level 1

Hi guys,

I need a little guidance, or pointing in the right direction. We have upgraded from 8.2 to 8.6 and I am having a little issue in changing the NAT syntax. The firewall with 8.2 has a few exemption rules configured; below is my config on 8.6 for exempting VPN traffic for both sides.

8.6 code

(inside) to (outside) source static obj192.168.1.0 obj192.168.1.0   destination static ENVISAGE ENVISAGE

    translate_hits = 0, untranslate_hits = 0

    Source - Origin: 192.168.1.0/16, Translated: 192.168.1.0/16

    Destination - Origin: 10.204.0.0/16, Translated: 10.204.0.0/16

The rule below on 8.6 I have used for exemption if any traffic from inside is destined for the 10.104.0.0 subnet.

(inside) to (any) source static any any   destination static NET-10.104.100.0 NET-10.104.100.0

    translate_hits = 0, untranslate_hits = 0

    Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0

    Destination - Origin: 10.104.100.0/26, Translated: 10.104.100.0/26

I am sure the syntax is right, but it is worth double checking.

Also, I can't figure out what the code is for dynamic policy NAT.

The scenario is that I have a rule configured so that if traffic is coming from inside (a specified subnet) and going to a destination (a specified subnet, let's say B), it uses the outside interface public IP.

Source A on inside going to source B should use the public IP address. Since source B is multiple subnets, some kind of access rule needs to be defined and then linked with NAT. I have a dynamic NAT rule configured in 8.2 on the inside interface with source any, destination not specified, and in the translated section the interface is inside and the address is inside too. Not sure how I am going to achieve the same in 8.6. In 8.2 an inside name pool exists too. Any help? Cheers

Accepted Solution

Hi,

Well, with Dynamic and Static you can think of the 8.2 format.

You used "global" and "nat" for Dynamic translations where, for example, you translated multiple addresses only to a single IP address or a pool of addresses. So you use the "dynamic" keyword/parameter in the "nat" statement if you are configuring such a translation.

You used "static" for Static translations between single hosts or single networks. You also used them to forward certain ports. So when you want to map a single address/network to another address/network (or even to itself in case of Identity NAT and NAT0) then you use "static". The "destination" can ONLY be "static", as in "destination static".

Both of the above could also be configured as Policy NAT/PAT versions by defining the rules with an ACL. In the new format the ACL has simply been replaced by "object" and "object-group" and they are used in the source/destination fields of the "nat" configurations.

For the 8.2 format configuration that is specifically causing confusion for you, I would have to see that one.

Can you post that specific configuration (with ACLs if used) here on the forum.

- Jouni

Jouni Forss
VIP Alumni

Hi,

It would be easier to help you if, for example, you provided the original 8.2 software version NAT configurations you had. You can naturally use fake IP addresses in the place of the real ones.

I can then provide the corresponding 8.3+ format NAT configurations.

One very important thing to notice also is that while your new NAT configurations might be correct in some cases, there is still a chance that the NAT ordering will prevent the operation of some NAT rules.

- Jouni

Hi, thanks for the response, please check the configs...

Hi,

I am not sure which NAT configuration was the one you had problem with.

You did mention that you were wondering how a Policy NAT would be configured where, for example, we had a certain source LAN network which was connecting to some REMOTE network and that traffic needed to use the interface IP address of the "outside".

The configuration would look a lot like the NAT0 / NAT Exempt you have. By the way, you have used the "show nat" command above, while the output of "show run nat" would show the actual configuration format. Then again, it wouldn't show the networks/addresses of the NAT configurations like the above.

So here is one example

  • Source network 10.10.10.0/24
  • Destination network 192.168.10.0/24
  • Translate to "outside" interface IP address with Dynamic PAT

object network LAN

subnet 10.10.10.0 255.255.255.0

object network REMOTE

subnet 192.168.10.0 255.255.255.0

nat (inside,outside) source dynamic LAN interface destination static REMOTE REMOTE

or

nat (inside,outside) after-auto source dynamic LAN interface destination static REMOTE REMOTE

So in the above we can see that

  • We are doing NAT between "inside" and "outside"
  • The Real Source is defined under "object network LAN"
  • The Mapped Source is defined with the use of parameter "interface" which tells the ASA to map the source addresses to the "outside" interface in this case
  • The destination parameters tells us that this NAT only applies to traffic destined for the network under "object network REMOTE". And because both the Real and Mapped destination address is the same then there is no translation for the destination network.

If you, let's say, had multiple source and destination networks then you could do this

object-group network LAN

network-object 10.10.10.0 255.255.255.0

network-object 10.10.20.0 255.255.255.0

object-group network REMOTE

network-object 192.168.10.0 255.255.255.0

network-object 192.168.20.0 255.255.255.0

nat (inside,outside) source dynamic LAN interface destination static REMOTE REMOTE

or

nat (inside,outside) after-auto source dynamic LAN interface destination static REMOTE REMOTE

So basically you would need to use "object-group network" instead of "object network". The simple reason is the fact that an "object network" can only handle a single subnet/host/range configuration, WHILE the "object-group network" can hold several network/host addresses.

The "after-auto" option for both of the above examples is just a parameter that would move this NAT rule to a lower priority, where it wouldn't override possible Static NAT configurations and such. Without the parameter it might override other NAT configurations.

I would suggest avoiding using "any" much in the new NAT format configuration. This might cause problems with the firewall's traffic forwarding. I'd rather specify the source networks under an "object-group network" instead of using "any".

- Jouni
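Since the thread turns on which 8.2 statement becomes which 8.3+ statement, here is an added example (not code from the thread or from Cisco) that translates a small, constructed 8.2 configuration into the object and manual NAT format the replies above describe. It handles the four patterns discussed: "nat 0 access-list" (NAT exempt), "nat N access-list" plus "global" (policy dynamic PAT), plain "nat N" plus "global" (regular dynamic PAT) and a one-to-one "static". The object names such as obj-10.10.10.0_24 and the sample 8.2 lines are this script's own assumptions.

```python
"""Added example: translate a constructed subset of ASA 8.2 NAT configuration
into the 8.3+ object / manual NAT format.  Object names (obj-<ip>_<prefix>)
are this script's convention, not a Cisco one."""
import ipaddress
import re
from collections import OrderedDict

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT_ACL_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")

# Constructed 8.2 sample: NAT exempt for VPN traffic, policy PAT for one
# partner network via the outside interface IP, catch-all PAT, one host static.
SAMPLE_82 = """\
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list POLICY extended permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
nat (inside) 2 access-list POLICY
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
global (outside) 2 interface
static (inside,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255
"""


def net_object(ip, mask):
    """Return (object name, object body line) for a host or subnet."""
    if mask == "255.255.255.255":
        return f"obj-{ip}", f"host {ip}"
    plen = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    return f"obj-{ip}_{plen}", f"subnet {ip} {mask}"


def pool_object(pool):
    """Return (name, body) for an 8.2 'global' pool: 'a.b.c.d' or 'a.b.c.d-e.f.g.h'."""
    if "-" in pool:
        lo, hi = pool.split("-", 1)
        return f"obj-pool-{lo}_{hi}", f"range {lo} {hi}"
    return f"obj-{pool}", f"host {pool}"


def convert(lines):
    """Return the 8.3+ configuration lines for the given 8.2 lines."""
    acls, globs, nats, nat0, policy, statics = {}, {}, [], [], [], []
    for raw in lines:
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append(m.groups()[1:])
        elif m := NAT_ACL_RE.match(line):
            (nat0 if m[2] == "0" else policy).append((m[1], m[2], m[3]))
        elif m := NAT_RE.match(line):
            nats.append(m.groups())
        elif m := GLOBAL_RE.match(line):
            globs.setdefault(m[2], []).append((m[1], m[3]))
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())

    objects = OrderedDict()

    def ensure(name_body):
        name, body = name_body
        objects.setdefault(name, body)
        return name

    def mapped(pool):
        return "interface" if pool == "interface" else ensure(pool_object(pool))

    manual, auto = [], []
    # Section 1 (manual NAT) is matched in config order, so emit NAT exempt first
    # and policy NAT second, which keeps the 8.2 precedence.  Adding "after-auto"
    # (section 3) instead would let object NAT win whenever both match.
    for ifc, _, acl in nat0:
        for src, sm, dst, dm in acls.get(acl, []):
            s, d = ensure(net_object(src, sm)), ensure(net_object(dst, dm))
            manual.append(f"nat ({ifc},any) source static {s} {s} destination static {d} {d}")
    for ifc, nid, acl in policy:
        for src, sm, dst, dm in acls.get(acl, []):
            s, d = ensure(net_object(src, sm)), ensure(net_object(dst, dm))
            for g_ifc, pool in globs.get(nid, []):
                manual.append(f"nat ({ifc},{g_ifc}) source dynamic {s} {mapped(pool)} destination static {d} {d}")
    # Section 2 (object NAT): the ASA itself orders static before dynamic here.
    for in_ifc, out_ifc, mp, real, mask in statics:
        auto.append((ensure(net_object(real, mask)), f" nat ({in_ifc},{out_ifc}) static {ensure(net_object(mp, mask))}"))
    for ifc, nid, src, mask in nats:
        real = ensure(net_object(src, mask))
        for g_ifc, pool in globs.get(nid, []):
            auto.append((real, f" nat ({ifc},{g_ifc}) dynamic {mapped(pool)}"))

    out = []
    for name, body in objects.items():
        out += [f"object network {name}", f" {body}"]
    out += manual
    for name, nat_line in auto:
        out += [f"object network {name}", nat_line]
    return out


if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_82.splitlines())))
```

The script covers only the patterns above (no port statics, no "dns" keyword, no outside NAT), and uses "any" as the mapped interface for NAT exempt rules because the 8.2 "nat 0" was not tied to an egress interface; narrowing that, and the "any" sources, is the advice given above. After applying the output, compare "show nat" hit counters with the old rules and confirm a sample flow with "packet-tracer input inside tcp <src> <port> <dst> <port>".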

Hi, thanks a lot, but I think I did it the same way you advised... mine is after-object manual NAT.

(inside) to (outside) source dynamic 10subnet translatedtopublicsubnet   destination static dest1 dest1

Thanks for the advice on "any", I will start trimming it down. But the real issue I am having is to figure out two things: where do we use static and where dynamic? To exempt VPN subnets from NAT we used static; since it was a whole subnet range I was expecting dynamic to be used? And also I have a rule in 8.2 on the inside interface which is dynamic with source any, destination nothing, and then in the translated section under interface it's inside and under address it's inside. The very next rule on the inside interface is almost the same, with source any, destination nothing, translated outside and address outside. Not sure what this means. Is it saying everything else coming from inside to outside, translate it to the outside interface? A little confused about both rules. Cheers
