Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7472
Views
0
Helpful
5
Replies

ASA NAT 8.x to 8.4 conversion - URGENT

Tim Lewis
Level 1
Level 1

‎06-14-2011 02:12 PM - edited ‎03-11-2019 01:45 PM

I have 8.2 configuration that works:

global (inside) 1 192.168.1.1

nat (outside) 1 access-list Servers outside

static (inside,outside) 10.16.0.0 10.1.0.0 netmask 255.255.0.0

static (inside,outside) 10.17.0.0 10.2.0.0 netmask 255.255.0.0

static (inside,outside) 10.18.0.0 10.11.0.0 netmask 255.255.0.0

static (inside,outside) 10.19.0.0 10.12.0.0 netmask 255.255.0.0

static (outside,inside) 192.168.1.1  39.39.39.15 netmask 255.255.255.255

ACL Servers has only two hosts:

39.39.39.15

39.39.39.16

It is remote monitoring ASA, so I need to nat user networks (10.1.x.y, 10.2.x.y) to something that I can use (10.16.x.y, 10.17.x.y...)

Also, since it my device, I have them configure snmp and syslog server on client's network to use 192.168.1.1, so I have dynamic NAT for two SNMP servers and static NAT for one of them (which is syslog server).

Can someone please create 8.4 version, so I can apply it? I tried few things, packet tracer shows that they are NATed, but I have only Denc packets, because hosts see request coming from my public IP...

Thank you.

Labels:
0 Helpful
5 Replies 5

andamani
Cisco Employee
Cisco Employee

‎06-14-2011 05:32 PM

Hi,

Can you try the conversion with the help of the following document:

https://supportforums.cisco.com/docs/DOC-9129

Hope this helps.

Regards,

Anisha

P.S.:please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

0 Helpful

Tim Lewis
Level 1
Level 1
In response to andamani

‎06-14-2011 08:09 PM

Hi Anisha,

honestly, doesn't help much. I configured lot of 8.3 and 8.4 NAT, so I am very familiar with documents and procedures, here is very specific example, we are using twice NAT, so it could be that order of operations are changed, or something similar.

I need very precise info.

0 Helpful

Jitendriya Athavale
Cisco Employee
Cisco Employee
In response to Tim Lewis

‎06-14-2011 09:32 PM

can you give us more clarity on the issue, r you looking for the commands or you already have the commands and they r not working? if so please paste the nat rules you have with the requirement so that we can see wht is going on

as far as what has changed, other than the syntax the main diff is that we check the nat first then acl hence the need to allow real ip in acl for static nat

0 Helpful

varrao
Level 10
Level 10

‎06-15-2011 10:58 AM

Hi Mile,

If you are looking for corresponding nat commands to the ones that you have pasted, they are as follows:

object network 10.16.0.0_network

subnet 10.16.0.0 255.255.0.0

object network 10.1.0.0_network

subnet 10.1.0.0 255.255.0.0

object network 10.17.0.0_network

subnet 10.17.0.0 255.255.0.0

object network 10.2.0.0_network

subnet 10.2.0.0 255.255.0.0

object network 10.18.0.0_network

subnet 10.18.0.0 255.255.0.0

object network 10.19.0.0_network

subnet 10.19.0.0 255.255.0.0

object network 10.11.0.0_network

subnet 10.11.0.0 255.255.0.0

object network 10.12.0.0_network

subnet 10.12.0.0 255.255.0.0

So the corresponsing nat commands for static would be:

nat (outside,inside) source static any any destination static 10.16.0.0_network 10.1.0.0_network

nat (outside,inside) source static any any destination static 10.17.0.0_network 10.2.0.0_network

nat (outside,inside) source static any any destination static 10.18.0.0_network 10.11.0.0_network

nat (outside,inside) source static any any destination static 10.19.0.0_network 10.12.0.0_network

And for the last static command:

object network private_ip

host 192.168.1.1

object network public_ip

host 39.39.39.15

nat (inside,outside) source static any any destination static private_ip public_ip

The first two nat commands doesn't seem right to me, could you verify whether this is wat you had earlier????

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

Anukalp S
Level 1
Level 1
In response to varrao

‎02-01-2013 08:14 AM

Hi..I am also in phase of migrating software from 8.2 to 8.4. I am facing  issues while changing below config in 8.4. Could anyone pls helpout.

access-list www_http extended permit tcp host 192.168.183.202 any eq www
access-list www_http extended permit tcp host 192.168.183.202 any eq https
access-list www_http extended permit tcp host 192.168.183.196 any eq www
access-list www_http extended permit tcp host 192.168.183.196 any eq https

nat (inside) 3 access-list www_http

global (outside) 3 61.144.128.140 netmask 255.255.255.255

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card