03-11-2023 08:53 AM
Hi All,
I would like to ask a question regarding an upgrade of ASA code from pre-8.3 to post-8.3 and the config conversion.
I have many NAT statements which are self-NATting; an example is below. Can they be removed before converting the config to the 8.3+ version, or should they be retained? It doesn't seem like they are doing any real NATting.
static (interface-1,interface-2) 1.1.1.1 1.1.1.1 netmask 255.255.255.255
static (interface-1,interface-2) 2.2.2.2 2.2.2.2 netmask 255.255.255.255
Any help would be appreciated.
03-11-2023 09:17 AM
show nat detail <<- check whether this NAT has hit traffic or not
03-11-2023 02:51 PM
translate_hits = 335003, untranslate_hits = 1569127
translate_hits = 351204, untranslate_hits = 1763292
Seems like there are translated and untranslated hits.
03-11-2023 03:00 PM
So this NAT is active and in use.
03-11-2023 03:07 PM
Is it enough to use the syntax below on version 8.3+ without making any change to the ACL?
object network OBJ-1.1.1.1
host 1.1.1.1
object network OBJ-1.1.1.1
host 1.1.1.1
nat (interface-1,interface-2) source static OBJ-1.1.1.1 OBJ-1.1.1.1
object network OBJ-2.2.2.2
host 2.2.2.2
object network OBJ-2.2.2.2
host 2.2.2.2
nat (interface-1,interface-2) source static OBJ-2.2.2.2 OBJ-2.2.2.2
03-11-2023 03:20 PM
Do you mean adding the static NAT and its effect on the ACL you apply?
If yes, then there is some change between pre- and post-8.3:
https://community.cisco.com/t5/network-security/asa-8-3-real-ip-address-in-acl/td-p/1864249
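The conversion discussed in this thread, as an added example that is not from any of the posters: a Python script that reads pre-8.3 `static` lines, keeps only identity (self-NAT) entries with an explicit netmask, and emits the 8.3+ object and twice-NAT form posted above. The function name and the `OBJ-<network>-<prefix>` naming for subnets are assumptions; every other `static` line is returned for manual review instead of being converted.

```python
import ipaddress
import re

# Pre-8.3 form: static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)$"
)

def convert_identity_statics(config_text):
    """Return (new_lines, review): 8.3+ config for identity statics, rest for review."""
    new_lines, review, defined = [], [], set()
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("static "):
            continue
        m = STATIC_RE.match(line)
        try:
            if m is None:
                raise ValueError("options, port redirection or no netmask")
            real = ipaddress.ip_address(m["real"])
            if ipaddress.ip_address(m["mapped"]) != real:
                raise ValueError("real translation, not self-NAT")
            net = ipaddress.ip_network(f"{real}/{m['mask']}")  # rejects host bits
        except ValueError:
            review.append(line)
            continue
        if net.prefixlen == net.max_prefixlen:
            name, body = f"OBJ-{real}", f" host {real}"
        else:
            name = f"OBJ-{net.network_address}-{net.prefixlen}"  # assumed naming
            body = f" subnet {net.network_address} {net.netmask}"
        if name not in defined:
            defined.add(name)
            new_lines += [f"object network {name}", body]
        new_lines.append(
            f"nat ({m['real_if']},{m['mapped_if']}) source static {name} {name}")
    return new_lines, review

# First two lines are from the question; the third is constructed for contrast.
SAMPLE = """\
static (interface-1,interface-2) 1.1.1.1 1.1.1.1 netmask 255.255.255.255
static (interface-1,interface-2) 2.2.2.2 2.2.2.2 netmask 255.255.255.255
static (interface-1,interface-2) 3.3.3.3 10.0.0.3 netmask 255.255.255.255
"""

if __name__ == "__main__":
    lines, review = convert_identity_statics(SAMPLE)
    print("\n".join(lines))
    print("! review manually:", *review, sep="\n")
```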