09-22-2014 06:44 PM - edited 03-11-2019 09:48 PM
Hi All,
Please correct me if I am wrong. I am upgrading from 8.0 to 8.4.
One of my customers has NAT rules in 8.0 as below.
For all the access lists below they used permit ip any any.
nat (inside) 0 access-list xxxxx
nat (outside) 0 access-list xxxx outside
nat (outside100) 0 access-list xxxx outside
nat (inside) 12 0.0.0.0 0.0.0.0
global (outside) 12 interface
After the upgrade
I see the rules as below (omitted other rules)
1)nat (inside,any) source static any any no-proxy-arp route-lookup
2)object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any
nat (inside,outside) dynamic interface
1) According to my understanding, this rule "1" will be placed first (Section 1) and hence there will be no NAT going on when the customer is going from the inside interface to outside. Is that correct?
2) Can I safely remove all those rules like "1", since they are of no use as the only NAT that should be happening is between the inside and outside interface?
Of course, I do not think the access list should be permit ip any any in the first case, but this is the customer's current config.
Thanks for the advice.
09-22-2014 08:43 PM
Hi Rakesh,
nat (inside) 0 access-list xxxxx
For the above NAT 0 statement, below is the modified NAT rule.
1) nat (inside,any) source static any any no-proxy-arp route-lookup
Check whether this NAT 0 statement is used for any VPN access or for internal user access. If you haven't used it anywhere, you can remove this NAT statement.
2) Can I safely remove all those rules like "1", since they are of no use as the only NAT that should be happening is between the inside and outside interface? : If you have only two interfaces on the ASA appliance, then your statement is correct; if you have multiple interfaces, this NAT 0 is applicable for all interfaces on your ASA for traffic originating from the inside interface.
Share your ASA 8.0 running config with me so I can check whether the NAT 0 statement is associated with any other access.
HTH
Sandy
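As an added illustration (not part of either post above, and not the customer's config), the following shows the migrated 8.4 rules from the first post beside a narrowed version of the same idea. The object names LAN and VPN_POOL and the addresses 10.0.0.0/24, 192.168.100.0/24 and 203.0.113.5 are assumed for the example. In 8.3 and later the NAT table is evaluated in order: Section 1 (manual/twice NAT) before Section 2 (object/auto NAT), so a `source static any any` identity rule in Section 1 matches every packet from inside first and the dynamic PAT in Section 2 is never reached.

```text
! --- As produced by the 8.0 -> 8.4 migration (the rules quoted in the thread) ---
! Section 1 (manual NAT): identity rule from "nat (inside) 0 access-list" with permit ip any any.
! Evaluated first, so every packet from inside is exempted and the PAT below is never reached.
nat (inside,any) source static any any no-proxy-arp route-lookup
!
! Section 2 (object NAT): dynamic PAT from "nat (inside) 12 0.0.0.0 0.0.0.0" / "global (outside) 12 interface".
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

! --- Narrowed version (assumed addresses: inside LAN 10.0.0.0/24, VPN pool 192.168.100.0/24) ---
! Keep NAT exemption only for the traffic that needs it (here: LAN to the VPN pool),
! so Internet-bound traffic falls through to the PAT rule in Section 2.
object network LAN
 subnet 10.0.0.0 255.255.255.0
object network VPN_POOL
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

! --- Checks (enable mode) ---
! show nat
!   Lists Section 1 before Section 2 with translate_hits / untranslate_hits per rule;
!   with the migrated config the "any any" rule takes all the hits and the PAT rule stays at zero.
! packet-tracer input inside tcp 10.0.0.10 1025 203.0.113.5 80
!   Internet-bound flow (assumed destination): the NAT phase should show the PAT rule in the
!   narrowed config, and the identity rule (no translation) in the migrated config.
! packet-tracer input inside tcp 10.0.0.10 1025 192.168.100.20 445
!   VPN-bound flow: should hit the identity rule in both configs.
```

One point worth keeping in mind while comparing: the precedence is not new. In 8.0, NAT exemption (`nat (inside) 0 access-list`) was also evaluated before dynamic `nat`/`global` pairs, so an exemption ACL of permit ip any any already prevented the `nat 12` PAT from applying; the migration preserves that behaviour rather than creating it.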
09-22-2014 10:56 PM
Hi Sandy,
Below is the config in the old version.
Access-list is to match all.
nat (inside) 12 0.0.0.0 0.0.0.0
global (outside) 12 interface
nat (inside) 0 access-list xxxxx
nat (outside) 0 access-list xxxx outside
Don't they contradict each other? I feel the config is wrong, as the access list should be some defined addresses.
Please advise.
Thanks
09-22-2014 11:31 PM
Hi
nat (inside) 0 access-list xxxxx
What is your access-list xxxx?
Can you share your ASA config with me?
HTH
Sandy
09-23-2014 12:01 AM
Hi Sandy,
Sorry, due to security issues I cannot share the config.
Access list is permit ip any any.
Thanks