cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1313
Views
10
Helpful
12
Replies

Cisco ASA 5505 V8.3 NAT config

smith606306
Beginner
Beginner

                   Hi,

Can anyone tell me what the new command is for NAT in version 8.3?

The config i have is from Version 7.2 and doesnt work on 8.3

global (outside) 1 interface

nat (inside) 1 10.123.74.128 255.255.255.128

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 86.35.156.**

2 Accepted Solutions

Accepted Solutions

nkarthikeyan
Rising star
Rising star

object network outbound

subnet 10.123.74.128 255.255.255.128

subnet 0.0.0.0 0.0.0.0

nat (inside,outside) dynamic interface

So every traffc hits the fw will get translated to outside interface and goes out for internet

If you add the above nat statement on to your firewall.... you will get internet access....

I hope you have missed the access-group to bind the ACL to your interface....

Hope this helps

Regards

Karthik

View solution in original post

Hi,

"object network" cant contain 2 "subnet" statements. It can only hold one.

Furthermore specifying a specific network when you are also specifying "any" has no real use. Its just simpler to accept all source addresses OR specify all the source networks separately if you really want to control which network should hit the translation rule.

- Jouni

View solution in original post

12 Replies 12

Jouni Forss
Mentor
Mentor

Hi,

Basically the old NAT configuration already contains one useless line in it. It basically does Dynamic PAT and accepts any source address from the "inside" interface. If you want to follow that logic in the new software you can use

nat (inside,outside) after-auto source dynamic any interface

If you wanted to define the source addresses for the Dynamic PAT then you could use this variation of the configuration

object-group network DEFAULT-PAT-SOURCE

network-object 10.10.10.0 255.255.255.0

network-object 10.10.20.0 255.255.255.0

network-object 10.10.30.0 255.255.255.0

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

If you want to have a look at some information about the new 8.3+ NAT format have a look at the document I wrote here on the CSC

https://supportforums.cisco.com/docs/DOC-31116

Hope this helps

Remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni

Many thanks

What I want to achieve is this

BT line ----------------ADSL modem (bridge mode)---------------------ASA

My config so far is below

Am i on the right track?

interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group PPPOE-GROUP
ip address pppoe setroute


!
interface Vlan325
nameif inside
security-level 100
ip address 10.123.74.254 255.255.255.128
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
description Outside interface to BT router
switchport access vlan 2
!
interface Ethernet0/2
description Inside interface to Core 2
switchport access vlan 325
!

vpdn group PPPOE-GROUP request dialout pppoe

vpdn group PPPOE-GROUP localname USERNAME

vpdn group PPPOE-GROUP ppp authentication pap

vpdn username USERNAME password PASSWORD store-local

!
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
access-list inside_mpc extended permit tcp any any eq 8080
access-list inside_mpc extended permit tcp any any eq www
access-list dhcp-acl extended permit udp any any range bootps bootpc
mtu outside 1492

mtu inside 1500

nat (inside,outside) after-auto source dynamic any interface

dhcpd dns 208.67.222.222 208.67.220.220
!
dhcpd address 10.123.74.130-10.123.74.239 inside
dhcpd enable inside
!

ntp server 150.101.254.110 source outside prefer

policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
  protocol-violation action drop-connection
match request method connect
  drop-connection log
class BlockDomainsClass
  reset log
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect ipsec-pass-thru
  inspect icmp
policy-map inside-policy
class httptraffic
  inspect http http_inspection_policy
!

Hi,

I dont see a problem with the configuration.

Though I have never had to configure the connection to Internet as you have done.

Your ASA should get the IP address from the ISP and also the default route from the looks of it.

The NAT configurations should be ok and work with the same logic as your previous Dynamic PAT configuration even though we made it simpler.

- Jouni

nkarthikeyan
Rising star
Rising star

object network outbound

subnet 10.123.74.128 255.255.255.128

subnet 0.0.0.0 0.0.0.0

nat (inside,outside) dynamic interface

So every traffc hits the fw will get translated to outside interface and goes out for internet

If you add the above nat statement on to your firewall.... you will get internet access....

I hope you have missed the access-group to bind the ACL to your interface....

Hope this helps

Regards

Karthik

Hi,

"object network" cant contain 2 "subnet" statements. It can only hold one.

Furthermore specifying a specific network when you are also specifying "any" has no real use. Its just simpler to accept all source addresses OR specify all the source networks separately if you really want to control which network should hit the translation rule.

- Jouni

Hi Jouni,

I agree with you... i have just converted wat he was requested.... but still he can have PAT translations seperately for specifc subnet and others.....

he just need to add the object-group instead of object....

or to make simple...

object network outbound

subnet 0.0.0.0 0.0.0.0

nat (inside,outside) dynamic interface

Thanks for notifying the mistake...

Regards

Karthik

Thanks.

are you talking about the ACL access-list inside_mpc ?

If so i havent assigned it to an interface

You dont need interface ACLs at this point.

When your interfaces dont have ACLs attached to them with the "access-group" command then the "security-level" value of the interface determines which traffic is allowed.

The default rule is that hosts behind the higher value interface can access anything behind a lower security level interface.

So as you can see the "inside" is 100 and the "outside" is 0. So hosts behind "inside" can connect anywhere on the "outside" without configuring any ACL on the interfaces.

If you need to restrict some traffic from "inside" to "outside" then you will need to confiure an interface ACL. Also if you were to allow traffic from "outside" to some server on the "inside" you would both need to configure Static PAT and allow the traffic on an ACL attached to the "outside" interface.

But at the moment you dont need to configure any ACLs to have Internet working.

- Jouni

i placed the BT router in bridge mode connected to the ASA but does not work.

I get the following message>

Failed to locate egress interface for UDP from inside:

Hi,

Sounds to me that the "outside" interface either doesnt have an IP address or there is just a routing problem?

You can use the command "show ip add" to view the IP addresses currently on the interfaces of the ASA

- Jouni

no it hasn/t got an ip address.

interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group PPPOE-GROUP
ip address pppoe setroute


!
interface Vlan325
nameif inside
security-level 100
ip address 10.123.74.254 255.255.255.128
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
description Outside interface to BT router
switchport access vlan 2
!
interface Ethernet0/2
description Inside interface to Core 2
switchport access vlan 325
!

vpdn group PPPOE-GROUP request dialout pppoe

vpdn group PPPOE-GROUP localname C****0@hgbtclick.com

vpdn group PPPOE-GROUP ppp authentication pap

vpdn username C****@hgbtclick.com password hanover1 store-local

should i change the ppp authentication to mschap?

!

Hi,

Are you saying that with "show ip add" command you dont see any IP address in the listing?

If there is, then check what the "show route" command output shows. You should have a default route towards the ISP.

I have no real idea about the configuration type you are using for the "outside" connection as I have never had to use it myself. I would imagine the needed information would be provided by the ISP.

- Jouni

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers