05-30-2013 02:02 AM - edited 03-11-2019 06:51 PM
Hi,
Can anyone tell me what the new command is for NAT in version 8.3?
The config I have is from version 7.2 and doesn't work on 8.3.
global (outside) 1 interface
nat (inside) 1 10.123.74.128 255.255.255.128
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 86.35.156.**
05-30-2013 02:52 AM
Hi,
Basically the old NAT configuration already contains one useless line in it. It basically does Dynamic PAT and accepts any source address from the "inside" interface. If you want to follow that logic in the new software you can use
nat (inside,outside) after-auto source dynamic any interface
If you wanted to define the source addresses for the Dynamic PAT then you could use this variation of the configuration
object-group network DEFAULT-PAT-SOURCE
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
network-object 10.10.30.0 255.255.255.0
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
If you want to have a look at some information about the new 8.3+ NAT format have a look at the document I wrote here on the CSC
https://supportforums.cisco.com/docs/DOC-31116
Hope this helps
Remember to mark the reply as the correct answer if it answered your question.
Ask more if needed
- Jouni
05-30-2013 03:23 AM
Many thanks
What I want to achieve is this
BT line ----------------ADSL modem (bridge mode)---------------------ASA
My config so far is below
Am I on the right track?
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group PPPOE-GROUP
ip address pppoe setroute
!
interface Vlan325
nameif inside
security-level 100
ip address 10.123.74.254 255.255.255.128
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
description Outside interface to BT router
switchport access vlan 2
!
interface Ethernet0/2
description Inside interface to Core 2
switchport access vlan 325
!
vpdn group PPPOE-GROUP request dialout pppoe
vpdn group PPPOE-GROUP localname USERNAME
vpdn group PPPOE-GROUP ppp authentication pap
vpdn username USERNAME password PASSWORD store-local
!
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
access-list inside_mpc extended permit tcp any any eq 8080
access-list inside_mpc extended permit tcp any any eq www
access-list dhcp-acl extended permit udp any any range bootps bootpc
mtu outside 1492
mtu inside 1500
nat (inside,outside) after-auto source dynamic any interface
dhcpd dns 208.67.222.222 208.67.220.220
!
dhcpd address 10.123.74.130-10.123.74.239 inside
dhcpd enable inside
!
ntp server 150.101.254.110 source outside prefer
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
match request method connect
drop-connection log
class BlockDomainsClass
reset log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect ipsec-pass-thru
inspect icmp
policy-map inside-policy
class httptraffic
inspect http http_inspection_policy
!
05-30-2013 03:53 AM
Hi,
I don't see a problem with the configuration.
Though I have never had to configure the connection to the Internet as you have done.
Your ASA should get the IP address from the ISP and also the default route, from the looks of it.
The NAT configuration should be OK and work with the same logic as your previous Dynamic PAT configuration, even though we made it simpler.
- Jouni
05-30-2013 03:50 AM
object network outbound
subnet 10.123.74.128 255.255.255.128
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
So all traffic that hits the FW will get translated to the outside interface and go out to the Internet.
If you add the above NAT statement to your firewall, you will get Internet access.
I think you may have missed the access-group to bind the ACL to your interface.
Hope this helps
Regards
Karthik
05-30-2013 03:54 AM
Hi,
"object network" can't contain 2 "subnet" statements. It can only hold one.
Furthermore, specifying a specific network when you are also specifying "any" has no real use. It's just simpler to accept all source addresses OR specify all the source networks separately if you really want to control which network should hit the translation rule.
- Jouni
05-30-2013 04:02 AM
Hi Jouni,
I agree with you... I have just converted what he requested... but still, he can have PAT translations separately for a specific subnet and the others...
He just needs to add an object-group instead of an object...
Or, to make it simple...
object network outbound
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
Thanks for pointing out the mistake...
Regards
Karthik
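The conversion Jouni describes above, and the single-object form Karthik settles on, can be scripted for the rest of a 7.2-era config rather than done line by line. The following Python is an added example written for this page, not code from the thread or from Cisco: it parses the old `global`/`nat` pairs, emits the 8.3+ equivalents (a twice-NAT rule in the after-auto section for a 0.0.0.0 0.0.0.0 source, one network object with an auto/object NAT rule per specific subnet), and flags any specific-subnet line that a catch-all line under the same NAT ID already covers. The object-naming convention (`INSIDE-…`, `PAT-POOL-…`) and the 192.0.2.1 next hop in the constructed sample are this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample input: the pre-8.3 (7.2-style) lines from the original post,
# with the redacted next-hop replaced by a documentation address (assumption).
SAMPLE_PRE83 = """\
global (outside) 1 interface
nat (inside) 1 10.123.74.128 255.255.255.128
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")


def parse_pre83(config):
    """Pick out `global` and `nat` lines; routes, interfaces etc. are ignored.

    Policy NAT (`nat (ifc) N access-list ...`) is skipped because it has no
    one-line equivalent; identity NAT (ID 0) never has a matching `global`.
    Returns ({nat_id: (mapped_ifc, pool)}, [(real_ifc, nat_id, ip, mask), ...]).
    """
    globals_, nats = {}, []
    for raw in config.splitlines():
        line = raw.strip()
        g = GLOBAL_RE.match(line)
        if g:
            globals_[int(g.group(2))] = (g.group(1), g.group(3))
            continue
        n = NAT_RE.match(line)
        if n and n.group(3) != "access-list":
            # Old syntax allowed the shorthand "nat (inside) 1 0 0".
            ip = "0.0.0.0" if n.group(3) == "0" else n.group(3)
            mask = "0.0.0.0" if n.group(4) == "0" else n.group(4)
            nats.append((n.group(1), int(n.group(2)), ip, mask))
    return globals_, nats


def convert_to_83(config):
    """Return (8.3+ NAT lines, list of pre-8.3 lines that were redundant).

    Object names are this example's own convention, not an ASA requirement.
    """
    globals_, nats = parse_pre83(config)
    out, redundant = [], []
    for nat_id, (mapped_ifc, pool) in sorted(globals_.items()):
        if pool == "interface":
            mapped = "interface"
        else:
            # An explicit PAT address or range needs its own network object in 8.3.
            mapped = f"PAT-POOL-{nat_id}"
            out.append(f"object network {mapped}")
            if "-" in pool:
                lo, hi = pool.split("-", 1)
                out.append(f" range {lo} {hi}")
            else:
                out.append(f" host {pool}")
        by_ifc = {}
        for real_ifc, rid, ip, mask in nats:
            if rid == nat_id:
                net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
                by_ifc.setdefault(real_ifc, []).append(net)
        for real_ifc, nets in by_ifc.items():
            if any(n.prefixlen == 0 for n in nets):
                # "any" already covers every specific subnet under the same ID,
                # so emit one after-auto (section 3) twice-NAT rule and drop the rest.
                for n in nets:
                    if n.prefixlen != 0:
                        redundant.append(
                            f"nat ({real_ifc}) {nat_id} {n.network_address} {n.netmask}"
                        )
                out.append(
                    f"nat ({real_ifc},{mapped_ifc}) after-auto source dynamic any {mapped}"
                )
                continue
            # Specific subnets: one network object each with an auto (object) NAT rule.
            for n in nets:
                name = f"{real_ifc.upper()}-{n.network_address}_{n.prefixlen}"
                out.append(f"object network {name}")
                out.append(f" subnet {n.network_address} {n.netmask}")
                out.append(f" nat ({real_ifc},{mapped_ifc}) dynamic {mapped}")
    return out, redundant


if __name__ == "__main__":
    lines, dropped = convert_to_83(SAMPLE_PRE83)
    print("\n".join(lines))
    for line in dropped:
        print(f"! dropped (redundant): {line}")
```

Run against the sample, the script prints the single after-auto line Jouni gave and reports the 10.123.74.128/25 line as redundant. It deliberately does not touch `static` lines, policy NAT or `nat 0` identity NAT; those need to be converted by hand, and the generated output should still be reviewed with `show nat` after it is applied.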
05-30-2013 04:18 AM
Thanks.
Are you talking about the ACL access-list inside_mpc?
If so, I haven't assigned it to an interface.
05-30-2013 04:39 AM
You don't need interface ACLs at this point.
When your interfaces don't have ACLs attached to them with the "access-group" command, the "security-level" value of the interface determines which traffic is allowed.
The default rule is that hosts behind the higher-value interface can access anything behind a lower security-level interface.
So as you can see, the "inside" is 100 and the "outside" is 0. So hosts behind "inside" can connect anywhere on the "outside" without configuring any ACL on the interfaces.
If you need to restrict some traffic from "inside" to "outside" then you will need to configure an interface ACL. Also, if you were to allow traffic from "outside" to some server on the "inside", you would need to both configure Static PAT and allow the traffic in an ACL attached to the "outside" interface.
But at the moment you don't need to configure any ACLs to have Internet working.
- Jouni
05-31-2013 07:18 AM
I placed the BT router in bridge mode connected to the ASA but it does not work.
I get the following message:
Failed to locate egress interface for UDP from inside:
05-31-2013 07:22 AM
Hi,
Sounds to me like the "outside" interface either doesn't have an IP address or there is just a routing problem?
You can use the command "show ip add" to view the IP addresses currently on the interfaces of the ASA.
- Jouni
05-31-2013 07:37 AM
No, it hasn't got an IP address.
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group PPPOE-GROUP
ip address pppoe setroute
!
interface Vlan325
nameif inside
security-level 100
ip address 10.123.74.254 255.255.255.128
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
description Outside interface to BT router
switchport access vlan 2
!
interface Ethernet0/2
description Inside interface to Core 2
switchport access vlan 325
!
vpdn group PPPOE-GROUP request dialout pppoe
vpdn group PPPOE-GROUP localname C****0@hgbtclick.com
vpdn group PPPOE-GROUP ppp authentication pap
vpdn username C****@hgbtclick.com password hanover1 store-local
should i change the ppp authentication to mschap?
!
05-31-2013 07:41 AM
Hi,
Are you saying that with the "show ip add" command you don't see any IP address in the listing?
If there is one, then check what the "show route" command output shows. You should have a default route towards the ISP.
I have no real idea about the configuration type you are using for the "outside" connection, as I have never had to use it myself. I would imagine the needed information would be provided by the ISP.
- Jouni