Cisco ASA 5512 IOS 9.1 NAT exemption translation from IOS 8.0

I currently have a Cisco ASA 5512 that I am configuring based off an old ASA. The ASA I am configuring is using IOS version 9.1.2 and ASDM version 7; the old ASA is using IOS 8.0 and ASDM 6.3. I was wondering how to translate their current NAT exemption statements to the new 9.1.2 statements:

nat (Private) 0 access-list Private_nat0_outbound

nat (management) 0 0.0.0.0 0.0.0.0

How would this look in IOS version 9.1.2?

Thanks!

Jouni Forss
VIP Alumni

Hi,

Without seeing the actual "access-list" used in the configuration we can't give an exact answer.

The general format is this

object network SOURCE

subnet

object network DESTINATION

subnet

nat (sourceint,destint) source static SOURCE SOURCE destination static DESTINATION DESTINATION

Is the interface "management" NAT configuration above the only NAT configuration for that interface? If so, you most likely won't need any NAT configurations in the new software for that interface.

Hope this helps

- Jouni

My apologies Jouni, here is a bit more information that might help with this question:

access-list Private_nat0_outbound extended permit ip 136.223.0.0 255.255.240.0 136.223.16.0 255.255.248.0

access-list Private_nat0_outbound extended permit ip 136.223.0.0 255.255.240.0 141.254.0.0 255.255.0.0

nat (Private) 0 access-list Private_nat0_outbound

nat (management) 0 0.0.0.0 0.0.0.0

Hi,

For that the configuration would be

object network SOURCE

subnet 136.223.0.0 255.255.240.0

object-group network DESTINATION

network-object 136.223.16.0 255.255.248.0

network-object 141.254.0.0 255.255.0.0

nat (Private,) source static SOURCE SOURCE destination static DESTINATION DESTINATION

You should add the destination interface to the above configuration. This you can determine according to the current routing table.

You can naturally change the "object" and "object-group" name to better describe the networks. I just used simple names to describe their use.

Again, I am not sure about the "management". You might not need any "nat" configurations for it if it doesn't have any other configurations in the old configuration than the one mentioned above.

- Jouni
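
As an added example (not part of the thread and not Cisco tooling), the translation in the answer above can be scripted: this Python function groups the old `nat 0` ACL entries by source network and emits the 9.1 object, object-group and twice NAT lines, rejecting ACL forms it cannot map. The `_SRC`/`_DST` object names and the `outside` destination interface are assumptions; the destination interface has to be supplied by the caller because the 8.0 syntax does not carry it.

```python
import ipaddress
import re
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_ACL_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
NAT0_NET_RE = re.compile(r"^nat \((\S+)\) 0 (\S+) (\S+)$")

# The 8.0 lines posted in the thread.
SAMPLE = """\
access-list Private_nat0_outbound extended permit ip 136.223.0.0 255.255.240.0 136.223.16.0 255.255.248.0
access-list Private_nat0_outbound extended permit ip 136.223.0.0 255.255.240.0 141.254.0.0 255.255.0.0
nat (Private) 0 access-list Private_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
"""

def _net(addr, mask):
    # Raises ValueError for "host"/"any" forms or a network with host bits set.
    ipaddress.IPv4Network(f"{addr}/{mask}")
    return f"{addr} {mask}"

def convert_nat0(old_config, dest_if):
    """Return (new_lines, notes). dest_if maps source interface -> destination
    interface; the caller supplies it (for example from the routing table)."""
    lines = [l.strip() for l in old_config.splitlines() if l.strip()]
    acls = {}
    for line in lines:  # pass 1: group ACL destinations by source network
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, {}).setdefault(_net(s, sm), []).append(_net(d, dm))
    out, notes = [], []
    for line in lines:  # pass 2: turn each "nat 0" line into a twice NAT rule
        if ACL_RE.match(line):
            continue
        if m := NAT0_ACL_RE.match(line):
            iface, name = m.groups()
            if name not in acls or iface not in dest_if:
                raise ValueError(f"missing ACL or destination interface: {line}")
            for i, (src, dsts) in enumerate(acls[name].items(), 1):
                so, do = f"{name}_SRC{i}", f"{name}_DST{i}"  # hypothetical names
                out += [f"object network {so}", f" subnet {src}", f"object-group network {do}"]
                out += [f" network-object {d}" for d in dsts]
                out.append(f"nat ({iface},{dest_if[iface]}) source static {so} {so}"
                           f" destination static {do} {do}")
        elif NAT0_NET_RE.match(line):  # e.g. the "management" line: flag, do not convert
            notes.append(f"{line}: no rule emitted; check the interface for other NAT rules")
        else:
            raise ValueError(f"unsupported line: {line}")
    return out, notes

if __name__ == "__main__":  # "outside" is an assumed destination interface
    print("\n".join(convert_nat0(SAMPLE, {"Private": "outside"})[0]))
```
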

Jouni,

Thank you very much for the information, the configuration that you stated above worked. As far as management goes, I remember with 9.1.2 I do not have to specify a "management" NAT statement. I know how to do this now on future statements when configuring NAT. Thanks for your help!

Hi,

Glad to hear it worked

- Jouni

I know this is quite old, but I ran into the same problem and I think I should post my resolution, as found at this link:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html#pgfId-1176608

It says "NAT is not required. If you do not configure NAT for a given set of traffic, that traffic will not be translated, but will have all of the security policies applied as normal"

I think this feature starts from 9.1
