
Cisco ASA 8.2 NAT Exempt migration to 9.9

drlbaluyut
Level 1

 

Sorry for my noob question, I have the config below from 8.2:

 

access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.172.8.224 255.255.255.224 

nat (inside) 0 access-list NO-NAT

 

 

FW# packet-tracer input inside tcp 10.3.3.3 443 10.172.8.224 $

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.172.8.224 255.255.255.248 inside

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

I'm currently converting the NAT exempt configuration from 8.2 to post-8.3 (9.9).

 

Is my configuration below correct, and what would be the sense of that config, wherein it uses the same interface?

 

object network OBJ-10.0.0.0-8
subnet 10.0.0.0 255.0.0.0
object network OBJ-10.172.8.224-27
subnet 10.172.8.224 255.255.255.224
nat (inside,inside) source static OBJ-10.0.0.0-8 OBJ-10.0.0.0-8 destination static OBJ-10.172.8.224-27 OBJ-10.172.8.224-27

 

Honestly, I don't know whether it's being used or not, or the purpose of that config, but I don't see any hit counts.

 

FW# sh access-list NO-NAT | i 10.172.8.224 255.255.255.224
access-list NO-NAT line 29 extended permit ip 10.0.0.0 255.0.0.0 10.172.8.224 255.255.255.224 (hitcnt=0) 0x43592b78

 

I'm just trying to migrate everything from 8.2 to post-8.3.
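A small converter for exactly this migration step, added here as an example and not taken from the thread or from Cisco: it parses the 8.2 `access-list ... extended permit ip` entries that a `nat (iface) 0 access-list` line references, emits the `object network` definitions, and produces the post-8.3 identity twice-NAT statements in the form the post shows. The sample input is constructed (the two lines from the post plus one made-up `host` entry so that address form is exercised); the egress interface is a parameter defaulted to `inside` to match the poster's `nat (inside,inside)`, and the `OBJ-<network>-<prefixlen>` naming mirrors the poster's object names.

```python
"""Convert ASA 8.2 NAT exemption (nat (iface) 0 access-list X) to 8.3+ object/twice NAT.

Added example for this thread; not Cisco code and not the ASA upgrade migration
itself. Handles the 'host A', 'A MASK' and 'any' address forms of an ACE.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the poster's two lines plus one extra 'host' ACE made up here.
SAMPLE_82 = """\
access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.172.8.224 255.255.255.224
access-list NO-NAT extended permit ip host 10.1.1.1 10.172.8.224 255.255.255.224
nat (inside) 0 access-list NO-NAT
"""

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)\s*$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+?)\s*$")

Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Pop one ACE address expression ('any', 'host A', or 'A MASK') off the front."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    mask = tokens.pop(0)
    # strict=True (the default) rejects an ACE whose address has host bits set
    # under its mask, which is exactly the kind of typo that silently never matches.
    return ipaddress.ip_network(f"{head}/{mask}")


def parse_acls(config: str) -> Dict[str, List[Pair]]:
    """Collect (src, dst) network pairs per ACL name from 'permit ip' ACEs."""
    acls: Dict[str, List[Pair]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group(2).split()
        src = take_addr(tokens)
        dst = take_addr(tokens)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def parse_nat_exempts(config: str) -> List[Tuple[str, str]]:
    """Return (interface, acl_name) for every 'nat (iface) 0 access-list NAME' line."""
    found = []
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def object_name(net: ipaddress.IPv4Network) -> str:
    """Name objects like the poster did: OBJ-<network>-<prefixlen>; 'any' needs no object."""
    if net.prefixlen == 0:
        return "any"
    return f"OBJ-{net.network_address}-{net.prefixlen}"


def object_lines(net: ipaddress.IPv4Network) -> List[str]:
    """The 'object network' definition for a subnet or a single host."""
    if net.prefixlen == 0:
        return []
    if net.prefixlen == 32:
        return [f"object network {object_name(net)}", f" host {net.network_address}"]
    return [f"object network {object_name(net)}", f" subnet {net.network_address} {net.netmask}"]


def convert(config: str, egress: str = "inside") -> List[str]:
    """Emit object definitions first (ASA needs them before use), then identity twice-NAT lines.

    The egress interface is the caller's choice; the post uses 'inside' on both sides.
    """
    acls = parse_acls(config)
    objects: List[str] = []
    nat_lines: List[str] = []
    seen = set()
    for iface, acl in parse_nat_exempts(config):
        for src, dst in acls.get(acl, []):
            for net in (src, dst):
                name = object_name(net)
                if name != "any" and name not in seen:
                    seen.add(name)
                    objects.extend(object_lines(net))
            s, d = object_name(src), object_name(dst)
            nat_lines.append(
                f"nat ({iface},{egress}) source static {s} {s} destination static {d} {d}"
            )
    return objects + nat_lines


if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_82)))
```

The first emitted NAT line is byte-for-byte the statement the poster wrote, which is the point: NAT exemption becomes an identity twice-NAT with the same object on both sides of `source static` and `destination static`. After applying the generated lines, the `translate_hits` counter from `show nat` (mentioned in the reply) is the place to confirm whether the rule is ever matched.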

3 Replies

It's been a while since I have worked with 8.2, but you could try to use the command show nat (use ? after nat to see if you can specify the IP or subnet). If supported, this will give you a hit count on the NAT statement.

 

By the looks of it, this is a NAT for inter-VLAN traffic since inside is specified as source and destination interface. Are both these subnets on your LAN? If so, then this command is no longer needed. In 8.2 you have a command nat-control which forces you to have NAT statements to allow traffic through the ASA. As of 8.3 this is disabled by default, and in newer versions it has been removed completely. Check if nat-control is configured with show run nat-control and/or show run | in nat-control

 

As for your converted NAT configuration, this is correct.

--
Please remember to select a correct answer and rate helpful posts

Hi @Marius Gunnerud

 

I see that there's no hit count:

 

FW# sh nat | beg 10.172.8.224
match ip inside 10.0.0.0 255.0.0.0 outside 10.172.8.224 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0

 

FW# sh run nat-control
no nat-control

 

Can you elaborate on the use of nat-control in 8.2?

 

I think that the command is not needed, I'm just not sure why it was configured in the first place. 10.172.8.224 is on the internal LAN.

If you have nat-control enabled, you are required to have NAT statements for all traffic passing through the ASA. This was supposed to be an extra security feature. I think it was in version 8.4 that this command was removed.

--
Please remember to select a correct answer and rate helpful posts