01-11-2019 02:04 AM - edited 02-21-2020 08:39 AM
Sorry for my noob question, I have a config below from 8.2:
access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.172.8.224 255.255.255.224
nat (inside) 0 access-list NO-NAT
FW# packet-tracer input inside tcp 10.3.3.3 443 10.172.8.224 $
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.172.8.224 255.255.255.248 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I'm currently converting the NAT exempt configuration from 8.2 to post-8.3 (9.9).
Is my configuration below correct, and what is the sense of that config where it uses the same interface?
object network OBJ-10.0.0.0-8
subnet 10.0.0.0 255.0.0.0
object network OBJ-10.172.8.224-27
subnet 10.172.8.224 255.255.255.224
nat (inside,inside) source static OBJ-10.0.0.0-8 OBJ-10.0.0.0-8 destination static OBJ-10.172.8.224-27 OBJ-10.172.8.224-27
Honestly, I don't know if it's being used or not, or the purpose of that config, but I don't see any hit counts:
FW# sh access-list NO-NAT | i 10.172.8.224 255.255.255.224
access-list NO-NAT line 29 extended permit ip 10.0.0.0 255.0.0.0 10.172.8.224 255.255.255.224 (hitcnt=0) 0x43592b78
I'm just trying to migrate everything from 8.2 to post-8.3.
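The conversion done by hand above can be mechanised. The script below is an added example for this thread, not code from the poster or from Cisco: it parses 8.2-style `nat (iface) 0 access-list NAME` statements together with the ACL's `permit ip` entries and emits the post-8.3 network objects plus identity twice-NAT lines, using the `OBJ-<network>-<prefix>` naming convention from the question. The sample input is the configuration quoted in the question. The egress interface defaults to the ingress interface, matching the `(inside,inside)` choice made in the question; the ASA's own 8.3 upgrade uses `any` there, so it is exposed as a parameter. The handling of /32 entries as `host` objects is an assumption of this example, as is the `skipped` list for lines the parser does not understand.

```python
import re

# Constructed sample: the 8.2 NAT-exemption configuration quoted in the question.
OLD_CONFIG = """
access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.172.8.224 255.255.255.224
nat (inside) 0 access-list NO-NAT
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
HOST_MASK = "255.255.255.255"


def mask_to_prefix(mask):
    """Dotted-quad netmask -> prefix length (255.255.255.224 -> 27)."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def obj_name(net, mask):
    """Object naming convention used in the question: OBJ-<network>-<prefix>."""
    return f"OBJ-{net}-{mask_to_prefix(mask)}"


def convert_nat_exempt(config, egress_iface=None):
    """Turn 'nat (iface) 0 access-list X' plus X's permit-ip ACEs into
    post-8.3 network objects and identity twice-NAT statements.

    egress_iface defaults to the ingress interface (the choice made in the
    question); the ASA's own 8.3 upgrade emits 'any' instead.
    Only 'permit ip <net> <mask> <net> <mask>' ACEs are handled; other lines
    are returned in 'skipped' so they can be reviewed by hand.
    """
    aces = {}      # ACL name -> [(src, smask, dst, dmask), ...]
    nat0 = []      # [(ingress interface, ACL name), ...]
    skipped = []
    for raw in config.strip().splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            aces.setdefault(m[1], []).append(m.groups()[1:])
        elif m := NAT0_RE.match(line):
            nat0.append((m[1], m[2]))
        elif line:
            skipped.append(line)

    objects = {}   # name -> (net, mask); dict keeps first-seen order
    nat_lines = []
    for iface, acl in nat0:
        for src, smask, dst, dmask in aces.get(acl, []):
            s, d = obj_name(src, smask), obj_name(dst, dmask)
            objects.setdefault(s, (src, smask))
            objects.setdefault(d, (dst, dmask))
            out = egress_iface or iface
            # Identity NAT: each object translates to itself, so addresses are
            # preserved exactly as the 8.2 exemption did.
            nat_lines.append(
                f"nat ({iface},{out}) source static {s} {s} destination static {d} {d}"
            )

    obj_lines = []
    for name, (net, mask) in objects.items():
        obj_lines.append(f"object network {name}")
        # Assumption of this example: a /32 ACE becomes a host object.
        obj_lines.append(f" host {net}" if mask == HOST_MASK else f" subnet {net} {mask}")
    return obj_lines + nat_lines, skipped


if __name__ == "__main__":
    lines, skipped = convert_nat_exempt(OLD_CONFIG)
    print("\n".join(lines))
    if skipped:
        print("! unhandled lines:", *skipped, sep="\n! ")
```

Run against the quoted configuration it reproduces the two `object network` definitions and the `nat (inside,inside) source static ... destination static ...` line from the question, which makes it easy to diff a large hand-written migration against a generated one.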
01-11-2019 02:30 AM
It's been a while since I have worked with 8.2, but you could try to use the command show nat (use ? after nat to see if you can specify the IP or subnet). If supported, this will give you a hit count on the NAT statement.
By the looks of it, this is a NAT for inter-VLAN traffic, since inside is specified as source and destination interface. Are both these subnets on your LAN? If so, then this command is no longer needed. In 8.2 you have a command nat-control which forces you to have NAT statements to allow traffic through the ASA. As of 8.3 this is disabled by default, and in newer versions it has been removed completely. Check if nat-control is configured with show run nat-control and/or show run | in nat-control.
As for your converted nat configuration, this is correct.
01-11-2019 02:49 AM
I see that there's no hit count:
FW# sh nat | beg 10.172.8.224
match ip inside 10.0.0.0 255.0.0.0 outside 10.172.8.224 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0
FW# sh run nat-control
no nat-control
Can you elaborate on the use of nat-control in 8.2?
I think that the command is not needed, I'm just not sure why it was configured in the first place. 10.172.8.224 is on the internal LAN.
01-14-2019 05:46 AM
If you have nat-control enabled, you are required to have NAT statements for all traffic passing through the ASA. This was supposed to be an extra security feature. I think it was in version 8.4 that this command was removed.