06-11-2013 12:48 PM - edited 03-11-2019 06:56 PM
Hi, can anyone who has migrated from pre-8.3 to post-8.3 help me translate the config below to post-8.3, please?
I am kind of stuck on it. I know the object groups will remain the same; I just need the conversion of the ACL below. Thank you in advance.
nat (inside) 1 access-list NAT
global (outside) 1 8.233.146.17 netmask 255.255.255.255
access-list NAT extended permit ip object-group NAT-Permits any
access-list NAT extended permit ip object-group INSIDE object-group HOT-Zone1
access-list NAT extended permit tcp object-group INSIDE any object-group TCP-Port-Permit
access-list NAT extended permit udp object-group INSIDE any object-group UDP-Port-Permit
06-11-2013 01:01 PM
Hi,
I would need to know the TCP/UDP ports and the networks under the "object-group" to give you the exact configuration.
First thing you need to notice is the fact that you need several NAT statements to configure the above. And depending on the amount of services in the "object-group service" you might need many more NAT configurations, since you can't use "object-group service" in the new NAT configurations.
But to give you an example, it might look something like this:
8.2 NAT FORMAT
nat (inside) 1 access-list NAT
global (outside) 1 8.233.146.17 netmask 255.255.255.255
access-list NAT extended permit ip object-group NAT-Permits any
8.3+ NAT FORMAT
object network NAT-IP
host 8.233.146.17
object-group network NAT-Permits
network-object
network-object
network-object
nat (inside,outside) after-auto source dynamic NAT-Permits NAT-IP
8.2 NAT FORMAT
nat (inside) 1 access-list NAT
global (outside) 1 8.233.146.17 netmask 255.255.255.255
access-list NAT extended permit ip object-group INSIDE object-group HOT-Zone1
8.3+ NAT FORMAT
object network NAT-IP
host 8.233.146.17
object-group network INSIDE
network-object
network-object
network-object
object-group network HOT-Zone1
network-object
network-object
network-object
nat (inside,outside) source dynamic INSIDE NAT-IP destination static HOT-Zone1 HOT-Zone1
8.2 NAT FORMAT
nat (inside) 1 access-list NAT
global (outside) 1 8.233.146.17 netmask 255.255.255.255
access-list NAT extended permit tcp object-group INSIDE any object-group TCP-Port-Permit
access-list NAT extended permit udp object-group INSIDE any object-group UDP-Port-Permit
8.3+ NAT FORMAT
object network NAT-IP
host 8.233.146.17
object-group network INSIDE
network-object
network-object
network-object
object service SMTP
service tcp destination eq 25
object service DNS
service udp destination eq 53
nat (inside,outside) source dynamic INSIDE NAT-IP service SMTP SMTP
nat (inside,outside) source dynamic INSIDE NAT-IP service DNS DNS
The above NAT configurations are examples. In general you should take the rest of the whole configuration into consideration when doing this, because there are chances that they might need minor alterations so they don't conflict with something else.
Hope this helps
Please remember to mark the reply as the correct answer if it answered your question.
Ask more if needed
- Jouni
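As an added illustration (not part of Jouni's answer and not a Cisco migration tool), the following Python script applies the pattern above mechanically to the four ACL lines from the question: the old "global" host becomes a network object, each "permit ip" ACE becomes one manual NAT line, and each "permit tcp/udp ... object-group" ACE is expanded into one "object service" plus one "nat" line per port, since "object-group service" cannot be used in the 8.3+ nat command. The member ports of TCP-Port-Permit and UDP-Port-Permit are constructed placeholders, because the question does not list them.

```python
"""Expand the 8.2 ACL-based policy NAT from this thread into 8.3+ manual NAT lines,
following the pattern in Jouni's answer.  Added helper, not Cisco code or an
official migration tool: it handles only the three ACE shapes seen above, and the
service-group contents below are constructed because the poster did not list them."""
import re

SERVICE_GROUPS = {                 # constructed: object-group service members
    "TCP-Port-Permit": ("tcp", [25, 443]),
    "UDP-Port-Permit": ("udp", [53, 123]),
}
ACE = re.compile(r"access-list \S+ extended permit (?P<proto>\S+) object-group (?P<src>\S+) "
                 r"(?P<dst>any|object-group \S+)(?: object-group (?P<svc>\S+))?$")

def convert(ace, mapped="NAT-IP", ifaces="inside,outside", after_auto=False):
    """Return the 8.3+ lines for one 8.2 ACE.  mapped is the network object holding
    the old 'global' address; after_auto places the rule in NAT Section 3."""
    m = ACE.match(ace.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {ace}")
    proto, src, dst, svc = m.group("proto", "src", "dst", "svc")
    head = f"nat ({ifaces}) {'after-auto ' if after_auto else ''}source dynamic {src} {mapped}"
    if svc is None and dst == "any":
        return [head]                                    # plain dynamic PAT of the group
    if svc is None:
        grp = dst.split()[1]                             # policy NAT keyed on destination
        return [f"{head} destination static {grp} {grp}"]
    l4, ports = SERVICE_GROUPS[svc]
    if l4 != proto:
        raise ValueError(f"{svc} is {l4} but the ACE says {proto}")
    lines = []
    for port in ports:   # object-group service is not accepted here: one object + nat per port
        name = f"{l4.upper()}-{port}"
        lines += [f"object service {name}", f" service {l4} destination eq {port}",
                  f"{head} service {name} {name}"]
    return lines

def convert_all(aces, **kw):
    return [line for ace in aces for line in convert(ace, **kw)]

# The poster's ACL, verbatim from the question.
OLD_ACL = [
    "access-list NAT extended permit ip object-group NAT-Permits any",
    "access-list NAT extended permit ip object-group INSIDE object-group HOT-Zone1",
    "access-list NAT extended permit tcp object-group INSIDE any object-group TCP-Port-Permit",
    "access-list NAT extended permit udp object-group INSIDE any object-group UDP-Port-Permit",
]

if __name__ == "__main__":
    print("object network NAT-IP\n host 8.233.146.17")   # replaces the old 'global' line
    print("\n".join(convert_all(OLD_ACL)))
```

Replace SERVICE_GROUPS with the real members of your service groups before running it against your own ACL; the object-group network definitions carry over unchanged, as the question already notes.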
06-11-2013 01:27 PM
You made my life easy, although configuring an object service for each service is going to ruin my life, since there are just too many ports.
I will alter my configuration according to your examples by populating the object groups.
And I will revert back on the same thread if I face any difficulty. Though it's a big ASA I am going to migrate in steps, but as soon as I encounter an issue I will seek help here.
Thanks a lot.
06-11-2013 01:34 PM
Hi,
Yes, the amount of NAT configuration needed when you specify separate TCP/UDP ports will be huge if you have several ports involved.
Let me say that I am still a bit hesitant in suggesting the above configurations, as you always have to take into account the whole old NAT configuration so you can make sure that the ASA behaves exactly the same on the new software version.
I always start by looking through the old NAT configuration about to be migrated and start out removing any useless NAT configurations. In some environments there are several of these, since "nat-control" might have been active on the old firewall.
Then I separate the NAT configurations based on their type. I gather the basic Dynamic PAT and Dynamic NAT configurations and Static NAT and Static PAT configurations. For those you can easily configure the needed new NAT format configurations.
Next I usually go through all the Policy NAT/PAT type configurations and NAT0 configurations.
I guess you could always take a look at a document I made here on the CSC with some basic information about the new 8.3+ NAT format:
https://supportforums.cisco.com/docs/DOC-31116
And naturally ask more here on the forums if you run into some problems with the NAT behaviour after migration.
- Jouni
06-14-2013 04:55 PM
Hello,
Any idea why static NAT is not triggering?
I created a static NAT:
object network obj-static-public-10.20.6.113
host 10.20.6.113
nat (inside,outside) static 38.107.33.33
but instead of the static mapping happening, this rule is triggering:
nat (inside,outside) source dynamic INSIDE NAT-IP destination static HOT-Zone1 HOT-Zone1
Note: the destination I am trying to access is part of HOT-Zone1.
But shouldn't static NAT be the winner?
06-14-2013 06:06 PM
OK, I was able to understand it's happening because object-based static NAT (aka Auto NAT) has lower preference than manual static NAT.
So I configured this one:
object network obj-static-local-10.20.6.113
host 10.20.6.113
object network obj-static-public-38.107.33.33
host 38.107.33.33
nat (inside,outside) source static obj-static-local-10.20.6.113 obj-static-public-38.107.33.33
and it still didn't work.
Then I came to know I need to make this entry at sequence number 1, since it was still beneath the HOT-Zone1 rule, as checked by the command sh nat interface inside detail.
And now it looks like I am on track? I think so, lolz. Don't know what challenge is going to come next.
Now static NAT is always preferred over dynamic, at last.
06-15-2013 03:17 AM
Hi,
This is the reason we should have a look at the whole old/original NAT configuration to determine how we should configure the new NAT.
In the older software you only had the set ways of configuring both Dynamic and Static type NAT configurations. Now you have a couple of different ways to configure them and even a way to determine the priority differently.
I personally configure Static NAT with the Network Object NAT.
If I have a configuration like yours, Dynamic Policy PAT for certain destination services, then I need to know whether this should always apply (then it would be in Section 1 with Manual NAT / Twice NAT) or whether a Static NAT should override it for a certain host (then it would be located in Section 3 by using "after-auto" in the Manual NAT / Twice NAT configuration).
I can only give you configurations for the old configurations you provide. As I have said, I don't know if these will be the ideal configurations for your setup since I can't see the whole original setup. While we could convert the rules in a way that keeps the old logic of NAT rule ordering, I find that I get a cleaner NAT configuration (at least for my eye) by doing things differently.
I would imagine that any ordering problem that you run into can be easily solved by moving NAT configurations around.
The "packet-tracer" command is the greatest tool on the ASA to tell you if traffic is hitting the correct NAT rule. And in case you are migrating to totally new ASA hardware while the original ASA 8.2 is running on some other box, then you can even compare the packet-tracer outputs on both devices and confirm that the NAT configuration is OK/matches.
- Jouni
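To make the ordering discussion in this thread concrete, here is an added toy model (not Cisco's code, and no substitute for packet-tracer) of how an 8.3+ ASA walks its three NAT sections. The 10.20.6.113 and 38.107.33.33 addresses come from the posts above; the contents of object-group INSIDE and HOT-Zone1 and the destination host are constructed. It reproduces the poster's "still didn't work" result and shows both fixes: inserting the manual static rule at line 1, or moving the dynamic PAT into Section 3 with after-auto.

```python
"""Toy model of ASA 8.3+ NAT rule ordering (added for this thread, not Cisco code).
The ASA walks Section 1 (manual/twice NAT), then Section 2 (network object, i.e.
auto NAT), then Section 3 (manual NAT entered with "after-auto"); within a section
the first match wins.  Section 2's own static-before-dynamic ordering is not
modelled because only one rule lives there in these scenarios."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# section: 1 = manual, 2 = auto, 3 = manual after-auto; src/dst: real-address networks
Rule = namedtuple("Rule", "name section src dst")
ANY = [ip_network("0.0.0.0/0")]

def matches(rule, s, d):
    return any(s in n for n in rule.src) and any(d in n for n in rule.dst)

def nat_lookup(rules, src, dst):
    """Name of the first rule matching (src, dst): sections in order 1, 2, 3 and,
    within a section, the line order in which the rules were entered."""
    s, d = ip_address(src), ip_address(dst)
    for section in (1, 2, 3):
        for r in rules:
            if r.section == section and matches(r, s, d):
                return r.name
    return None

# Host and mapped addresses are from the thread; object-group contents are constructed.
INSIDE = [ip_network("10.20.0.0/16")]       # object-group INSIDE (constructed)
HOT_ZONE1 = [ip_network("203.0.113.0/24")]  # object-group HOT-Zone1 (constructed)
HOST = [ip_network("10.20.6.113/32")]
DST = "203.0.113.10"                        # a HOT-Zone1 host (constructed)
DYN_PAT = Rule("dynamic INSIDE NAT-IP destination static HOT-Zone1", 1, INSIDE, HOT_ZONE1)
AUTO_STATIC = Rule("auto NAT static 10.20.6.113 -> 38.107.33.33", 2, HOST, ANY)
MAN_STATIC = Rule("manual static obj-static-local -> obj-static-public", 1, HOST, ANY)

def auto_nat_only():
    # Auto NAT sits in Section 2, so the Section-1 dynamic PAT still wins.
    return nat_lookup([DYN_PAT, AUTO_STATIC], "10.20.6.113", DST)

def manual_static_appended():
    # Same section as the dynamic PAT but entered after it: still shadowed.
    return nat_lookup([DYN_PAT, MAN_STATIC], "10.20.6.113", DST)

def manual_static_at_line_1():
    # What the poster ended up with: the static rule inserted as line 1.
    return nat_lookup([MAN_STATIC, DYN_PAT], "10.20.6.113", DST)

def dynamic_pat_after_auto():
    # Jouni's alternative: move the dynamic PAT to Section 3 so auto NAT wins.
    moved = Rule(DYN_PAT.name + " after-auto", 3, INSIDE, HOT_ZONE1)
    return nat_lookup([moved, AUTO_STATIC], "10.20.6.113", DST)
```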