Cisco ASA Post 8.3 Config help required

ahmad82pkn
Level 2

Hi, can anyone who has migrated from pre-8.3 to post-8.3 help me translate the config below to post-8.3, please?

I am kind of stuck in it. I know the object groups will remain the same; I just need conversion of the ACL below. Thank you in advance.

nat (inside) 1 access-list NAT
global (outside) 1 8.233.146.17 netmask 255.255.255.255
access-list NAT extended permit ip object-group NAT-Permits any
access-list NAT extended permit ip object-group INSIDE object-group HOT-Zone1
access-list NAT extended permit tcp object-group INSIDE any object-group TCP-Port-Permit
access-list NAT extended permit udp object-group INSIDE any object-group UDP-Port-Permit

Jouni Forss
VIP Alumni

Hi,

I would need to know the TCP/UDP ports and the networks under the "object-group" to give you the exact configuration.

The first thing you need to notice is the fact that you need several NAT statements to configure the above. And depending on the amount of services in the "object-group service", you might need many more NAT configurations, since you can't use "object-group service" in the new NAT configurations.

But to give you an example, it might look something like this:

8.2 NAT FORMAT

  • I am a bit hesitant on how to format this first NAT configuration. Configured in another way it might override ANY other NAT configuration for the hosts/networks under "NAT-Permits". The setup below configures it so that it won't override possible Static NAT configurations and such.

nat (inside) 1 access-list NAT
global (outside) 1 8.233.146.17 netmask 255.255.255.255
access-list NAT extended permit ip object-group NAT-Permits any

8.3+ NAT FORMAT

object network NAT-IP
 host 8.233.146.17
object-group network NAT-Permits
 network-object
 network-object
 network-object
nat (inside,outside) after-auto source dynamic NAT-Permits NAT-IP

8.2 NAT FORMAT

nat (inside) 1 access-list NAT
global (outside) 1 8.233.146.17 netmask 255.255.255.255
access-list NAT extended permit ip object-group INSIDE object-group HOT-Zone1

8.3+ NAT FORMAT

object network NAT-IP
 host 8.233.146.17
object-group network INSIDE
 network-object
 network-object
 network-object
object-group network HOT-Zone1
 network-object
 network-object
 network-object
nat (inside,outside) source dynamic INSIDE NAT-IP destination static HOT-Zone1 HOT-Zone1

8.2 NAT FORMAT

nat (inside) 1 access-list NAT
global (outside) 1 8.233.146.17 netmask 255.255.255.255
access-list NAT extended permit tcp object-group INSIDE any object-group TCP-Port-Permit
access-list NAT extended permit udp object-group INSIDE any object-group UDP-Port-Permit

8.3+ NAT FORMAT

  • You will need an "object service" for each service used in the original NAT configuration, and you will then have to make a NAT configuration line for each of those services while using the "object service". Below I use SMTP as an example of a TCP-based service and DNS as a UDP-based service (even though it might use TCP also).

object network NAT-IP
 host 8.233.146.17
object-group network INSIDE
 network-object
 network-object
 network-object
object service SMTP
 service tcp destination eq 25
object service DNS
 service udp destination eq 53
nat (inside,outside) source dynamic INSIDE NAT-IP service SMTP SMTP
nat (inside,outside) source dynamic INSIDE NAT-IP service DNS DNS

The above NAT configurations are example ones. In general you should take into consideration the whole rest of the configuration when making this, because there are chances that they might need minor alterations so they don't conflict with something else.

Hope this helps

Please remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni


You made my life easy, although configuring an object service for each service is going to ruin my life, since there are just too many ports.

I will alter my configuration according to your examples by populating the object groups.

And I will revert back on the same thread if I face any difficulty. Though it's a big ASA, I am going to migrate in steps, but as soon as I encounter an issue I will seek help here.

Thanks a lot.

Hi,

Yes the amount of NAT configuration needed when you specify separate TCP/UDP ports will be huge if you have several ports involved.

Let me say that I am still a bit hesitant in suggesting the above configurations, as you always have to take into account the whole old NAT configuration so you can make sure that the ASA behaves exactly the same on the new software version.

I always start by looking through the old NAT configuration about to be migrated and start out removing any useless NAT configurations. In some environments there are several of these since the "nat-control" might have been active on the old firewall.

Then I separate the NAT configurations based on their type. I gather the basic Dynamic PAT and Dynamic NAT configurations and Static NAT and Static PAT configurations. For those you can easily configure the needed new NAT format configurations.

Next I usually go through all the Policy NAT/PAT type configurations and NAT0 configurations.

I guess you could always take a look at a document I made here on the CSC with some basic information about the new 8.3+ NAT format

https://supportforums.cisco.com/docs/DOC-31116

And naturally ask more here on the forums if you run into some problems with the NAT behaviour after migration.

- Jouni

Hello,

Any idea why static NAT is not triggering?

I created a static NAT:

object network obj-static-public-10.20.6.113
 host 10.20.6.113
 nat (inside,outside) static 38.107.33.33

but instead of the static mapping happening, this rule is triggering:

nat (inside,outside) source dynamic INSIDE NAT-IP destination static HOT-Zone1 HOT-Zone1

Note: the destination I am trying to access is part of HOT-Zone1.

But shouldn't static NAT be the winner?

OK, I was able to understand it's happening because object-based static NAT (aka Auto NAT) has lower preference than manual static NAT.

So I configured this one:

object network obj-static-local-10.20.6.113
 host 10.20.6.113
object network obj-static-public-38.107.33.33
 host 38.107.33.33
nat (inside,outside) source static obj-static-local-10.20.6.113 obj-static-public-38.107.33.33

and it still didn't work.

Then I came to know I need to make this entry sequence number 1, since it was still beneath the HOT-Zone1 rule, as checked by the command sh nat interface inside detail.

And now it looks like I am on track? I think so, lolz. Don't know what challenge is going to come next.

Now static NAT is always preferred over dynamic, at last.

Hi,

This is the reason we should have a look at the whole old/original NAT configuration to determine how we should configure the new NAT.

In the older software you only had the set ways of configuring both Dynamic and Static type NAT configurations. Now you have a couple of different ways to configure them, and even ways to determine the priority differently.

I personally configure Static NAT with the Network Object NAT.

If I have a configuration like yours, Dynamic Policy PAT for certain destination services, then I need to know whether this should always apply (then it would be in Section 1 with Manual NAT / Twice NAT) or whether a Static NAT should override it for certain hosts (then it would be located in Section 3 by using the "after-auto" in the Manual NAT / Twice NAT configuration).

I can only give you configurations for the old configurations you provide. As I have said, I don't know if these will be the ideal configurations for your setup, since I can't see the whole original setup. While we could convert the rules in a way to keep the old logic of NAT rule ordering, I find that I get a cleaner NAT configuration (at least for my eye) by doing things differently.

I would imagine that any ordering problem that you run into can be easily solved by moving NAT configurations around.

The "packet-tracer" command is the greatest tool on the ASA to tell you if traffic is hitting the correct NAT rule. And in case you are migrating to totally new ASA hardware while the original ASA 8.2 is running on some other box, then you can even compare the packet-tracer outputs on both devices and confirm that the NAT configuration is OK/matches.

- Jouni
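The section ordering discussed in this thread, as an added example that is not from the thread or from Cisco: a small Python model of how an ASA 8.3+ picks the first matching NAT rule across Section 1 (manual NAT), Section 2 (object/auto NAT) and Section 3 (manual NAT with "after-auto"), run against the thread's own rules. The member networks of INSIDE and HOT-Zone1 are not given on the page and are constructed here.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass
class Rule:
    name: str
    src: str                 # real (pre-NAT) source host or network
    mapped: str              # translated source address
    manual: bool             # True: manual/twice NAT; False: object (auto) NAT
    dst: str = "0.0.0.0/0"   # destination match (manual NAT only; any by default)
    after_auto: bool = False

    def section(self):
        # Section 1: manual NAT; 2: object NAT; 3: manual NAT with "after-auto"
        return (3 if self.after_auto else 1) if self.manual else 2

    def matches(self, src, dst):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src) and
                ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))

def lookup(rules, src, dst):
    # First match wins: lower section first, then configured (list) order.
    # The intra-section-2 ordering (static before dynamic, longest prefix) is
    # left out because only one object NAT rule is modelled here.
    for r in sorted(rules, key=lambda r: r.section()):   # sorted() is stable
        if r.matches(src, dst):
            return r.name, r.mapped
    return "no-nat", src

# Constructed member networks; the page does not list the object-group contents.
INSIDE, HOT_ZONE1 = "10.20.0.0/16", "192.0.2.0/24"
POLICY_PAT = Rule("dyn INSIDE->NAT-IP dst HOT-Zone1", INSIDE, "8.233.146.17",
                  manual=True, dst=HOT_ZONE1)
AUTO_STATIC = Rule("auto static 10.20.6.113", "10.20.6.113/32", "38.107.33.33",
                   manual=False)

def as_posted():
    # Section 1 policy PAT beats the section 2 object NAT toward HOT-Zone1.
    return lookup([POLICY_PAT, AUTO_STATIC], "10.20.6.113", "192.0.2.10")

def with_after_auto():
    # "after-auto" pushes the policy PAT to section 3; the object static NAT wins.
    return lookup([replace(POLICY_PAT, after_auto=True), AUTO_STATIC],
                  "10.20.6.113", "192.0.2.10")

def with_manual_static_first():
    # The poster's fix: a manual static NAT inserted at sequence 1 in section 1.
    manual_static = Rule("manual static 10.20.6.113", "10.20.6.113/32",
                         "38.107.33.33", manual=True)
    return lookup([manual_static, POLICY_PAT], "10.20.6.113", "192.0.2.10")
```

Running `as_posted()` reproduces the symptom from the thread (the host is PATed to 8.233.146.17), while the other two functions show the two ways the thread resolves it; on a real box, packet-tracer gives the same answer for the live configuration.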
