07-20-2009 08:34 AM - edited 03-11-2019 08:57 AM
So I'm finally migrating my PIX 520 to an ASA. My platform was too old to qualify for the upgrade tool, so I'm training myself on the GUI as I manually migrate my config over.
We used to do clear translations on the PIX between inside and the DMZ. Is there an equivalent on the ASA? Is that the translation exemption rule?
JM
07-20-2009 12:34 PM
Clear xlate will clear all the translations. If you want to be more specific, you can do a clear xlate interface
07-20-2009 01:16 PM
I'm not talking about clearing the translations, but a "clear translation"...for example:
static (inside,DMZ) 10.1.25.0 10.1.25.0 netmask 255.255.255.0 0 0
The goal of this is to not have to do real NAT translations between the DMZ and the inside.
Hope that makes more sense.
07-20-2009 05:11 PM
Gotcha. The clear xlate in your title is what threw me off.
At any rate, you still have to do that on the ASA.
07-21-2009 02:59 AM
That's NOT correct. The answer is, like everything else in life, "it depends".
Let's say you just use the ASA just like a router. In other words, there is no NAT between inside and outside and inside and dmz, your first option is this:
no nat-control (which is enabled by default on the ASA or Pix 7.x anyway)
However, if you have something like this:
nat (inside) 1 0 0
global (outside) 1 interface
When you do this, you will immediately revert the ASA code, in terms of NAT, back to the 6.3.x code. Therefore, if you want to go from inside to dmz, then what deyster94 stated is correct.
Confusing, isn't it?
07-21-2009 06:43 AM
Ok, well I still want my natting from Inside->Outside and DMZ->Outside.
I'm looking for clear translations between the Inside->DMZ and I still want the firewalling in place Inside=100 DMZ=50.
Is this still accomplished with the static statements or is there a new way? The whole reason I ask is I'm using the GUI and don't see the way to do it. Unless I just feed it in Configuration->Nat->Add Address Translation Rule and pick "same address"?
07-21-2009 06:45 AM
It's still accomplished with the static statement. You can do it in the GUI, but if you are comfortable with using the CLI, I would do it that way.
07-21-2009 07:07 AM
Yeah, I'm a command line guy at heart, but last time I tried an import from a newer PIX into an ASA there were lines in CLI that I could never find displayed in ASDM. Now either I just could never find where they were displayed, or not all the commands were supported in ASDM yet.
Either way, it made me a little hesitant in switching back and forth between CLI and the GUI. Since I've got to let others touch this firewall, we're going GUI :)
Thanks for the info!
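A check for the manual migration discussed in this thread, added here as an example and not posted by any participant: it lists the identity ("same address") static statements that exist in the old PIX config but are absent from the new ASA config. Apart from the 10.1.25.0 static quoted above, the config excerpts are constructed, and only the plain `static (if,if) addr addr netmask mask` form shown in the thread is parsed.

```python
import re

# Plain form used in the thread:
#   static (real_if,mapped_if) mapped_ip real_ip [netmask mask] [conn limits]
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?"
)

def identity_statics(config_text):
    """Return {(real_if, mapped_if, address, mask)} for statics mapping an address to itself."""
    found = set()
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m["mapped"] == m["real"]:
            # No netmask keyword means a single-host entry.
            mask = m["mask"] or "255.255.255.255"
            found.add((m["real_if"], m["mapped_if"], m["real"], mask))
    return found

def missing_after_migration(old_config, new_config):
    """Identity statics present in the old config but not in the new one."""
    return sorted(identity_statics(old_config) - identity_statics(new_config))

# Constructed sample configs (trailing "0 0" connection limits as in the PIX line above).
OLD_PIX = """
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
static (inside,DMZ) 10.1.25.0 10.1.25.0 netmask 255.255.255.0 0 0
static (inside,DMZ) 10.1.30.5 10.1.30.5 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.0.2.10 172.16.1.10 netmask 255.255.255.255 0 0
"""
NEW_ASA = """
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,DMZ) 10.1.25.0 10.1.25.0 netmask 255.255.255.0
static (DMZ,outside) 192.0.2.10 172.16.1.10 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for real_if, mapped_if, addr, mask in missing_after_migration(OLD_PIX, NEW_ASA):
        print(f"missing: static ({real_if},{mapped_if}) {addr} {addr} netmask {mask}")
```

Run it against the saved `show running-config` output from both devices; anything it reports is an inside-to-DMZ exemption that was not carried over, whether it was entered through the CLI or the GUI.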