Convert ACL, NAT from ASA 8.2 to 8.4

I got a new ASA running version 8.4. I am not able to convert the below-mentioned config from version 8.2. Can anyone help with this?

global (outside) 1 interface
nat (inside) 0 access-list Permit
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3397 192.168.0.22 3397 netmask 255.255.255.255
static (inside,outside) tcp interface 900 192.168.0.22 900 netmask 255.255.255.255
static (inside,outside) tcp interface 1024 192.168.0.22 1024 netmask 255.255.255.255

3 Replies

Jouni Forss
VIP Alumni

Hi,

To determine the correct corresponding NAT0 configuration we would need to see the contents of the "access-list" named "Permit"

The other configurations are as follows

Static PAT (Port Forward)

object network TCP3397
 host 192.168.0.22
 nat (inside,outside) static interface service tcp 3397 3397

object network TCP900
 host 192.168.0.22
 nat (inside,outside) static interface service tcp 900 900

object network TCP1024
 host 192.168.0.22
 nat (inside,outside) static interface service tcp 1024 1024

Dynamic PAT

nat (inside,outside) after-auto source dynamic any interface

As I said before, for NAT0 we need to see the ACL configurations

Since the NAT is different, you would have to allow the above traffic with the following ACL, for example:

access-list OUTSIDE-IN remark Allow Static PAT services
access-list OUTSIDE-IN permit tcp any object TCP3397 eq 3397
access-list OUTSIDE-IN permit tcp any object TCP900 eq 900
access-list OUTSIDE-IN permit tcp any object TCP1024 eq 1024
access-group OUTSIDE-IN in interface outside

Naturally, if you have an existing ACL attached to "outside", then add the rules to that ACL if needed.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Thanks for your reply. Can you please explain the NAT0?

access-list Permit extended permit ip any 192.168.1.0 255.255.255.0
access-list Permit extended permit ip any 192.168.10.0 255.255.255.0

Hi,

According to that, you have remote networks 192.168.1.0/24 and 192.168.10.0/24. They might be a VPN Client pool or an L2L VPN remote network; I don't know which.

You have specified "any" as the source, which I would avoid in the network configurations.

If your LAN network is only 192.168.0.0/24, then you could configure this:

object network LAN
 subnet 192.168.0.0 255.255.255.0

object-group network VPN-NETWORKS
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static VPN-NETWORKS VPN-NETWORKS

If you have other networks, then we will need to change the above configuration a bit.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni
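The two replies above describe one mechanical translation: 8.2 `static` port forwards become object NAT, the `nat`/`global` pair becomes an `after-auto` dynamic PAT, and `nat 0 access-list` becomes an identity twice-NAT rule built from the ACL's destinations. The script below is an added example, not code from the thread or from Cisco, that applies those same rules to the posted 8.2 lines (embedded here as constructed sample input) and emits the 8.4 equivalents in the order the ASA evaluates them (twice NAT, then object NAT, then after-auto). Two points from the replies are enforced rather than assumed: the real LAN subnet must be supplied by the caller because an ACL source of `any` does not say which network is exempt, and a NAT0 ACL whose source is neither `any` nor that LAN is rejected for manual conversion. The `nat0_mapped_if` parameter, the object names, and the regular expressions are assumptions for this illustration.

```python
import re

# Constructed sample input: the 8.2 lines posted in the thread plus the two
# "Permit" ACL lines from the follow-up. Not a live device dump.
OLD_CONFIG = """\
global (outside) 1 interface
nat (inside) 0 access-list Permit
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3397 192.168.0.22 3397 netmask 255.255.255.255
static (inside,outside) tcp interface 900 192.168.0.22 900 netmask 255.255.255.255
static (inside,outside) tcp interface 1024 192.168.0.22 1024 netmask 255.255.255.255
access-list Permit extended permit ip any 192.168.1.0 255.255.255.0
access-list Permit extended permit ip any 192.168.10.0 255.255.255.0
"""

# 8.2 forms handled here (assumed patterns): static PAT to "interface",
# "nat 0 access-list", a nat/global pair for dynamic PAT, and the plain
# "permit ip" ACL entries that NAT0 points at. Anything else is ignored.
RE_STATIC_PAT = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask 255\.255\.255\.255$")
RE_NAT0 = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)$")
RE_NAT_DYN = re.compile(r"^nat \((\w+)\) ([1-9]\d*) 0\.0\.0\.0 0\.0\.0\.0$")
RE_GLOBAL = re.compile(r"^global \((\w+)\) (\d+) interface$")
RE_ACL = re.compile(r"^access-list (\S+) extended permit ip (any|\S+ \S+) (\S+) (\S+)$")


def parse_82(text):
    """Collect the 8.2 NAT statements and ACL entries into plain structures."""
    cfg = {"static": [], "nat0": [], "dyn": [], "global": {}, "acl": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_STATIC_PAT.match(line):
            # 8.2 order: mapped interface/IP/port first, then the real IP/port
            real_if, mapped_if, proto, mapped_ip, mport, real_ip, rport = m.groups()
            cfg["static"].append(dict(real_if=real_if, mapped_if=mapped_if, proto=proto,
                                      mapped_ip=mapped_ip, mport=mport,
                                      real_ip=real_ip, rport=rport))
        elif m := RE_NAT0.match(line):
            cfg["nat0"].append(m.groups())            # (real_if, acl name)
        elif m := RE_NAT_DYN.match(line):
            cfg["dyn"].append(m.groups())             # (real_if, nat-id)
        elif m := RE_GLOBAL.match(line):
            cfg["global"][m.group(2)] = m.group(1)    # nat-id -> mapped interface
        elif m := RE_ACL.match(line):
            cfg["acl"].setdefault(m.group(1), []).append(m.groups()[1:])  # (src, dst, mask)
    return cfg


def convert(text, lan_subnet, nat0_mapped_if="outside"):
    """Return 8.4-style lines. lan_subnet ("192.168.0.0 255.255.255.0") must be
    given because an 8.2 NAT0 ACL with source "any" does not name the real
    network being exempted, and 8.4 twice NAT needs an explicit real object.
    nat0_mapped_if is an assumption: 8.2 "nat 0 access-list" names only the
    real interface, so the mapped side is supplied by the caller."""
    cfg = parse_82(text)
    out = []
    # 1. NAT exemption -> identity twice NAT (Section 1, evaluated first)
    for real_if, acl in cfg["nat0"]:
        out += ["object network LAN", f" subnet {lan_subnet}", "object-group network VPN-NETWORKS"]
        for src, dst_ip, dst_mask in cfg["acl"].get(acl, []):
            if src not in ("any", lan_subnet):
                raise ValueError(f"ACL {acl} source {src} is not the LAN; convert by hand")
            out.append(f" network-object {dst_ip} {dst_mask}")
        out.append(f"nat ({real_if},{nat0_mapped_if}) source static LAN LAN "
                   "destination static VPN-NETWORKS VPN-NETWORKS")
    # 2. static PAT -> object NAT (Section 2); object names mirror the thread's
    for s in cfg["static"]:
        name = f"{s['proto'].upper()}{s['mport']}"
        out += [f"object network {name}", f" host {s['real_ip']}",
                f" nat ({s['real_if']},{s['mapped_if']}) static {s['mapped_ip']} "
                f"service {s['proto']} {s['rport']} {s['mport']}"]
    # 3. nat/global dynamic PAT -> after-auto (Section 3, evaluated last)
    for real_if, nat_id in cfg["dyn"]:
        mapped_if = cfg["global"].get(nat_id)
        if mapped_if:
            out.append(f"nat ({real_if},{mapped_if}) after-auto source dynamic any interface")
    # 4. 8.3+ ACLs match real (un-translated) addresses, so permit to the object
    if cfg["static"]:
        out.append("access-list OUTSIDE-IN remark Allow Static PAT services")
        for s in cfg["static"]:
            out.append(f"access-list OUTSIDE-IN permit {s['proto']} any object "
                       f"{s['proto'].upper()}{s['mport']} eq {s['rport']}")
        out.append(f"access-group OUTSIDE-IN in interface {cfg['static'][0]['mapped_if']}")
    return out


if __name__ == "__main__":
    print("\n".join(convert(OLD_CONFIG, "192.168.0.0 255.255.255.0")))
```

Run it as-is to see the full 8.4 block for the posted configuration; change the LAN argument to your real inside subnet before pasting anything into a device, and check the emitted lines against `show nat detail` afterwards to confirm the sections landed in the intended order.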
