Create NAT statement ASA 9.1

landgren
Level 1

I need some help in creating a NAT statement, as I am migrating a pre-8.3 migration to 9.1 and am almost done, all except one type of NAT I can't understand exactly.

 

v 8.2

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip 10.38.36.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.38.36.0 255.255.255.0 10.38.37.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.38.36.0 255.255.255.0 10.38.46.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.38.36.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.38.0.0 255.255.0.0 10.38.39.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 194.165.102.1 1
route inside DHCP-pool1 255.255.254.0 10.38.36.1 1
route inside DHCP-pool2 255.255.254.0 10.38.36.1 1
route inside DHCP-pool3 255.255.254.0 10.38.36.1 1
route inside 10.10.37.0 255.255.255.0 10.38.36.1 1
route inside 10.38.0.0 255.255.0.0 10.38.36.1 1

 

 

How should it look in v 9.1? As the access-list has many lines, I thought there is some way I can trim it under an object statement?

Also the NAT statement: I am confused about what it should look like, either NAT (inside,any) or NAT (inside,outside)? I have added the route statements and would appreciate some help on this.

2 Replies

landgren
Level 1

Another one that is pretty hard, which I can't get a grip on, is:

 

static (zones,outside) tcp interface 2507 access-list taxing

access-list taxing extended permit tcp host cannonball eq 2507 object-group grp1

object-group network grp1
 network-object host srv1
 network-object host srv2
 network-object host srv3
 network-object host srv4
 network-object net1 255.255.255.240
 network-object host srv7
 network-object host srv8

Hi,

object network obj-10.38.36.0
 subnet 10.38.36.0 255.255.255.0
object network obj-10.38.0.0
 subnet 10.38.0.0 255.255.0.0
object network obj-192.168.20.0
 subnet 192.168.20.0 255.255.255.0
object network obj-10.38.37.0
 subnet 10.38.37.0 255.255.255.0
object network obj-10.38.46.0
 subnet 10.38.46.0 255.255.255.0
object network obj-192.168.12.0
 subnet 192.168.12.0 255.255.255.0
object network obj-10.38.39.0
 subnet 10.38.39.0 255.255.255.0

For the 1st NAT statement, you have to use the Manual NAT statement:-

Source-Objects:-

object-group network SRC
 network-object object obj-10.38.36.0
 network-object object obj-10.38.0.0
object-group network DEST
 network-object object obj-192.168.20.0
 network-object object obj-192.168.12.0
 network-object object obj-10.38.37.0
 network-object object obj-10.38.46.0
 network-object object obj-10.38.39.0

nat (inside,outside) source static SRC SRC destination static DEST DEST no-proxy-arp

I think you would be able to configure the other NAT and it would be in a similar way as above.

Let me know if you have any issues.

Thanks and Regards,

Vibhor Amrodia
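
An added example, not part of the thread and not Cisco tooling: a small Python converter that turns the `nat (inside) 0 access-list` lines from the question into 8.3+ network objects plus one identity (static) twice-NAT rule per ACL entry, so each source/destination pair stays as narrow as it was in the old ACL instead of being merged into two groups. It assumes NAT exemption carries over as identity NAT; `convert`, `mapped_ifc` and the `obj-<network>` naming are this example's own choices, and `no-proxy-arp` is kept from the reply.

```python
import ipaddress
import re

# Constructed input: the pre-8.3 lines quoted in the question.
OLD_CONFIG = """\
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 10.38.36.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.38.36.0 255.255.255.0 10.38.37.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.38.36.0 255.255.255.0 10.38.46.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.38.36.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.38.0.0 255.255.0.0 10.38.39.0 255.255.255.0
"""

NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")


def convert(config, mapped_ifc="outside"):
    """Return 8.3+ lines: network objects, then one identity NAT rule per ACE.

    mapped_ifc is this example's parameter for the (real,mapped) pair.
    """
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # ACL name -> real interface, taken from "nat (ifc) 0 access-list NAME"
    exempt = {m.group(2): m.group(1) for m in map(NAT0.match, lines) if m}
    objects, rules = {}, []
    for m in filter(None, map(ACE.match, lines)):
        acl, s_ip, s_mask, d_ip, d_mask = m.groups()
        if acl not in exempt:
            continue  # ACL is not used for NAT exemption
        names = []
        for ip, mask in ((s_ip, s_mask), (d_ip, d_mask)):
            # Raises ValueError when host bits are set for the given mask
            net = ipaddress.ip_network(f"{ip}/{mask}")
            name = f"obj-{net.network_address}"
            if objects.setdefault(name, net) != net:
                raise ValueError(f"{name} would name two different subnets")
            names.append(name)
        src, dst = names
        rules.append(f"nat ({exempt[acl]},{mapped_ifc}) source static {src} {src} "
                     f"destination static {dst} {dst} no-proxy-arp")
    out = []
    for name, net in objects.items():
        out += [f"object network {name}", f" subnet {net.network_address} {net.netmask}"]
    return out + rules


if __name__ == "__main__":
    print("\n".join(convert(OLD_CONFIG)))
```

Passing `mapped_ifc="any"` emits the `(inside,any)` form the question asks about; the rest of each rule is unchanged.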
