10-17-2014 12:16 AM - edited 03-11-2019 09:57 PM
Hi,
I face a problem regarding the NAT configuration. When I gave the command
nat-control
it gives an error:
ciscoasa(config)# nat-control
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.
Please resolve this issue. I am also sending the sh version output below.
ciscoasa(config)# sh version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
ciscoasa up 17 mins 53 secs
Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 00ab.cd92.5200, irq 0
1: Ext: GigabitEthernet1 : address is 00ab.cd92.5201, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab80.9802, irq 0
3: Ext: GigabitEthernet3 : address is 0000.ab1e.5c03, irq 0
4: Ext: GigabitEthernet4 : address is 0000.ab78.3a04, irq 0
5: Ext: GigabitEthernet5 : address is 0000.ab58.eb05, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Disabled perpetual
VPN-3DES-AES : Disabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 5000 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: 123456789AB
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x0
Configuration last modified by enable_15 at 07:08:48.239 UTC Fri Oct 17 2014
Thanks and Regards
navaz
10-17-2014 12:31 AM
Hi,
This command was only supported in software levels 8.2 and below. Since software level 8.3 the ASAs have had a new NAT configuration format and in that instance also this command has been removed.
So in short you cannot use this command anymore because you are already running a newer software level.
- Jouni
10-17-2014 12:35 AM
Can you send me the new configuration of the firewall, please?
10-17-2014 12:41 AM
Hi,
I am not sure what you mean? If you mean a replacing command for this then there is none. The whole concept of NAT Control has been removed.
If you mean information about the new configuration format then you should have a look at the ASA Configurations Guide and Command Reference that can be found online.
You can read some about the new NAT configuration format from a document I wrote in 2013 that can be found here
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
You can also check this document which provides examples comparing the same NAT configuration in the old format and in the new format
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
- Jouni
10-17-2014 12:45 AM
No, I don't want to replace it with the old NAT. I just have the new firewall and want traffic from outside to DMZ and DMZ to inside.
10-17-2014 12:49 AM
Hi,
Your original question was with regards to the ERROR message that the ASA gave. This was due to using an old command that is not supported in your ASA's software.
For us to be able to help you at all with any possible configurations or configuration tasks we would need specific information about what you are attempting to do. The above explanation does not tell me anything.
- Jouni
10-17-2014 01:00 AM
10-17-2014 03:19 AM
Hi,
Are you using the DMZ proxy server on all the clients manually so that they send the traffic there?
If yes, I think you only need a Dynamic NAT on the ASA device from DMZ to the Outside.
For communication between DMZ and Outside, you would need a Static NAT on the ASA device.
For communication between DMZ and inside, you shouldn't need any NAT statements.
You can refer to this document for more details:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html
Let me know if you have any queries.
Thanks and Regards,
Vibhor Amrodia
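The NAT layout described in the reply above, written in the 8.3+ object NAT format as an added example (not posted by anyone in this thread). The interface names (inside, dmz, outside), object and ACL names, and all addresses are assumptions chosen for illustration; the pre-8.3 equivalents are shown as comments for comparison.

```cisco
! Added example, constructed values: DMZ = 192.168.10.0/24, proxy = 192.168.10.10,
! public address for the proxy = 203.0.113.10 (documentation range).

! --- Dynamic PAT: DMZ hosts going out to the Internet ---
! pre-8.3:  nat (dmz) 1 192.168.10.0 255.255.255.0
!           global (outside) 1 interface
object network DMZ-NET
 subnet 192.168.10.0 255.255.255.0
 nat (dmz,outside) dynamic interface

! --- Static NAT: publish the DMZ proxy to the outside ---
! pre-8.3:  static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
object network DMZ-PROXY
 host 192.168.10.10
 nat (dmz,outside) static 203.0.113.10

! --- Outside -> DMZ: NAT alone does not permit the traffic ---
! From 8.3 on, the ACL matches the REAL (untranslated) address of the server,
! not the mapped address as it did before 8.3.
access-list OUTSIDE-IN extended permit tcp any object DMZ-PROXY eq 443
access-group OUTSIDE-IN in interface outside

! --- DMZ -> inside: no NAT statement needed ---
! With nat-control gone, the absence of a NAT rule no longer blocks traffic.
! Access from the lower-security DMZ to inside is decided by the ACL only,
! so permit just the required flow (inside host 10.1.1.20 is an assumption).
access-list DMZ-IN extended permit tcp object DMZ-PROXY host 10.1.1.20 eq 8080
access-list DMZ-IN extended deny ip any 10.1.1.0 255.255.255.0
access-list DMZ-IN extended permit ip any any
access-group DMZ-IN in interface dmz
```

After applying a configuration like this, `show nat detail` and `packet-tracer` can be used on the ASA to confirm which NAT rule and ACL entry a given flow matches.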
10-19-2014 10:29 PM