HELP NO NAT INSIDE--> DMZ ASA FROM 8.2 to 8.3

f.mottini
Level 1

Hi, can you help me?

OLD 8.2

access-list inside_access_in extended permit tcp 10.27.0.0 255.255.0.0 host 192.168.104.157 object-group DM_INLINE_TCP_45

static (inside,DMZ2) 10.27.0.0 10.27.0.0 netmask 255.255.0.0

Host 192.168.104.157 is behind the DMZ2 interface.

This is the no-NAT config for the network 10.27.0.0 that goes from the inside interface to the DMZ host 192.168.104.157.


NEW 8.3

Here is what I see after the translation:


access-list inside_access_in extended permit tcp 10.27.0.0 255.255.0.0 object obj-192.168.104.157 object-group DM_INLINE_TCP_45

access-group inside_access_in in interface inside


object network obj-10.27.0.0
subnet 10.27.0.0 255.255.0.0

object network obj-10.27.0.0
subnet 10.27.0.0 255.255.0.0
nat (inside,DMZ2) static 10.27.0.0

object network obj-192.168.104.157
host 192.168.104.157
nat (DMZ2,outside) static 210.19.8.157

object network obj-192.168.104.157
host 192.168.104.157

I need to know:

1) Is the translation of the config from 8.2 to 8.3 correct?

2) In this object-group DM_INLINE_NETWORK_57, does the network-object refer to the first or the second object network obj-10.27.0.0?
   Must I delete one of the two object network obj-10.27.0.0 entries (in the 8.3 config)?

  object-group network DM_INLINE_NETWORK_57
    network-object 10.32.0.0 255.255.0.0
    network-object 10.49.0.0 255.255.0.0
    network-object 10.47.0.0 255.255.0.0
    network-object 10.55.0.0 255.255.0.0
    network-object 10.27.0.0 255.255.0.0

3) Also for the object obj-192.168.104.157: in the ACL, does the destination obj-192.168.104.157 refer to the first or the second object obj-192.168.104.157? Do I need to delete one of these two network objects obj-192.168.104.157?

Thanks very much. For any question, write to me. Thanks a lot, best regards.

4 Replies

Jitendriya Athavale
Cisco Employee

The translation looks fine.

Are you facing any issues with the translations?

The object groups are created during migration and they need to be present.

Also, I am not sure which ACL you are talking about.

In any case, I think you have trouble understanding the new NAT rules. Here is a doc which will help you by giving a comparative analysis:

https://supportforums.cisco.com/docs/DOC-9129

Thanks,

I want to know which obj-192.168.104.157 the ACL in the 8.3 config uses in the statement, the first or the second?

access-list inside_access_in extended permit tcp 10.27.0.0 255.255.0.0 object obj-192.168.104.157 object-group DM_INLINE_TCP_45

access-group inside_access_in in interface inside

object network obj-192.168.104.157
host 192.168.104.157
nat (DMZ2,outside) static 210.19.8.157

object network obj-192.168.104.157
host 192.168.104.157

Thanks a lot.

Divya Nair
Cisco Employee

You probably have the following static NAT statement in your 8.2 code:

static (DMZ2,outside) 192.168.104.157 210.19.8.157 netmask 255.255.255.255

This would get migrated to:

object network obj-192.168.104.157
host 192.168.104.157
nat (DMZ2,outside) static 210.19.8.157

The inside_access_in access-list is used only for restricting inbound traffic on the inside interface. The NAT in 8.3 does not make use of access-lists.

The two instances each that you see of object network obj-10.27.0.0 and obj-192.168.104.157 are the same - one denotes the network object and the other the auto-nat statement. You need not delete any of the instances.

I hope this answers your query.

-Divya
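As an added example (not code from the thread or from Cisco), a small Python parser that reads the migrated 8.3 fragment quoted above and merges the repeated `object network` blocks the way the ASA does, then resolves the ACL's `object` reference to that single merged object and checks which objects carry identity (no-translation) NAT. The config text in `ASA_83` is constructed from the lines posted in the thread; the function names are my own.

```python
import re

# Constructed input: the migrated 8.3 fragment quoted in the thread, with the
# same object name appearing twice (once with its address, once with its NAT).
ASA_83 = """\
object network obj-10.27.0.0
 subnet 10.27.0.0 255.255.0.0
object network obj-10.27.0.0
 nat (inside,DMZ2) static 10.27.0.0
object network obj-192.168.104.157
 host 192.168.104.157
 nat (DMZ2,outside) static 210.19.8.157
object network obj-192.168.104.157
 host 192.168.104.157
access-list inside_access_in extended permit tcp 10.27.0.0 255.255.0.0 object obj-192.168.104.157 object-group DM_INLINE_TCP_45
"""

def parse_objects(config):
    """Merge every 'object network NAME' block into one entry per NAME.
    This mirrors the ASA: the name is the key, so a second block with the
    same name adds attributes to the existing object, it does not create one."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
            objects.setdefault(current, {})
        elif current and line.startswith(("host ", "subnet ")):
            objects[current]["address"] = line
        elif current and line.startswith("nat "):
            objects[current]["nat"] = line
        else:
            current = None  # any other top-level line ends the object block
    return objects

def acl_object_refs(config, objects):
    """Resolve each 'object NAME' in an access-list line to the merged object
    ('object-group' does not match because the pattern requires a space)."""
    return {name: objects.get(name)
            for line in config.splitlines() if line.startswith("access-list ")
            for name in re.findall(r"\bobject (\S+)", line)}

def is_identity_nat(obj):
    """True when the object's static NAT maps it to its own address, i.e. the
    8.3 form of the 8.2 'static (inside,DMZ2) 10.27.0.0 10.27.0.0' no-NAT entry."""
    if "nat" not in obj or "address" not in obj:
        return False
    return obj["nat"].split()[-1] == obj["address"].split()[1]
```

Running `parse_objects(ASA_83)` yields exactly two objects, and `acl_object_refs` maps the ACL's `object obj-192.168.104.157` to that single object, which is why neither duplicate block needs to be deleted.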

Yes, thanks a lot.
