09-21-2010 07:30 AM - edited 03-11-2019 11:43 AM
Hi, can you help me?
OLD 8.2
access-list inside_access_in extended permit tcp 10.27.0.0 255.255.0.0 host 192.168.104.157 object-group DM_INLINE_TCP_45
static (inside,DMZ2) 10.27.0.0 10.27.0.0 netmask 255.255.0.0
Host 192.168.104.157 is behind the DMZ2 interface.
This is the no-NAT config for the network 10.27.0.0 that goes from the inside interface to the DMZ host 192.168.104.157.
NEW 8.3
Here is what I see after translation:
access-list inside_access_in extended permit tcp 10.27.0.0 255.255.0.0 object obj-192.168.104.157 object-group DM_INLINE_TCP_45
access-group inside_access_in in interface inside
object network obj-10.27.0.0
subnet 10.27.0.0 255.255.0.0
object network obj-10.27.0.0
subnet 10.27.0.0 255.255.0.0
nat (inside,DMZ2) static 10.27.0.0
object network obj-192.168.104.157
host 192.168.104.157
nat (DMZ2,outside) static 210.19.8.157
object network obj-192.168.104.157
host 192.168.104.157
I need to know:
1) Is the translation of the config from 8.2 to 8.3 correct?
2) In the object-group DM_INLINE_NETWORK_57 below, does the network-object refer to the first or the second object network obj-10.27.0.0?
Must I delete one of the two object network obj-10.27.0.0 entries (in the 8.3 config)?
object-group network DM_INLINE_NETWORK_57
network-object 10.32.0.0 255.255.0.0
network-object 10.49.0.0 255.255.0.0
network-object 10.47.0.0 255.255.0.0
network-object 10.55.0.0 255.255.0.0
network-object 10.27.0.0 255.255.0.0
3) Likewise for the object obj-192.168.104.157: in the ACL, does the destination obj-192.168.104.157 refer to the first or the second object obj-192.168.104.157? Do I need to delete one of these two network objects obj-192.168.104.157?
Thanks very much. For any question, write to me. Thanks a lot, best regards.
09-21-2010 09:45 AM
The translation looks to be fine.
Are you facing any issues with the translations?
The object groups are created during migration and they need to be present.
Also, I am not sure which ACL you are talking about.
In any case, I think you have trouble understanding the new NAT rules; here is a doc which will help you by giving a comparative analysis.
09-22-2010 01:31 AM
Thanks.
I want to know which obj-192.168.104.157 the ACL in the 8.3 config uses in the statement, the first or the second?
access-list inside_access_in extended permit tcp 10.27.0.0 255.255.0.0 object obj-192.168.104.157 object-group DM_INLINE_TCP_45
access-group inside_access_in in interface inside
object network obj-192.168.104.157
host 192.168.104.157
nat (DMZ2,outside) static 210.19.8.157
object network obj-192.168.104.157
host 192.168.104.157
Thanks a lot.
09-22-2010 04:34 AM
You probably have the following static NAT statement in your 8.2 code:
static (DMZ2,outside) 192.168.104.157 210.19.8.157 netmask 255.255.255.255
This would get migrated to:
object network obj-192.168.104.157
host 192.168.104.157
nat (DMZ2,outside) static 210.19.8.157
The inside_access_in access-list is used only for restricting inbound traffic on the inside interface. NAT in 8.3 does not make use of access-lists.
The two instances each that you see of object network obj-10.27.0.0 and obj-192.168.104.157 are the same - one denotes the network object and the other the auto-nat statement. You need not delete any of the instances.
I hope this answers your query.
-Divya
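As an added example (not code from this thread, nor a Cisco tool), the check below turns the answer above into something you can run against a saved 8.3 config before deleting anything: it merges every "object network" stanza that shares a name, treats repeated identical host/subnet lines as the same object (the object-section copy plus the auto-NAT copy), flags only names whose addresses actually differ, collects the nat rules attached to each object, and verifies that every "object <name>" referenced in an access-list resolves. It also shows that DM_INLINE_NETWORK_57's entries are literal networks, not object references. The sample configs are constructed from the fragments posted above; the second one adds a deliberately conflicting stanza to show what a real problem looks like.

```python
"""Audit duplicated 'object network' stanzas in an ASA 8.3 config (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample, modelled on the migrated 8.3 config posted in the thread.
SAMPLE_CONFIG = """\
access-list inside_access_in extended permit tcp 10.27.0.0 255.255.0.0 object obj-192.168.104.157 object-group DM_INLINE_TCP_45
access-group inside_access_in in interface inside
object network obj-10.27.0.0
 subnet 10.27.0.0 255.255.0.0
object network obj-192.168.104.157
 host 192.168.104.157
object-group network DM_INLINE_NETWORK_57
 network-object 10.32.0.0 255.255.0.0
 network-object 10.27.0.0 255.255.0.0
object network obj-10.27.0.0
 subnet 10.27.0.0 255.255.0.0
 nat (inside,DMZ2) static 10.27.0.0
object network obj-192.168.104.157
 host 192.168.104.157
 nat (DMZ2,outside) static 210.19.8.157
"""

# Constructed variant with a genuine conflict: the same name, two different hosts.
CONFLICTING_CONFIG = SAMPLE_CONFIG + """\
object network obj-192.168.104.157
 host 192.168.104.158
"""


@dataclass
class NetObject:
    name: str
    stanzas: int = 0                                       # how many times the name appears
    definitions: List[str] = field(default_factory=list)  # distinct host/subnet/range lines
    nat_rules: List[str] = field(default_factory=list)    # auto-NAT lines attached to it

    @property
    def conflicting(self) -> bool:
        # Same address repeated across stanzas is normal; two different addresses is not.
        return len(self.definitions) > 1


def parse_objects(config: str) -> Dict[str, NetObject]:
    """Merge all 'object network NAME' stanzas by NAME."""
    objects: Dict[str, NetObject] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        m = re.match(r"^object network (\S+)\s*$", raw)
        if m:
            current = objects.setdefault(m.group(1), NetObject(m.group(1)))
            current.stanzas += 1
            continue
        if raw.startswith(" ") and current is not None:
            body = raw.strip()
            keyword = body.split()[0]
            if keyword in ("host", "subnet", "range"):
                if body not in current.definitions:
                    current.definitions.append(body)
            elif keyword == "nat":
                current.nat_rules.append(body)
            continue
        current = None  # any other top-level command closes the stanza
    return objects


def acl_object_refs(config: str) -> List[str]:
    """Names used as 'object <name>' (not 'object-group') in access-list lines."""
    refs: List[str] = []
    for line in config.splitlines():
        if line.startswith("access-list "):
            refs.extend(re.findall(r"\bobject (\S+)", line))
    return refs


def group_object_refs(config: str) -> Dict[str, List[str]]:
    """Per object-group network: names referenced via 'network-object object NAME'.
    Plain 'network-object A.B.C.D MASK' entries are literals, not references."""
    groups: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        m = re.match(r"^object-group network (\S+)\s*$", raw)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        if raw.startswith(" ") and current is not None:
            parts = raw.split()
            if len(parts) == 3 and parts[0] == "network-object" and parts[1] == "object":
                current.append(parts[2])
            continue
        current = None
    return groups


def audit(config: str) -> dict:
    objs = parse_objects(config)
    return {
        "duplicated": sorted(n for n, o in objs.items() if o.stanzas > 1),
        "conflicting": sorted(n for n, o in objs.items() if o.conflicting),
        "unresolved_acl_refs": sorted(set(acl_object_refs(config)) - set(objs)),
        "nat": {n: o.nat_rules for n, o in objs.items() if o.nat_rules},
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
    print(audit(CONFLICTING_CONFIG))
```

For the posted config the audit lists both names under "duplicated" but nothing under "conflicting" or "unresolved_acl_refs", which is the situation Divya describes: one object, two stanzas, nothing to delete. A name showing up under "conflicting" is the case that does need manual cleanup.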
09-22-2010 05:33 AM
Yes, thanks a lot.