Help with NAT > PIX 6.3 to ASA 8.3(2)

Jason Aarons
Level 6

In my old PIX I had this:

PIX515e# show nat
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 0 access-list DMZ_outbound_nat0_acl

We have the don't nat 0 with access-list, how do I re-implement this with ASA 8.3(2)? I didn't see how to tie an ACL to a nat -jason

2 Replies

Namit Agarwal
Cisco Employee

Hi,

I am putting an example here.

In Pre-8.3

access-list EXEMPT extended permit ip 10.1.3.0 255.255.255.0 20.2.4.0 255.255.255.0

nat (inside) 0 access-list EXEMPT

In 8.3

object network obj-10.1.3.0
 subnet 10.1.3.0 255.255.255.0
object network obj-20.2.4.0
 subnet 20.2.4.0 255.255.255.0

nat (inside,any) source static obj-10.1.3.0 obj-10.1.3.0 destination static obj-20.2.4.0 obj-20.2.4.0

For DMZ NAT exempt you can change the inside to DMZ and use the appropriate networks.

nat (inside) 1 0.0.0.0 0.0.0.0 0 0 will change to:

object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

I hope that helps. Here is a doc that explains it further:
https://supportforums.cisco.com/docs/DOC-9129
Thanks,

Namit

Nagaraja Thanthry
Cisco Employee

Hello,

You are correct. 8.3 does not have an option for NAT with an ACL. You can try the following:

Assume that your old NAT rule was as follows:

nat (inside) 0 access-list inside_outbound_nat0_acl

access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Then, in 8.3, the corresponding configuration would be:

object network obj_192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj_10.1.1.0
 subnet 10.1.1.0 255.255.255.0

nat (inside,any) source static obj_10.1.1.0 obj_10.1.1.0 destination static obj_192.168.1.0 obj_192.168.1.0

Hope this helps.

Regards,

NT
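As an added example (not code from either reply or from Cisco), the conversion both answers describe as a small Python script: it reads the old `nat 0 access-list` rules with their ACL entries and the catch-all `nat N 0.0.0.0 0.0.0.0` rule, validates every subnet/mask so a typo cannot silently exempt the wrong hosts, and emits the 8.3 network objects, object NAT and twice-NAT identity rules. The sample config below is constructed from the lines quoted in the thread, and it assumes the old nat-N rule was paired with `global (outside) N interface`.

```python
import re
from ipaddress import IPv4Network

# Constructed pre-8.3 sample mirroring the thread: nat 0 with an ACL on inside and DMZ, plus the catch-all dynamic rule.
OLD_CONFIG = """
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ_outbound_nat0_acl extended permit ip 172.16.5.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 0 access-list DMZ_outbound_nat0_acl
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
NATN_RE = re.compile(r"^nat \((\S+)\) [1-9]\d* 0\.0\.0\.0 0\.0\.0\.0( |$)")

def net(addr, mask):
    """Validate an address/mask pair: a typo here would silently exempt or
    translate the wrong hosts, so refuse anything that is not a network."""
    IPv4Network(f"{addr}/{mask}", strict=True)   # raises ValueError on host bits
    return (addr, mask)

def convert(old_config, outside_ifc="outside"):
    """Return the 8.3 lines: network objects (object NAT kept inside them), then
    the twice-NAT identity rules that replace 'nat 0 access-list'. Assumes each
    old nat-N rule was paired with 'global (outside) N interface' (PAT)."""
    acls, objects, twice_nat = {}, {}, []
    lines = [l.strip() for l in old_config.strip().splitlines()]
    for line in lines:                        # pass 1: collect the exemption ACLs
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    for line in lines:                        # pass 2: translate the nat statements
        m0, mn = NAT0_RE.match(line), NATN_RE.match(line)
        if m0:
            ifc, acl = m0.groups()
            for src, smask, dst, dmask in acls.get(acl, []):
                s, d = "obj_" + src, "obj_" + dst
                objects[s], objects[d] = net(src, smask), net(dst, dmask)
                twice_nat.append(f"nat ({ifc},any) source static {s} {s} "
                                 f"destination static {d} {d}")
        elif mn:                              # catch-all dynamic rule -> object NAT
            objects["obj_any"] = ("0.0.0.0", "0.0.0.0",
                                  f"nat ({mn.group(1)},{outside_ifc}) dynamic interface")
    out = []
    for name, spec in objects.items():
        out += [f"object network {name}", f" subnet {spec[0]} {spec[1]}"]
        out += [f" {spec[2]}"] if len(spec) == 3 else []
    return out + twice_nat
```

The identity rules land in NAT section 1 (twice NAT), which the ASA evaluates before the object NAT in section 2, so the exemption still takes precedence over the catch-all PAT regardless of where it appears in the running config.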
