01-17-2011 08:15 AM - edited 03-11-2019 12:36 PM
Hi to all,
I have a question. I have this NAT in 8.2:
static (inside,DMZ2) 192.168.202.0 192.168.202.0 netmask 255.255.255.0
static (inside,DMZ2) 161.27.0.0 161.27.0.0 netmask 255.255.0.0
static (inside,DMZ2) 172.16.0.0 172.16.0.0 netmask 255.240.0.0
In 8.3, must I translate this to 8.3 NAT, or are the ACLs that regulate the traffic from inside to the DMZ enough?
Thanks a lot, best regards.
01-17-2011 08:22 AM
f.mottini wrote:
Hi to all,
I have a question. I have this NAT in 8.2:
static (inside,DMZ2) 192.168.202.0 192.168.202.0 netmask 255.255.255.0
static (inside,DMZ2) 161.27.0.0 161.27.0.0 netmask 255.255.0.0
static (inside,DMZ2) 172.16.0.0 172.16.0.0 netmask 255.240.0.0
In 8.3, must I translate this to 8.3 NAT, or are the ACLs that regulate the traffic from inside to the DMZ enough?
Thanks a lot, best regards.
You will need to update your static NAT entries. Have a look at this doc, which covers the changes in 8.3 and gives examples for converting NAT statements:
https://supportforums.cisco.com/docs/DOC-12690
Jon
01-17-2011 08:33 AM
If I don't translate these entries, what happens to the traffic that flows from a PC behind the inside interface to a server behind the DMZ interface?
Does the traffic flow anyway without NAT? Or is the traffic blocked because there is no identity NAT?
Thanks a lot.
PS: I'm translating the 8.2 NAT configuration to 8.3 by hand.
01-17-2011 10:54 AM
Hello,
In 8.3, NAT translation rules are a must between all interfaces. So, if you do not create a NAT rule, the traffic will be blocked.
! 8.2
static (inside,DMZ2) 192.168.202.0 192.168.202.0 netmask 255.255.255.0
! 8.3 equivalent
object network INSIDE_NET_1
 subnet 192.168.202.0 255.255.255.0
nat (inside,DMZ2) source static INSIDE_NET_1 INSIDE_NET_1
! 8.2
static (inside,DMZ2) 161.27.0.0 161.27.0.0 netmask 255.255.0.0
! 8.3 equivalent
object network INSIDE_NET_2
 subnet 161.27.0.0 255.255.0.0
nat (inside,DMZ2) source static INSIDE_NET_2 INSIDE_NET_2
! 8.2
static (inside,DMZ2) 172.16.0.0 172.16.0.0 netmask 255.240.0.0
! 8.3 equivalent
object network INSIDE_NET_3
 subnet 172.16.0.0 255.240.0.0
nat (inside,DMZ2) source static INSIDE_NET_3 INSIDE_NET_3
Hope this helps.
Regards,
NT
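The conversion NT shows above is mechanical, and the original poster mentioned doing it by hand. The script below is an added example (mine, not code from the thread or from Cisco) that automates it: it parses 8.2 `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask` lines and emits the same twice-NAT form NT used, with a second object when the mapped and real addresses differ. Object names of the form OBJ_<address>_<prefix> and the `outside` interface in the fourth sample line are my own assumptions, not names the ASA migration tool generates; the first three sample lines are the ones from the question. A statement whose address has host bits set under its netmask is rejected rather than silently rounded to a different network.

```python
"""Convert ASA 8.2 'static' lines to 8.3 twice-NAT syntax (added example)."""
import ipaddress
import re

# 8.2 form: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real_ifc>[^,\s]+),(?P<mapped_ifc>[^)\s]+)\)\s+"
    r"(?P<mapped>[\d.]+)\s+(?P<real>[\d.]+)\s+netmask\s+(?P<mask>[\d.]+)\s*$"
)


def parse_static(line):
    """Return (real_ifc, mapped_ifc, real_net, mapped_net) for one 8.2 static line."""
    m = STATIC_RE.match(line)
    if m is None:
        raise ValueError(f"not an 8.2 static line: {line!r}")
    # strict=True raises when the address has host bits set under the mask,
    # so a mistyped statement fails here instead of becoming a different
    # network on the 8.3 box.
    real = ipaddress.IPv4Network(f"{m['real']}/{m['mask']}", strict=True)
    mapped = ipaddress.IPv4Network(f"{m['mapped']}/{m['mask']}", strict=True)
    return m["real_ifc"], m["mapped_ifc"], real, mapped


def obj_name(net):
    # Naming convention is an assumption of this example: OBJ_<address>_<prefix>
    return "OBJ_" + f"{net.network_address}_{net.prefixlen}".replace(".", "_")


def object_block(net):
    """'object network' definition for one network (host form for a /32)."""
    if net.prefixlen == 32:
        member = f" host {net.network_address}"
    else:
        member = f" subnet {net.network_address} {net.netmask}"
    return [f"object network {obj_name(net)}", member]


def convert_static(line):
    """8.3 lines equivalent to one 8.2 static statement."""
    real_ifc, mapped_ifc, real, mapped = parse_static(line)
    out = object_block(real)
    if mapped != real:  # a non-identity static needs a second object
        out += object_block(mapped)
    out.append(f"nat ({real_ifc},{mapped_ifc}) source static "
               f"{obj_name(real)} {obj_name(mapped)}")
    return out


def convert_config(text):
    """Convert every static line in an 8.2 fragment; other lines are ignored."""
    out = []
    for line in text.splitlines():
        if line.strip().startswith("static "):
            out += convert_static(line)
    return out


# The three lines from the question, plus one constructed non-identity host
# static (interface 'outside' and both addresses are made up for the example).
SAMPLE_82 = """\
static (inside,DMZ2) 192.168.202.0 192.168.202.0 netmask 255.255.255.0
static (inside,DMZ2) 161.27.0.0 161.27.0.0 netmask 255.255.0.0
static (inside,DMZ2) 172.16.0.0 172.16.0.0 netmask 255.240.0.0
static (inside,outside) 203.0.113.5 10.1.1.3 netmask 255.255.255.255
"""

if __name__ == "__main__":
    print("\n".join(convert_config(SAMPLE_82)))
```

Manual NAT lines without `after-auto` land in section 1, ahead of any object (auto) NAT, which keeps the precedence the 8.2 `static` statements had over dynamic `nat`/`global` pairs. Review the emitted objects before pasting them in; the script does not check for overlap between networks, and an overlapping identity rule on a different interface pair can change which rule a flow matches.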
01-17-2011 10:59 AM
Hi,
From the 8.3 documentation I understood something else: that NAT is not required anymore.
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60212
The nat-control command is deprecated. To maintain the requirement that all traffic from a higher security interface to a lower security interface be translated, a NAT rule will be inserted at the end of section 2 for each interface to disallow any remaining traffic. The nat-control command was used for NAT configurations defined with earlier versions of the adaptive security appliance. The best practice is to use access rules for access control instead of relying on the absence of a NAT rule to prevent traffic through the adaptive security appliance.
So far, I have never tested 8.3.
Dan
01-17-2011 12:56 PM
I have tested 8.3 on an ASA 5520:
PC ---- in (security-level 100) ----- ASA ----- out (security-level 0) ------ PC
2 ACLs, both permit ip any any
Both PCs have the ASA as their default GW.
ciscoasa# sh run access-g
access-group in in interface in
access-group out in interface out
ciscoasa# sh access-l in
access-list in; 1 elements; name hash: 0xbd4c1a27
access-list in line 1 extended permit ip any any (hitcnt=10) 0xc13c9148
ciscoasa# sh access-l out
access-list out; 1 elements; name hash: 0x5589cfea
access-list out line 1 extended permit ip any any (hitcnt=2) 0xb4296acc
ciscoasa# sh run nat
ciscoasa#
ciscoasa# sh run int g0/3
!
interface GigabitEthernet0/3
 nameif in
 security-level 100
 ip address 1.1.1.2 255.255.255.252
ciscoasa# sh run int g0/2
!
interface GigabitEthernet0/2
 nameif out
 security-level 0
 ip address 2.2.2.1 255.255.255.0
Ping from the out PC to the in PC:
ciscoasa# sh conn det
2 in use, 2 most used
ICMP out:2.2.2.2/1 in:1.1.1.1/0,
idle 0s, uptime 1s, timeout 2s, bytes 64
ICMP out:2.2.2.2/1 in:1.1.1.1/0,
idle 0s, uptime 1s, timeout 2s, bytes 64
Successful! So there is no need for NAT.
Dan
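Dan's test shows the practical consequence of the 8.3 change: with `show run nat` empty, the ping still builds a connection, so the access-groups are the only thing gating traffic between interfaces. The check below is an added example (mine, not from the thread or from Cisco) for the post-upgrade review that follows from that: it parses `show run interface`, `show run access-group` and `show access-list` output and flags interfaces that have no inbound ACL bound (only the implicit security-level policy applies) and interfaces whose inbound ACL contains `permit ip any any`. The sample output is taken from Dan's test above, with a third interface `dmz` (GigabitEthernet0/1, 3.3.3.1, security-level 50) constructed to show the unbound case.

```python
"""Post-upgrade ACL coverage check for ASA 8.3 (added example)."""
import re

# Dan's two interfaces from the test above, plus a constructed 'dmz'
# interface that has no access-group bound to it.
SHOW_RUN_INTERFACES = """\
interface GigabitEthernet0/3
 nameif in
 security-level 100
 ip address 1.1.1.2 255.255.255.252
!
interface GigabitEthernet0/2
 nameif out
 security-level 0
 ip address 2.2.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 3.3.3.1 255.255.255.0
"""

SHOW_RUN_ACCESS_GROUP = """\
access-group in in interface in
access-group out in interface out
"""

SHOW_ACCESS_LIST = """\
access-list in; 1 elements; name hash: 0xbd4c1a27
access-list in line 1 extended permit ip any any (hitcnt=10) 0xc13c9148
access-list out; 1 elements; name hash: 0x5589cfea
access-list out line 1 extended permit ip any any (hitcnt=2) 0xb4296acc
"""


def parse_interfaces(text):
    """Map nameif -> security-level from 'show run interface' output."""
    ifaces, name = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name:
            ifaces[name] = int(line.split()[1])
    return ifaces


def parse_access_groups(text):
    """Map nameif -> ACL name for inbound bindings (access-group X in interface Y)."""
    return {m.group(2): m.group(1) for m in re.finditer(
        r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)", text, re.M)}


def permissive_acls(text):
    """Names of ACLs that contain a 'permit ip any any' entry."""
    return {m.group(1) for m in re.finditer(
        r"^access-list\s+(\S+)\s+line\s+\d+\s+extended\s+permit\s+ip\s+any\s+any\b",
        text, re.M)}


def audit(interfaces_out, access_group_out, access_list_out):
    """Findings, highest security level first: interfaces with no inbound ACL
    and interfaces whose inbound ACL permits ip any any."""
    ifaces = parse_interfaces(interfaces_out)
    bound = parse_access_groups(access_group_out)
    wide_open = permissive_acls(access_list_out)
    findings = []
    for name, level in sorted(ifaces.items(), key=lambda kv: -kv[1]):
        if name not in bound:
            findings.append(f"{name} (sec {level}): no inbound access-group; "
                            "only the implicit security-level policy applies")
        elif bound[name] in wide_open:
            findings.append(f"{name} (sec {level}): ACL {bound[name]} permits ip any any")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_RUN_INTERFACES, SHOW_RUN_ACCESS_GROUP, SHOW_ACCESS_LIST):
        print(finding)
```

On a box that had `nat-control` enabled before the upgrade, the migration quoted earlier in the thread adds a NAT rule at the end of section 2 per interface to keep dropping untranslated traffic, so this check matters most where `nat-control` was off or where those migrated rules are later removed.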
01-17-2011 02:53 PM
Correct. Thanks for verifying. In 8.3 there is no need to provide NAT.
-KS