Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
523
Views
0
Helpful
2
Replies

Migrating from FWSM to ASA

Garrison Botts
Level 4
Level 4

‎01-27-2014 02:14 PM - edited ‎03-11-2019 08:36 PM

I'm currently using an FWSM and we are migrating to the ASA with 9.1 code.


The nat is WAY different and I have some questions:



1)  To do a PAT to the outside, is it just


object network TEST123

subnet x.x.x.0 255.255.255.0

nat (inside,outside) dynamic <external ip address/32>


2) To do NAT between two internal addresses:


object network TEST123

subnet x.x.x.0 255.255.255.0


object network TEST456

subnet y.y.y.0 255.255.255.0



object-group network INTERNAL

network object obj TEST123

network object obj  TEST456

nat (inside,dmz) source static INTERNAL INTERNAL destination z.z.z.0 net-to-net no-proxy-arp



3) To do Static NAT to outside


object network WEBSERVER1

host z.z.z.z

nat (dmz,outside) static <External IP of host>



Then to allow access to webserver


access-list out_in extended permit tcp any host z.z.z.z eq www




Any help would be appreciated..!!!  Thanks in advance


I wish Cisco would've NEVER changed this part of the IOS.. The new way is crappy and confusing....

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎01-27-2014 02:57 PM

I wish Cisco would've NEVER changed this part of the IOS.. The new way is crappy and confusing....

I know exactly how you feel

Coming from an FWSM/pre 8.3 pix/ASA background i am still playing catch up. What i would say is that the new way actually allows far more flexibility in terms of what you can do with NAT but it does take some getting used to.

I have added a link to a really good document for 8.3+ NAT written by one of the firewall experts. It is worth a read and it should help with your questions. The pictures which can be downloaded separately give examples of all the common scenarios you would need but i would say it is worth reading the entire document -

https://supportforums.cisco.com/docs/DOC-31116

Jon

0 Helpful

Garrison Botts
Level 4
Level 4
In response to Jon Marshall

‎01-27-2014 03:11 PM

Thanks.... This helps....  

Looks like I'm on the right track...

The issue was figuring out the Subnet definition in the nat (was it static or dynamic)... Looks like it's static between the internal interfaces....

The doc doesn't mention the "no-proxy-arp" command arg even though the software prompts you and claims routing errors if you don't use it...

Can't wait until Cisco goes back to the old way - 5 years from now... LOL!!!

Thanks again....

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card