cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
852
Views
5
Helpful
5
Replies

MIGRATING FROM PIX TO ASA 9.2 m

fogemarttt
Level 1
Level 1

Hello All, 

I am migrating a PIX Firewall configuration to ASA 5500X  configuration. I am facing NAT ISSUES and I want to understand some lines. 

PIX configuration 

global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list 80 // exempts address in this group from NAT
nat (inside) 1 158.29.152.160 255.255.255.240 0 0
nat (inside) 1 158.29.152.128 255.255.255.224 0 0
nat (inside) 1 158.29.152.192 255.255.255.224 0 0

nat (inside) 1 10.237.106.0 255.255.255.128 0 0
nat (inside) 1 158.29.140.0 255.255.255.128 0 0
nat (inside) 1 158.29.140.128 255.255.255.128 0 0
nat (inside) 1 158.29.152.0 255.255.255.128 0 0
nat (inside) 1 10.237.102.0 255.255.255.0 0 0
nat (inside) 1 158.29.107.0 255.255.255.0 0 0

nat (dmz) 0 access-list dmz_nat0_outbound //Exempt this ACL from translation

nat (dmz) 1 192.168.237.0 255.255.255.0 0 0

In my understanding, I will apply Nat in the inside interface like nat (inside, outside) dynamic ....... 

I don't know how to translate the global (dmz) command 1 interface and the nat (dmz) 0 and nat (dmz) 1 command. 

is it nat(dmz,outside) or nat(inside,dmz)??? 

Any helps please. 

1 Accepted Solution

Accepted Solutions

With object NAT only one subnet per object. So you're likely to have to do something like the below and repeat many times if you don't want to do subnet 0.0.0.0 0.0.0.0

object network obj-158.29.152.160
   subnet 158.29.152.160 255.255.255.240
   nat (inside,outside) dynamic interface

I would use an object-group

OBJECT-GROUP NETWORK INSIDE-NET
network-object 158.29.152.160 255.255.255.240
network-object 158.29.152.128 255.255.255.224
network-object 158.29.152.192 255.255.255.224
network-object 10.237.106.0 255.255.255.128
network-object 158.29.140.0 255.255.255.128
network-object 158.29.140.128 255.255.255.128
network-object 158.29.152.0 255.255.255.128
network-object 10.237.102.0 255.255.255.0
network-object 158.29.107.0 255.255.255.0

nat (inside,outside) after-source source dynamic INSIDE-NET interface

nat (inside,dmz) after-source source dynamic INSIDE-NET interface

Test using packet-tracer

i.e.  packet-tracer input inside tcp 10.237.106.2 1024 x.x.x.x 80

With NAT0, one subnet per object

object network suba
subnet 158.29.107.0 255.255.255.0

object network suba1
subnet 158.29.108.0 255.255.255.0

object Network SubB
host 10.237.102.22

object Network SubB1
host 10.237.102.24

object network WanA
subnet 158.29.106.0 255.255.255.0

object network Srv1
host 172.29.180.48

nat (inside,outside) source static  Suba Suba destination static WanA WanA
nat (inside,outside) source static  Suba1 Suba1 destination static WanA WanA

nat (inside,outside) source static  SubB SubB destination static Srv1 Srv1
nat (inside,outside) source static  SubB1 SubB1 destination static Srv1 Srv1


Lastly

object network dmzA

subnet 192.168.237.0 255.255.255.0

object network DmzSA

subnet 192.168.180.0 255.255.255.0

object network DmzSA1
subnet 192.168.190.0 255.255.255.0

nat (dmz,outside) source static  dmzA dmzA destination static dmzSA dmzSA
nat (dmz,outside) source static  dmzA dmzA destination static dmzSA1 dmzSA1


Hopefully no typo's

Joel

View solution in original post

5 Replies 5

Joel
Level 1
Level 1

nat (inside,outside) for instance means the location of host you want to NAT too is located i.e. inside. Static NAT example to nat from public interface to 10.10.10.10:80

object network OBJ-STATIC-XYZ
host 10.10.10.10
 nat (inside,outside) static interface service tcp 80 80
 
Outbound PAT/NAT

object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic interface

Also for DMZ
object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,dmz) dynamic interface


If you wish to restrict the subnet to one of your ranges do the following:

object network obj_***
   subnet 158.29.152.160 255.255.255.240
   nat (inside,dmz) dynamic interface


For NAT excemption (NAT 0) look at identity NAT

object network LAN

subnet x.x.x.x x.x.x.x.

object network remote

subnet x.x.x.x x.x.x.x

nat (inside,outside) source static LAN LAN destination static remote remote

Useful link
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Hope this helps.

Joel

Thanks Joel,

I Know these steps. I am confuse. If you take a look at this configuration, it is a configuration of PIX firewall, I want to translate these configuration to my ASA. It's deprecated. But I want to understand the line in BOLD.  

I have global outside. 

I have Global dmz. What does that mean ? 

I can input my translation to ASA firewall if you want. 

Regards, 

For PIX and ASA 8.2 and below (been a while)


global (outside) 1 interface defines the address to NAT to from anything with the pool number 1.
global (DMZ) 1 interface 




Anything coming into the inside interface matching the NAT statement and going out the "outside" or "DMZ" interface will be NAT'd to interface address

Example
global (outside) 1 interface


global (dmz) 1 interface
nat (inside) 1 158.29.152.160 255.255.255.240 0 0

If your outside interface address is 1.1.1.1 and DMZ 2.2.2.2 anything from the inside such as 158.29.152.161 will match the NAT statement if going to OUTSIDE or DMZ and will NAT to either 1.1.1.1 or 2.2.2.2 accordingly.

Please send your translations.

Joel
 



Thanks you Joel for your answer. 

Let me give you my translation step by step. 

global (outside) 1 interface 
global (dmz) 1 interface
nat (inside) 0 access-list 80 // exempts address in this group from NAT
nat (inside) 1 158.29.152.160 255.255.255.240 0 0
nat (inside) 1 158.29.152.128 255.255.255.224 0 0
nat (inside) 1 158.29.152.192 255.255.255.224 0 0

nat (inside) 1 10.237.106.0 255.255.255.128 0 0
nat (inside) 1 158.29.140.0 255.255.255.128 0 0
nat (inside) 1 158.29.140.128 255.255.255.128 0 0
nat (inside) 1 158.29.152.0 255.255.255.128 0 0
nat (inside) 1 10.237.102.0 255.255.255.0 0 0
nat (inside) 1 158.29.107.0 255.255.255.0 0 0

nat (dmz) 0 access-list dmz_nat0_outbound //Exempt this ACL from translation

nat (dmz) 1 192.168.237.0 255.255.255.0 0 0

these first lines correspond in 8.3 to these lines except the line in red because it is NAT O. 

object network inside-net
subnet 158.29.152.160 255.255.255.240
subnet 158.29.152.128 255.255.255.224
subnet 158.29.152.192 255.255.255.224
subnet 10.237.106.0 255.255.255.128
subnet 158.29.140.0 255.255.255.128
subnet 158.29.140.128 255.255.255.128
subnet 158.29.152.0 255.255.255.128
subnet 10.237.102.0 255.255.255.0
subnet 158.29.107.0 255.255.255.0
nat (inside,outside) dynamic interface

nat (inside,dmz) dynamic interface

Translation of NAT O. That  means nat (inside) 0 access-list 80

that are rules for ACL 80.

access-list 80 extended permit ip 158.29.107.0 255.255.255.0 158.29.106.0 255.255.255.0
access-list 80 extended permit ip 158.29.108.0 255.255.255.0 158.29.106.0 255.255.255.0
access-list 80 extended permit ip host 10.237.102.22 host 172.29.180.48
access-list 80 extended permit ip host 10.237.102.24 host 172.29.180.48
CREATION OF NAT O in ASA 8.3 or LATER 

object network SubA
subnet 158.29.107.0 255.255.255.0
subnet 158.29.108.0 255.255.255.0

object Network SubB

host 10.237.102.22

host 10.237.102.24

object network WanA
subnet 158.29.106.0 255.255.255.0

object network Srv1
host 172.29.180.48


nat (inside,outside) source static  SubA SubA destination static WanA WanA

nat (inside,outside) source static  SubB SubB destination static Srv1 Srv1

TRANSLATING NAT DMZ 0 acl Dmz_nat0

nat (dmz) 0 access-list dmz_nat0_outbound //Exempt this ACL from translation

RULE IN 8.3 OR LATER 

acl dmz_nat0 

access-list dmz_nat0_outbound permit ip 192.168.237.0 255.255.255.0 192.168.180.0 255.255.255.0
access-list dmz_nat0_outbound permit ip 192.168.237.0 255.255.255.0 192.168.190.0 255.255.255.0

object network dmzA

subnet 192.168.237.0 255.255.255.0

object network DmzSA

subnet 192.168.180.0 255.255.255.0

subnet 192.168.190.0 255.255.255.0

nat (dmz,outside) source static  dmzA dmzA destination static dmzSA dmzSA

TRANSLATING last line : nat (dmz) 1 192.168.237.0 255.255.255.0 0 0

object group dmzA

 nat (dmz,outside) dynamic interface

That is my understanding of migrating these commands from pix to ASA 8.3 or later. 

if I am correct, let me know, if not explain it to me.

Regards,

With object NAT only one subnet per object. So you're likely to have to do something like the below and repeat many times if you don't want to do subnet 0.0.0.0 0.0.0.0

object network obj-158.29.152.160
   subnet 158.29.152.160 255.255.255.240
   nat (inside,outside) dynamic interface

I would use an object-group

OBJECT-GROUP NETWORK INSIDE-NET
network-object 158.29.152.160 255.255.255.240
network-object 158.29.152.128 255.255.255.224
network-object 158.29.152.192 255.255.255.224
network-object 10.237.106.0 255.255.255.128
network-object 158.29.140.0 255.255.255.128
network-object 158.29.140.128 255.255.255.128
network-object 158.29.152.0 255.255.255.128
network-object 10.237.102.0 255.255.255.0
network-object 158.29.107.0 255.255.255.0

nat (inside,outside) after-source source dynamic INSIDE-NET interface

nat (inside,dmz) after-source source dynamic INSIDE-NET interface

Test using packet-tracer

i.e.  packet-tracer input inside tcp 10.237.106.2 1024 x.x.x.x 80

With NAT0, one subnet per object

object network suba
subnet 158.29.107.0 255.255.255.0

object network suba1
subnet 158.29.108.0 255.255.255.0

object Network SubB
host 10.237.102.22

object Network SubB1
host 10.237.102.24

object network WanA
subnet 158.29.106.0 255.255.255.0

object network Srv1
host 172.29.180.48

nat (inside,outside) source static  Suba Suba destination static WanA WanA
nat (inside,outside) source static  Suba1 Suba1 destination static WanA WanA

nat (inside,outside) source static  SubB SubB destination static Srv1 Srv1
nat (inside,outside) source static  SubB1 SubB1 destination static Srv1 Srv1


Lastly

object network dmzA

subnet 192.168.237.0 255.255.255.0

object network DmzSA

subnet 192.168.180.0 255.255.255.0

object network DmzSA1
subnet 192.168.190.0 255.255.255.0

nat (dmz,outside) source static  dmzA dmzA destination static dmzSA dmzSA
nat (dmz,outside) source static  dmzA dmzA destination static dmzSA1 dmzSA1


Hopefully no typo's

Joel

Review Cisco Networking for a $25 gift card