11-25-2014 01:48 PM - edited 03-11-2019 10:07 PM
I have the below config on ASA 8.0 I need to convert it to 9.2
name 10.2.17.80 BV-DVR
name 10.2.13.80 SE-DVR
name 10.2.23.80 ES-DVR
name 10.2.10.80 NW-DVR
name 10.2.10.81 NW-DVR2
name 10.2.1.76 C-DVR1
name 10.2.1.78 C-DVR2
name 10.2.1.80 C-DVR3
name 10.2.19.80 WS-DVR1
name 10.2.19.81 WS-DVR2
name 10.2.15.80 SW-DVR
name 10.2.11.80 M-DVR
object-group network Camera_DVRs
network-object host SE-DVR
network-object host BV-DVR
network-object host ES-DVR
network-object host C-DVR1
network-object host C-DVR2
network-object host C-DVR3
network-object host WS-DVR1
network-object host WS-DVR2
network-object host NW-DVR
network-object host NW-DVR2
network-object host SW-DVR
network-object host M-DVR
object-group service DM_INLINE_TCP_2 tcp
port-object eq 8000
port-object eq www
port-object eq 8001
port-object eq 8100
port-object eq 8101
port-object eq 8200
port-object eq 8201
port-object eq 8202
port-object eq 8203
port-object eq 8300
port-object eq 8301
port-object eq 8400
port-object eq 8401
port-object eq 8402
port-object eq 8403
port-object eq 8404
port-object eq 8405
port-object eq 8500
port-object eq 8501
port-object eq 8502
port-object eq 8503
port-object eq 8600
port-object eq 8700
object-group service DM_INLINE_TCP_3 tcp
port-object eq 8000
port-object eq www
port-object eq 8300
port-object eq 8301
port-object eq 8400
port-object eq 8401
port-object eq 8402
port-object eq 8403
port-object eq 8404
port-object eq 8405
port-object eq 8500
port-object eq 8501
port-object eq 8502
port-object eq 8503
port-object eq 8600
port-object eq 8700
access-list 200 extended permit tcp any host 1.1.1.172 object-group DM_INLINE_TCP_2
access-list 200 extended permit tcp object-group Camera_DVRs host 1.1.1.172 object-group DM_INLINE_TCP_3
static (inside,outside) tcp 1.1.1.172 8000 BV-DVR 8000 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8001 BV-DVR 8001 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8100 SE-DVR 8100 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8101 SE-DVR 8101 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8200 NW-DVR 8200 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8201 NW-DVR 8201 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8202 NW-DVR2 8202 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8203 NW-DVR2 8203 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8300 ES-DVR 8300 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8301 ES-DVR 8301 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8400 C-DVR1 8400 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8401 C-DVR1 8401 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8402 C-DVR2 8402 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8403 C-DVR2 8403 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8404 C-DVR3 8404 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8405 C-DVR3 8405 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8500 WS-DVR1 8500 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8501 WS-DVR1 8501 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8502 WS-DVR2 8502 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8503 WS-DVR2 8503 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8600 M-DVR 8600 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8700 SW-DVR 8700 netmask 255.255.255.255
Here is a bit of what I think I need to do...
object network OBJ-10.2.17.80
host 10.2.17.80
object network OBJ-1.1.1.172
host 1.1.1.172
object service OBJ-TCP-8000
service TCP source eq 8000
nat (inside,outside) source static OBJ-10.2.17.80 OBJ-1.1.1.172 service OBJ-TCP-8000 OBJ-TCP-8000
access-list outside_access_in extended permit tcp any4 object OBJ-10.2.17.80 eq 8000
Thanks,
Mike
11-26-2014 04:15 AM
Hi,
I think the above way will work. If you want, you can actually make it shorter by using a range of ports [consecutive ports] in the NAT statement itself.
For example:
object service obj
service tcp source range 8400 8405
nat (inside,outside) source static OBJ-10.2.17.80 OBJ-1.1.1.172 service obj obj
And you can use the same in the ACL as well.
Thanks and Regards,
Vibhor Amrodia
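As an added example (not code from the thread), the script below mechanically turns the 8.0 `name`/`static` lines into the 9.x object, `nat` and `access-list` form Mike drafted, and collapses consecutive ports into `range` service objects as Vibhor suggests. The `OBJ-<ip>` naming and the `outside_access_in` ACL name are taken from Mike's draft; the sample config is a constructed subset of the one posted, and the script assumes identity port mappings (real port equals mapped port), which is all this config contains.

```python
import re
from collections import defaultdict
# Constructed sample: a subset of the ASA 8.0 config posted in the thread (one host by alias, one by IP)
OLD_CONFIG = """\
name 10.2.17.80 BV-DVR
static (inside,outside) tcp 1.1.1.172 8000 BV-DVR 8000 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8001 BV-DVR 8001 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8400 10.2.1.76 8400 netmask 255.255.255.255
"""
NAME_RE = re.compile(r"^name (\S+) (\S+)$")
# 8.0 syntax: static (real_if,mapped_if) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask MASK
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\d+) (\S+) (\d+) netmask \S+$")
def parse(config):
    """Resolve 'name' aliases; return (real_if, mapped_if, mapped_ip, mport, real_ip, rport) tuples."""
    names, statics = {}, []
    for line in config.splitlines():
        if m := NAME_RE.match(line.strip()):
            names[m.group(2)] = m.group(1)
        elif m := STATIC_RE.match(line.strip()):
            rif, mif, mip, mport, rip, rport = m.groups()
            statics.append((rif, mif, names.get(mip, mip), int(mport), names.get(rip, rip), int(rport)))
    return statics
def runs(ports):
    """Collapse ports into (lo, hi) runs of consecutive values (Vibhor's 'range' shortcut)."""
    out = []
    for p in sorted(set(ports)):
        if out and p == out[-1][1] + 1:
            out[-1] = (out[-1][0], p)
        else:
            out.append((p, p))
    return out
def convert(config):
    """Emit 8.3+/9.x object, nat and access-list lines for identity-port static PATs."""
    groups = defaultdict(list)  # (real_if, mapped_if, real_ip, mapped_ip) -> real ports
    for rif, mif, mip, mport, rip, rport in parse(config):
        if mport != rport:  # a port-translating static needs distinct real/mapped service objects
            raise ValueError(f"{rip}:{rport}->{mip}:{mport} is not an identity port mapping")
        groups[(rif, mif, rip, mip)].append(rport)
    hosts = sorted({ip for key in groups for ip in key[2:]})  # each real/mapped host defined once
    lines = [l for ip in hosts for l in (f"object network OBJ-{ip}", f" host {ip}")]
    for (rif, mif, rip, mip), ports in groups.items():
        for lo, hi in runs(ports):
            port = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
            svc = "OBJ-TCP-" + port.split(" ", 1)[1].replace(" ", "-")
            lines += [f"object service {svc}", f" service tcp source {port}",  # real host is the source
                      f"nat ({rif},{mif}) source static OBJ-{rip} OBJ-{mip} service {svc} {svc}",
                      # post-8.3 ACLs match the real address; 'any4' mirrors the original's open source
                      f"access-list {mif}_access_in extended permit tcp any4 object OBJ-{rip} {port}"]
    return lines
```

The generated ACL keeps the original's unrestricted source, so the DVR ports stay reachable from anywhere; narrowing `any4` to the addresses that actually need to reach the DVRs is the change that reduces exposure.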
12-01-2014 07:07 AM
Vibhor,
Thanks for your help.
Mike
11-27-2014 03:21 AM
Hi Mike,
This is off topic, but our ASA also has "DM_INLINE".
The previous engineer also did a similar setup on one of our ASAs.
My question is, what does "DM INLINE" stand for or mean?
12-01-2014 05:21 AM
I did not create the above config. If I had, I would never have "DM_INLINE" on anything. It is the default naming Cisco uses when objects are created via ASDM, and lazy or inexperienced engineers do not correct it. Also, auditors do not like such non-descriptive names. I do not like this default behavior at all and do most everything via CLI; it is much better and gives much more control. It would be better if, when creating these via ASDM, it did not put in a default name but forced you to enter something.
Mike
12-01-2014 06:19 AM
Thanks Mike! :)
The engineer before me may have done most of his config via ASDM.