NAT 8.4 question

Hello community!
According to the firewall migration tool that Cisco provides (https://fwm.cisco.com) I need to make the following change:

##### 8.2 code #####
static (inside,outside) tcp 50.50.50.50 https 10.34.4.11 32030 netmask 255.255.255.255
!
access-list outside extended permit tcp object-group public-ips host 50.50.50.50 eq https

##### 8.4 code #####
object network obj-10.34.4.11-48
host 10.34.4.11
nat (inside,outside) static 50.50.50.50 service tcp 32030 https
!
access-list outside remark Migration, ACE (line 671) expanded: permit tcp object-group public-ips host 50.50.50.50
access-list outside extended permit tcp 60.60.60.60 255.255.255.252 host 10.34.4.11 eq 32030
access-list outside extended permit tcp 70.70.70.0 255.255.255.0 host 10.34.4.11 eq 32030
access-list outside extended permit tcp 80.80.80.0 255.255.255.0 host 10.34.4.11 eq 32030
access-list outside extended permit tcp 90.90.90.0 255.255.255.0 host 10.34.4.11 eq 32030
access-list outside remark Migration: End of expansion

I know that the practice now is to use the private IP on the inside and outside interface for consistency, but it will still work with the ACL used on 8.2 code, right?

Thanks!

Rolando A. Valenzuela

6 Replies

Bump

Anyone? :( After some testing I believe it will not work :( Is there a workaround?

Thank you!

Hi Ronaldo,

The flow on the ASA has been changed post 8.3, where NAT untranslation for the destination happens before it checks the access rules. Thus the access rule applied on 8.2 won't help.

In 8.2 we do allow flow coming from outside to inside over Public (Mapped) IP since the access rules do match first and then NAT untranslation happens. But post 8.3, you need to create a rule on Real IP address and not on Mapped IP address to allow the flow.

Please refer the below document to understand the flow pre and post 8.3.

https://learningnetwork.cisco.com/thread/46543

Regards
Pradyumna

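To make the flow change Pradyumna describes concrete, and to show why the migration tool rewrote the ACL in the original post the way it did, here is an added example (not from the thread, Cisco or the migration tool): a small Python model of the inbound outside-to-inside path for a static PAT. The `inbound_allowed` function applies the ACL before untranslation for versions below 8.3 and after untranslation for 8.3 and later, and `migrate` rewrites the 8.2 `static` plus mapped-IP ACE into the 8.4 `object network` / `nat` / real-IP ACE form. The object-group membership and the addresses are the thread's own placeholders, embedded here as constructed sample config; the service-keyword table is a small subset, and the model ignores everything else an ASA does (interface ACL direction, connection table, crypto-map ACLs, implicit deny logging).

```python
"""Toy model of ASA 8.2 vs 8.3+ inbound flow for a static PAT (added example)."""
import ipaddress
from dataclasses import dataclass

# ASA service keywords used in the thread (assumption: small subset, extend as needed)
SERVICE_PORTS = {"https": 443, "http": 80, "ssh": 22}
PORT_KEYWORDS = {v: k for k, v in SERVICE_PORTS.items()}

def port_of(token):
    """Turn an ASA port keyword or number into an int."""
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)

def port_kw(port):
    """Render a port the way ASA shows it (keyword where one exists)."""
    return PORT_KEYWORDS.get(port, str(port))

@dataclass
class StaticPat:
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int

def parse_static(line):
    # static (inside,outside) PROTO MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask MASK
    t = line.split()
    assert t[0] == "static" and t[7] == "netmask", "unsupported static form"
    return StaticPat(t[2], t[3], port_of(t[4]), t[5], port_of(t[6]))

@dataclass
class Ace:
    proto: str
    src: list                      # list of IPv4Network (object-groups expanded)
    dst: ipaddress.IPv4Network
    dport: int                     # None means any port

def _addr(tokens, i, groups):
    """Parse one ASA address spec at tokens[i]; return (networks, next index)."""
    tok = tokens[i]
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if tok == "object-group":
        return list(groups[tokens[i + 1]]), i + 2
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}")], i + 2   # "A.B.C.D M.M.M.M"

def parse_ace(line, groups):
    # access-list NAME extended permit PROTO SRC DST [eq PORT]
    t = line.split()
    assert t[2:4] == ["extended", "permit"], "only extended permit ACEs modelled"
    src, i = _addr(t, 5, groups)
    dst, i = _addr(t, i, groups)
    dport = port_of(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[4], src, dst[0], dport)

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def untranslate(pkt, pats):
    """Inbound (outside->inside) destination untranslation: mapped -> real."""
    for p in pats:
        if (p.proto, p.mapped_ip, p.mapped_port) == (pkt.proto, pkt.dst, pkt.dport):
            return Packet(pkt.proto, pkt.src, p.real_ip, p.real_port)
    return pkt

def acl_permits(aces, pkt):
    """First-match permit; an ACL with no match is an implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for a in aces:
        if a.proto == pkt.proto and any(s in n for n in a.src) and d in a.dst \
                and (a.dport is None or a.dport == pkt.dport):
            return True
    return False

def inbound_allowed(pkt, aces, pats, version):
    """8.2: ACL sees the mapped packet, NAT afterwards. 8.3+: untranslate first, ACL sees real."""
    if tuple(int(x) for x in version.split(".")) < (8, 3):
        return acl_permits(aces, pkt)
    return acl_permits(aces, untranslate(pkt, pats))

def migrate(static_line, ace_line, groups, acl="outside"):
    """Emit the 8.4 equivalent: network object, object NAT, and real-IP ACEs."""
    pat, ace = parse_static(static_line), parse_ace(ace_line, groups)
    assert ipaddress.ip_address(pat.mapped_ip) in ace.dst, "ACE does not reference this static's mapped IP"
    out = [f"object network obj-{pat.real_ip}",
           f" host {pat.real_ip}",
           f" nat (inside,outside) static {pat.mapped_ip} service {pat.proto} "
           f"{port_kw(pat.real_port)} {port_kw(pat.mapped_port)}"]
    for n in ace.src:   # one expanded ACE per group member, on the real IP and real port
        src = "any" if n.prefixlen == 0 else (f"host {n.network_address}" if n.prefixlen == 32
                                             else f"{n.network_address} {n.netmask}")
        out.append(f"access-list {acl} extended permit {ace.proto} {src} host {pat.real_ip} eq {port_kw(pat.real_port)}")
    return out

# Constructed sample config using the thread's placeholder addresses
GROUPS = {"public-ips": [ipaddress.ip_network(n) for n in
                         ("60.60.60.60/30", "70.70.70.0/24", "80.80.80.0/24", "90.90.90.0/24")]}
STATIC_82 = "static (inside,outside) tcp 50.50.50.50 https 10.34.4.11 32030 netmask 255.255.255.255"
ACE_82 = "access-list outside extended permit tcp object-group public-ips host 50.50.50.50 eq https"

def demo():
    pats, old_acl = [parse_static(STATIC_82)], [parse_ace(ACE_82, GROUPS)]
    new_cfg = migrate(STATIC_82, ACE_82, GROUPS)
    new_acl = [parse_ace(l, GROUPS) for l in new_cfg if l.startswith("access-list")]
    pkt = Packet("tcp", "70.70.70.5", "50.50.50.50", 443)        # allowed source, mapped IP:443
    stranger = Packet("tcp", "1.2.3.4", "50.50.50.50", 443)      # source outside the group
    return {"8.2 old acl": inbound_allowed(pkt, old_acl, pats, "8.2"),
            "8.4 old acl": inbound_allowed(pkt, old_acl, pats, "8.4"),
            "8.4 new acl": inbound_allowed(pkt, new_acl, pats, "8.4"),
            "8.4 new acl stranger": inbound_allowed(stranger, new_acl, pats, "8.4"),
            "config": new_cfg}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` shows the point of the thread: the same packet to 50.50.50.50:443 is permitted by the 8.2 ACE under 8.2 semantics and denied under 8.4 semantics, because by the time the ACL is consulted the destination is already 10.34.4.11:32030; the expanded real-IP ACEs emitted by `migrate` permit it again while still rejecting a source that is not in `public-ips`.
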
Thank you both!

Pradypan, regarding the flow, after a lot of testing I found out that the ACLs used by crypto maps need the mapped IP :( and not the real one (if no NAT is allowed), so that kind of messes up all my configuration, making this migration harder for me.

Thanks for the documentation.

Regards.

Hello Rolando,

Just as Pradypan stated, in 8.3 and up the flow changed and now NAT takes precedence over ACL look up, hence the need to reference the real IP address. Also it should be noted that when upgrading from 8.2 to 8.4.7 the ASA takes care of the migration process and changes the ACLs and NAT statement as needed.

Curiously, the crypto map config does not change from one version to another, so it should be the same on both versions.

Regards,

I am not much of an expert in it, but I recently migrated many ASAs from 8.2 to 8.4 and above, and in my experience we need the internal private IP address in ACLs and not the NATed one. So your 8.4 NAT and ACL look good to me.

Regards,

Pawan (CCIE 52104)
