NAT command conversion PIX 6.3 > 8.4(2)

hattster5 (Level 1)

Hello,

I am in the process of migrating a production firewall from PIX 6.3 to ASA 8.4(2). This is going to be a complete firewall rebuild and I will not be upgrading the configs because they have become out of date and very bloated. I am in the process of converting the NAT commands and I was hoping somebody could verify my conversions. Please see the old and new commands below.

----------- OLD Commands -----------

global (outside) 1 interface
global (intApps) 2 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 10.1.1.233 255.255.255.255 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,intApps) 10.1.2.0 10.1.2.0 netmask 255.255.255.0 0 0
static (inside,intApps) 10.1.3.0 10.1.3.0 netmask 255.255.255.0 0 0
static (inside,intApps) 10.1.4.0 10.1.4.0 netmask 255.255.255.0 0 0
static (inside,intApps) 172.1.1.176 10.1.5.176 netmask 255.255.255.240 0 0
static (inside,intApps) 172.1.2.176 10.1.6.176 netmask 255.255.255.240 0

----------- NEW Commands -----------

object network host_1
        host 10.1.1.233
nat (inside,intapps) dynamic interface

object network NAT-Range-Network_1
        subnet 172.1.1.177 172.1.1.190
object network Network_1
        subnet 10.1.5.176 255.255.255.240
nat (inside,intapps) static NAT-Range-Network_1

object network NAT-Range-Network_2
        subnet 172.1.2.177 172.1.2.190
object network Network_2
        subnet 10.1.6.176 255.255.255.240
nat (inside,intapps) static NAT-Range-Network_2

------------------------------------

I am hoping these commands would be enough to replicate the previous functionality. I removed all the static identity NATs because NAT control is no longer in place, so those rules are not required. Additionally, I didn't re-create the rules that had NAT ID 0 or 1 because it didn't look like they were doing anything.

Also, can someone please let me know if that is the correct way to do the static NAT commands at the bottom?

Please let me know if this configuration will work or where I need to correct some things.

Thanks!

Accepted Solution

Julio Carvajal (VIP Alumni)

Hello,

This will not work:

object network NAT-Range-Network_2
        subnet 172.1.2.177 172.1.2.190
object network NAT-Range-Network_1
        subnet 172.1.1.177 172.1.1.190

You have got to use a netmask; the subnet keyword is to define, as its name says, a subnet, not a range of IP addresses, so you need to change that. Besides that, everything is okay.

Regarding the static question, yes. That is how you do it!

Regards,

Do rate helpful posts,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


3 Replies


Oh haha, that's embarrassing. I actually had the netmask created properly in my config. Although I initially had the range command here because I had initially created the NAT command as dynamic instead of static, and I updated the range command to subnet but forgot to do the mask :/

Just to verify: if I update the mask properly, these NAT commands should work identically to the other commands, and nothing else is needed to replicate the previous NAT implementation?

Thanks!

Hello,

That is correct, that is all you need and you will be ready,

Please mark the question as answered unless you have other questions; I will be more than glad to help.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC