07-11-2014 05:49 AM - edited 03-11-2019 09:27 PM
Hi,
I have the below configuration on my PIX 8.0 which I want to convert to ASA 9.1:
nat (Cust-DMZ) 0 access-list Cust-DMZ_nat0_outbound
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
access-list Cust-DMZ_nat0_outbound extended permit ip host 1.1.1.58 host 1.1.1.57
access-list Cust-DMZ_nat0_outbound extended permit ip host 172.29.83.2 host 172.29.83.1
access-list Cust-DMZ_nat0_outbound extended permit ip host 202.138.123.75 host 10.10.11.20
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.14.1.11 host 10.10.50.150
And there is no "nat (global) 0" command in the PIX for this configuration.
How can I use this in the ASA?
Regards,
Ninad
07-11-2014 07:18 AM
Hi,
The configuration is going to be bigger, at least. I did like the NAT0 more in the old software, when you could use the ACL configuration to handle it and not bloat the NAT configuration needlessly.
There are some strange ACEs in that ACL. I mean the rules where the source and destination seem to be either from the same subnet or just simply host addresses (perhaps loopback interface IP addresses somewhere in the network?) that I wouldn't expect to use the firewall to communicate. Though I will assume those configurations are needed.
You could try the following configuration, though I naturally suggest perhaps coming up with some other naming policy for the "object" configuration if needed.
object network HOST-10.2.1.175
host 10.2.1.175
object network HOST-10.10.49.30
host 10.10.49.30
object network HOST-1.1.1.58
host 1.1.1.58
object network HOST-1.1.1.57
host 1.1.1.57
object network HOST-172.29.83.2
host 172.29.83.2
object network HOST-172.29.83.1
host 172.29.83.1
object network HOST-202.138.123.75
host 202.138.123.75
object network HOST-10.10.11.20
host 10.10.11.20
object network HOST-10.14.1.11
host 10.14.1.11
object network HOST-10.10.50.150
host 10.10.50.150
nat (Cust-DMZ,any) source static HOST-10.2.1.175 HOST-10.2.1.175 destination static HOST-10.10.49.30 HOST-10.10.49.30
nat (Cust-DMZ,any) source static HOST-1.1.1.58 HOST-1.1.1.58 destination static HOST-1.1.1.57 HOST-1.1.1.57
nat (Cust-DMZ,any) source static HOST-172.29.83.2 HOST-172.29.83.2 destination static HOST-172.29.83.1 HOST-172.29.83.1
nat (Cust-DMZ,any) source static HOST-202.138.123.75 HOST-202.138.123.75 destination static HOST-10.10.11.20 HOST-10.10.11.20
nat (Cust-DMZ,any) source static HOST-10.14.1.11 HOST-10.14.1.11 destination static HOST-10.10.50.150 HOST-10.10.50.150
Notice that I configured the destination interface as "any". With that setting it should determine the destination interface based on your ASA's routing table. I personally tend to define that interface, but can't do that in this case as I can't see your routing configuration or routing table.
If you want to read up some on the new NAT configuration format, you can check a document that I wrote in 2013.
Sadly the update to these forums also changed the layout of the document a bit, so some things aren't really as I wish them to be.
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Hope this helps :)
- Jouni
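The conversion Jouni did by hand above (one object per host, one identity twice-NAT rule per ACE) is mechanical, so for larger NAT0 ACLs a small script avoids transcription mistakes. The following is an added example, not code from the thread or from Cisco; it assumes the HOST-/NET- object naming used in the answer, handles `host` and subnet operands, and leaves the destination interface as `any` unless you pass one.

```python
import ipaddress
import re

# Constructed sample input: two of the PIX 8.0 NAT-exemption ACEs quoted in the question.
PIX_ACL = """\
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
access-list Cust-DMZ_nat0_outbound extended permit ip host 1.1.1.58 host 1.1.1.57
"""

def parse_operand(tokens):
    """Consume one ACE address operand: 'host A', 'any', or 'A MASK'.
    Returns (object name, object config lines, remaining tokens)."""
    if tokens[0] == "host":
        ip = tokens[1]
        return f"HOST-{ip}", [f"object network HOST-{ip}", f" host {ip}"], tokens[2:]
    if tokens[0] == "any":
        return "any", [], tokens[1:]          # 'any' needs no object in twice NAT
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    name = f"NET-{net.network_address}-{net.prefixlen}"
    cfg = [f"object network {name}", f" subnet {net.network_address} {net.netmask}"]
    return name, cfg, tokens[2:]

def convert_nat0(acl_text, src_if, dst_if="any"):
    """Turn 'permit ip <src> <dst>' ACEs of a PIX/ASA pre-8.3 'nat 0 access-list'
    into ASA 8.3+/9.x objects plus identity twice-NAT rules (ASA 9.1 syntax)."""
    objects = {}   # name -> config lines; dict keeps insertion order and deduplicates
    nat_lines = []
    for line in acl_text.splitlines():
        m = re.match(r"access-list \S+ extended permit ip (.+)$", line.strip())
        if not m:
            continue   # only 'permit ip' ACEs are converted; anything else needs manual review
        src, src_cfg, rest = parse_operand(m.group(1).split())
        dst, dst_cfg, _ = parse_operand(rest)
        for name, cfg in ((src, src_cfg), (dst, dst_cfg)):
            if cfg:
                objects.setdefault(name, cfg)
        # Identity NAT: mapped == real on both sides, so nothing is translated.
        nat_lines.append(
            f"nat ({src_if},{dst_if}) source static {src} {src} "
            f"destination static {dst} {dst}"
        )
    return [l for cfg in objects.values() for l in cfg] + nat_lines

if __name__ == "__main__":
    print("\n".join(convert_nat0(PIX_ACL, "Cust-DMZ")))
```

Review the generated rules before applying them: twice-NAT rules are evaluated in order, so place these identity rules ahead of any overlapping dynamic rules, exactly as a NAT0 exemption took precedence on the PIX.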