05-13-2013 05:11 AM - edited 03-11-2019 06:42 PM
Hi,
I've been tasked with upgrading a PIX running v6.4 to an ASA5515X running v9.0...
I've done a few previous upgrades manually (rewrite the entire config) and all good but there is a piece of static NAT that has me confused.
How should the following look in the new config... The 10.47.0.216 has to NAT the entire object group behind the 172.19.130.2 address. Not sure of how to do this conversion with the access-list in there.
!
name 172.19.130.2 TS-SERVER
!
interface GigabitEthernet0/0
description *** OUTSIDE ***
nameif outside
!
interface GigabitEthernet0/2
description *** DMZ ***
nameif dmz-mgmt
!
object-group network CUST_LA
network-object 10.45.0.125 255.255.255.255
network-object 10.64.0.176 255.255.255.255
network-object 10.33.0.29 255.255.255.255
network-object 10.51.0.26 255.255.255.255
!
access-list LGCSB_NAT1 permit ip host 172.19.130.2 object-group CUST_LA
!
static (dmz-mgmt,outside) 10.47.0.216 access-list LGCSB_NAT1 0 0
!
Thanks
Fergal
05-13-2013 05:24 AM
Hi,
The configuration should look something like this
object-group network CUST_LA
network-object host 10.45.0.125
network-object host 10.64.0.176
network-object host 10.33.0.29
network-object host 10.51.0.26
object network CUST_LA_NATIP
host 10.47.0.216
object network CUST_LA_SOURCEIP
host 172.19.130.2
nat (dmz-mgmt,outside) source static CUST_LA_SOURCEIP CUST_LA_NATIP destination static CUST_LA CUST_LA
The above basically NATs IP 172.19.130.2 to IP 10.47.0.216 WHEN the destination is ANY of the IPs configured under CUST_LA.
Hope this helps
Remember to mark the reply as the correct answer if it answered your question. And/or rate helpful answers.
Ask more if needed
- Jouni
05-13-2013 05:36 AM
Thanks Jouni,
That makes sense... One small question I have though is:
The 'object network CUST_LA_SOURCEIP' [172.19.130.2] is already part of a one to one NAT to another public address off the 'outside' interface for other external services. Will this matter? The NAT for the query that you answered above is part of a VPN to another customer.
!
object network OBJ-172.19.130.2
nat (dmz-mgmt,outside) static 83.x.x.x
!
Regards
F
05-13-2013 05:42 AM
Hi,
The above NAT configuration that I mentioned will only apply WHEN the destination IP address is some IP address from the CUST_LA "object-group"
So when the source IP address is
172.19.130.2
and the destination IP address is one of the following
object-group network CUST_LA
network-object host 10.45.0.125
network-object host 10.64.0.176
network-object host 10.33.0.29
network-object host 10.51.0.26
THEN the NAT will be applied.
The rest of the traffic will use the Network Object NAT (Static NAT type configuration) for the traffic outbound or inbound on the interface "outside"
So this should NOT affect rest of the connections to the "outside" and therefore NOT cause problems to the Static NAT
- Jouni
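Why the two rules for 172.19.130.2 do not collide, as an added example (not code from the thread or from Cisco): the 8.3+ NAT table is evaluated in three sections, manual (twice) NAT first in configuration order, then network object NAT, then manual NAT entered with `after-auto`, and the first match wins. The script below models that lookup for the rules discussed in this thread. The after-auto default PAT rule is assumed (Jouni's `nat (any,outside) after-auto source dynamic any PAT` form), the rule names are mine, the thread's placeholders 83.x.x.x and x.y.z.w are kept as text rather than real addresses, and the destination 198.51.100.7 is a constructed test value.

```python
"""Model of the ASA 8.3+ NAT lookup order (added example, not from the thread).

Section 1: manual (twice) NAT, evaluated in configuration order.
Section 2: network object NAT, ordered by the ASA itself (static before
           dynamic, longest real-address prefix first), not by config order.
Section 3: manual NAT entered with 'after-auto'.
The first matching rule wins; later sections are never consulted.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def nets(*cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


@dataclass
class NatRule:
    section: int      # 1 = manual NAT, 2 = object NAT, 3 = after-auto
    name: str
    real_src: list    # IPv4Network list; empty = any source
    real_dst: list    # IPv4Network list; empty = any destination
    mapped_src: str   # translated source, kept as text so the thread's
                      # placeholders ("83.x.x.x", "x.y.z.w") can stay as they are


def _matches(addr, networks):
    if not networks:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in networks)


def _object_nat_key(rule):
    # Only static object NAT is modelled, so the longest real prefix comes first.
    return -max((n.prefixlen for n in rule.real_src), default=0)


def lookup(rules, src, dst) -> Optional[NatRule]:
    """Return the first rule the ASA would apply, walking the three sections."""
    for section in (1, 2, 3):
        candidates = [r for r in rules if r.section == section]
        if section == 2:
            candidates.sort(key=_object_nat_key)
        for r in candidates:
            if _matches(src, r.real_src) and _matches(dst, r.real_dst):
                return r
    return None


CUST_LA = nets("10.45.0.125/32", "10.64.0.176/32", "10.33.0.29/32", "10.51.0.26/32")

# Rules for the (dmz-mgmt,outside) pair as discussed in the thread. The object NAT
# is listed first on purpose: position in the config does not matter across sections.
RULES = [
    # object network OBJ-172.19.130.2 / nat (dmz-mgmt,outside) static 83.x.x.x
    NatRule(2, "OBJ-172.19.130.2 static", nets("172.19.130.2/32"), [], "83.x.x.x"),
    # nat (dmz-mgmt,outside) source static CUST_LA_SOURCEIP CUST_LA_NATIP
    #     destination static CUST_LA CUST_LA
    NatRule(1, "CUST_LA policy NAT", nets("172.19.130.2/32"), CUST_LA, "10.47.0.216"),
    # nat (any,outside) after-auto source dynamic any PAT   (assumed catch-all)
    NatRule(3, "after-auto default PAT", [], [], "x.y.z.w"),
]


def translate_source(src, dst, rules=RULES):
    """Return the mapped source address the ASA would use for src -> dst."""
    rule = lookup(rules, src, dst)
    return rule.mapped_src if rule else src


if __name__ == "__main__":
    for dst in ("10.45.0.125", "198.51.100.7"):
        r = lookup(RULES, "172.19.130.2", dst)
        print(f"172.19.130.2 -> {dst}: section {r.section} ({r.name}) -> {r.mapped_src}")
```

The model ignores the interface pair, port translation and the Section 2 static-versus-dynamic ordering, so treat it as an explanation of the precedence rather than a substitute for running `packet-tracer` on the ASA itself once the configuration is loaded.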
05-13-2013 07:16 AM
Thanks for your help Jouni. Very efficient.
05-13-2013 07:24 AM
No problem, thank you for marking the reply as correct.
If you happen to run into some problem with NAT configurations you can always ask here and see if there is someone that can help.
I also went with the same approach to configuration conversion as you right from the start. I also do them manually because that is the way you learn the most about the NAT operation.
If you want to take a look, I made a NAT 8.3+ Document here in the Firewall/Document section. Though at this stage it only contains simple examples you probably know all already. When I have the energy and time to get more into it I will expand on the examples and the whole document.
https://supportforums.cisco.com/docs/DOC-31116
- Jouni
05-17-2013 05:56 AM
Hi Jouni,
I have completed what I hope is correct. If you have a chance could you throw your eye over it and point out any mistakes I may have in my manual conversion? I'm moving from a PIX v6.4 to ASA5515x v9.02 that has 3000+ lines
I've simplified the example but it covers everything and you can assume that all the Objects and ACLs with real IPs are created.
Thanks a million
F
#########
ORIGINAL
#########
!
interface gig0/0
ip address X.Y.Z.2 255.255.255.224
nameif outside
!
interface gig0/1
nameif dmz-mon
ip address 172.19.131.1 255.255.255.0
!
interface gig0/2
nameif inside2
ip address 192.168.122.248 255.255.255.0
!
interface gig0/3
nameif dmz-mgmt
ip address 172.19.130.1 255.255.255.0
!
interface gig0/4
nameif dot
ip address 1.1.1.1 255.255.255.0
!
interface gig0/5
nameif ext-lan
ip address 172.19.132.1 255.255.255.0
!
access-list nonat permit ip 172.19.130.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 172.19.130.0 255.255.255.0 10.1.1.0 255.255.255.0
!
access-list nonat-inside2 permit ip 192.168.122.0 255.255.255.0 192.168.14.0 255.255.255.0
access-list nonat-inside2 permit ip 10.98.0.0 255.255.0.0 192.168.13.0 255.255.255.0
!
global (outside) 1 X.Y.Z.5 netmask 255.255.255.255
nat (dmz-mon) 1 0.0.0.0 0.0.0.0 0 0
nat (inside2) 1 0.0.0.0 0.0.0.0 0 0
nat (ext-lan) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz-mgmt) 0 access-list nonat
nat (inside2) 0 access-list nonat-inside2
!
static (dmz-mon,outside) X.Y.Z.19 172.19.131.19 netmask 255.255.255.255 0 0
static (dmz-mon,outside) X.Y.Z.18 172.19.131.9 netmask 255.255.255.255 0 0
static (dmz-mon,outside) X.Y.Z.24 172.19.131.24 netmask 255.255.255.255 0 0
static (dmz-mon,outside) X.Y.Z.7 172.19.131.26 netmask 255.255.255.255 0 0
static (dmz-mon,outside) X.Y.Z.12 172.19.131.12 netmask 255.255.255.255 0 0
static (dmz-mon,outside) X.Y.Z.20 172.19.131.49 netmask 255.255.255.255 0 0
static (dmz-mon,outside) X.Y.Z.3 172.19.131.13 netmask 255.255.255.255 0 0
!
static (inside2,outside) X.Y.Z.9 192.168.122.200 netmask 255.255.255.255 0 0
static (inside2,outside) X.Y.Z.8 192.168.122.132 netmask 255.255.255.255 0 0
static (inside2,outside) X.Y.Z.6 192.168.122.1 netmask 255.255.255.255 0 0
!
static (dmz-mgmt,outside) X.Y.Z.4 172.19.130.2 netmask 255.255.255.255 0 0
static (dmz-mgmt,outside) 10.47.0.216 access-list CUST_LA 0 0
!
### UNSURE WHY THIS IS HERE ###
static (inside2,dmz-mgmt) 192.168.121.0 192.168.121.0 netmask 255.255.255.0 0 0
static (inside2,dmz-mgmt) 10.17.42.128 10.17.42.128 netmask 255.255.255.128 0 0
static (inside2,dmz-mgmt) 192.168.124.0 192.168.124.0 netmask 255.255.255.0 0 0
static (inside2,dmz-mgmt) 10.98.0.0 10.98.0.0 netmask 255.255.0.0 0 0
static (inside2,dmz-mgmt) 192.168.122.0 192.168.122.0 netmask 255.255.255.0 0 0
static (inside2,dot) 192.168.121.0 192.168.121.0 netmask 255.255.255.0 0 0
static (inside2,dot) 192.168.122.0 192.168.122.0 netmask 255.255.255.0 0 0
static (inside2,dot) 10.98.0.0 10.98.0.0 netmask 255.255.0.0 0 0
static (inside2,ext-lan) 192.168.121.0 192.168.121.0 netmask 255.255.255.0 0 0
static (inside2,ext-lan) 192.168.122.0 192.168.122.0 netmask 255.255.255.0 0 0
static (inside2,ext-lan) 10.98.0.0 10.98.0.0 netmask 255.255.0.0 0 0
static (inside2,dmz-mon) 10.99.0.0 10.99.0.0 netmask 255.255.0.0 0 0
### UNSURE WHY THIS IS HERE ###
!
###########
PROPOSED
###########
!
interface gig0/0
ip address X.Y.Z.2 255.255.255.224
nameif outside
!
interface gig0/1
nameif dmz-mon
ip address 172.19.131.1 255.255.255.0
!
interface gig0/2
nameif inside2
ip address 192.168.122.248 255.255.255.0
!
interface gig0/3
nameif dmz-mgmt
ip address 172.19.130.1 255.255.255.0
!
interface gig0/4
nameif dot
ip address 1.1.1.1 255.255.255.0
!
interface gig0/5
nameif ext-lan
ip address 172.19.132.1 255.255.255.0
!
nat (dmz-mgmt,outside) source static OBJ-172.19.130.2 OBJ-10.47.0.216 destination static CUST_LA CUST_LA
nat (dmz-mgmt,outside) source static OBJ-172.19.130.0 OBJ-172.19.130.0 destination static OBJ-10.1.0.0 OBJ-10.1.0.0 no-proxy-arp route-lookup
nat (dmz-mgmt,outside) source static OBJ-172.19.130.0 OBJ-172.19.130.0 destination static OBJ-10.1.1.0 OBJ-10.1.1.0 no-proxy-arp route-lookup
nat (inside2,outside) source static OBJ-192.168.122.0 OBJ-192.168.122.0 destination static OBJ-192.168.14.0 OBJ-192.168.14.0 no-proxy-arp route-lookup
nat (inside2,outside) source static OBJ-10.98.0.0 OBJ-10.98.0.0 destination static OBJ-192.168.13.0 OBJ-192.168.13.0 no-proxy-arp route-lookup
!
object network ANY-1
nat (dmz-mon,outside) dynamic interface
object network ANY-2
nat (inside2,outside) dynamic interface
object network ANY-3
nat (ext-lan,outside) dynamic interface
object network OBJ-172.19.131.19
nat (dmz-mon,outside) static X.Y.Z.19
object network OBJ-172.19.131.9
nat (dmz-mon,outside) static X.Y.Z.18
object network OBJ-172.19.131.24
nat (dmz-mon,outside) static X.Y.Z.24
object network OBJ-172.19.131.26
nat (dmz-mon,outside) static X.Y.Z.7
object network OBJ-172.19.131.12
nat (dmz-mon,outside) static X.Y.Z.12
object network OBJ-172.19.131.13
nat (dmz-mon,outside) static X.Y.Z.3
object network OBJ-192.168.122.1
nat (inside2,outside) static X.Y.Z.6
object network OBJ-192.168.122.132
nat (inside2,outside) static X.Y.Z.8
object network OBJ-192.168.122.200
nat (inside2,outside) static X.Y.Z.9
object network OBJ-172.19.130.2
nat (dmz-mgmt,outside) static X.Y.Z.4
!
05-17-2013 09:10 AM
Hi,
I don't really see any error in the above with a quick glance.
Here is how I prefer to configure the Default PAT for all my local interfaces (it can naturally be used for VPN Client Dynamic PAT towards the Internet also if clients are using full tunnel)
We can for example define the source addresses within an "object-group" and use an "object network" for the PAT IP address since we are not using the "interface" IP address of "outside"
object-group network DEFAULT-PAT-SOURCE
network-object
network-object
network-object
object network PAT
host x.y.z.w
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE PAT
If you simply want to allow "any" source address to be Dynamic PATed to the IP address then you can use this format to do it with a single "nat" configuration also (Instead of the Network Object NAT you have used above)
object network PAT
host x.y.z.w
nat (any,outside) after-auto source dynamic any PAT
With regards to the NAT configurations that aren't clear to you.
### UNSURE WHY THIS IS HERE ###
static (inside2,dmz-mgmt) 192.168.121.0 192.168.121.0 netmask 255.255.255.0 0 0
static (inside2,dmz-mgmt) 10.17.42.128 10.17.42.128 netmask 255.255.255.128 0 0
static (inside2,dmz-mgmt) 192.168.124.0 192.168.124.0 netmask 255.255.255.0 0 0
static (inside2,dmz-mgmt) 10.98.0.0 10.98.0.0 netmask 255.255.0.0 0 0
static (inside2,dmz-mgmt) 192.168.122.0 192.168.122.0 netmask 255.255.255.0 0 0
static (inside2,dot) 192.168.121.0 192.168.121.0 netmask 255.255.255.0 0 0
static (inside2,dot) 192.168.122.0 192.168.122.0 netmask 255.255.255.0 0 0
static (inside2,dot) 10.98.0.0 10.98.0.0 netmask 255.255.0.0 0 0
static (inside2,ext-lan) 192.168.121.0 192.168.121.0 netmask 255.255.255.0 0 0
static (inside2,ext-lan) 192.168.122.0 192.168.122.0 netmask 255.255.255.0 0 0
static (inside2,ext-lan) 10.98.0.0 10.98.0.0 netmask 255.255.0.0 0 0
static (inside2,dmz-mon) 10.99.0.0 10.99.0.0 netmask 255.255.0.0 0 0
### UNSURE WHY THIS IS HERE ###
To me the above all seem to be Static Identity NAT. Basically translating the network to itself. Generally there is no need for NAT between local interfaces. I mean interfaces like LANs, DMZs, etc.
The older software ASAs usually might have had a configuration command "nat-control" enabled. (This would be located above the first "global" command in the CLI format) Having this setting enabled meant that all traffic needed NAT, so the above type of configurations were typically configured to overcome the "nat-control" setting.
In all my conversions to a higher software level I have ALWAYS left out these types of NAT configurations. This is because the new software doesn't have any concept of "nat-control" anymore. So if you don't have any NAT configurations between your local interfaces then all traffic will be able to flow through the ASA with their original IP addresses (provided other ASA rules allow this)
So I would say that you should only configure NAT between your local interfaces if you specifically need to NAT a local IP address to something else before the traffic heads out another interface.
Usually leaving out this type of NAT configuration has quite nicely shortened the NAT configurations for the ASA after conversion.
My usual steps when starting a conversion are to just go through the current old-format NAT configurations and define how it's supposed to work in general.
I usually start by removing the above type of Static Identity NAT configurations completely.
I might follow with collecting the Dynamic PAT configurations and all Static NAT/PAT configurations between local and "outside" interfaces and convert those to the new format.
Finally I look at the NAT0 and Policy NAT/PAT configurations and any other special cases. The command "packet-tracer" is a great command to confirm if some traffic would hit the correct NAT rule. Though in your case the original firewall's software level is so low that it doesn't support that command, so you aren't able to compare the results using that command at least.
Hope this helps
- Jouni
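The conversion rules from Jouni's first answer and from this review (one-to-one static NAT to object NAT, access-list policy static NAT to twice NAT, `nat 0 access-list` exemption to identity twice NAT with `no-proxy-arp route-lookup`, `global`/`nat` id pairs to after-auto dynamic PAT, and identity static NAT between local interfaces simply dropped) mechanised in Python, as an added example. This is not Cisco's migration tool and not code from the thread; the object naming (OBJ-x, PAT-x), the assumption that `nat 0` exemptions egress via `outside`, and the sample input below, which is assembled from lines quoted in the thread, are all this example's own choices.

```python
"""Convert PIX 6.x / ASA pre-8.3 NAT lines to ASA 8.3+ syntax.

Added example for this thread, not Cisco's own migration tool. Handles the
patterns the thread shows: one-to-one static NAT, policy static NAT driven by
an access-list, NAT exemption (nat 0 access-list), dynamic PAT via global/nat
ids, and identity static NAT, which is dropped because 8.3+ has no nat-control.
Object names (OBJ-x, PAT-x) and the nat 0 egress interface are assumptions.
"""
from collections import defaultdict

HOST = "255.255.255.255"


def _obj(addr, mask):
    """Name and definition lines for a host or subnet network object."""
    name = f"OBJ-{addr}"
    body = f" host {addr}" if mask == HOST else f" subnet {addr} {mask}"
    return name, [f"object network {name}", body]


def _ace_side(tok):
    """Parse one address of 'permit ip SRC DST': host X | NET MASK | object-group G."""
    if tok[0] == "host":
        name, defs = _obj(tok[1], HOST)
    elif tok[0] == "object-group":        # existing group, referenced as-is
        name, defs = tok[1], []
    else:
        name, defs = _obj(tok[0], tok[1])
    return name, defs, tok[2:]


def convert(config, nat0_egress="outside"):
    acls = defaultdict(list)   # acl name -> token lists after 'permit ip'
    pools = {}                 # (interface, pool id) -> mapped ip or 'interface'
    out, seen = [], set()

    def define(name, defs):    # emit an object definition once
        if defs and name not in seen:
            seen.add(name)
            out.extend(defs)

    lines = [l.strip() for l in config.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]
    for l in lines:                                   # pass 1: ACLs and pools
        t = l.split()
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            acls[t[1]].append(t[4:])
        elif t[0] == "global":
            pools[(t[1].strip("()"), t[2])] = t[3]
    for l in lines:                                   # pass 2: NAT statements
        t = l.split()
        if t[0] == "static":
            a, b = t[1].strip("()").split(",")
            mapped = t[2]
            if t[3] == "access-list":                 # policy static NAT -> twice NAT
                for ace in acls[t[4]]:
                    s, sdefs, rest = _ace_side(ace)
                    d, ddefs, _ = _ace_side(rest)
                    m, mdefs = _obj(mapped, HOST)
                    for n, ds in ((s, sdefs), (m, mdefs), (d, ddefs)):
                        define(n, ds)
                    out.append(f"nat ({a},{b}) source static {s} {m} destination static {d} {d}")
            elif t[3] == mapped:                      # identity NAT: obsolete without nat-control
                out.append(f"! dropped (identity NAT, no nat-control in 8.3+): {l}")
            else:                                     # one-to-one static -> object NAT
                n, defs = _obj(t[3], t[5])
                if n in seen:
                    out.append(f"object network {n}")   # re-enter the existing object
                else:
                    define(n, defs)
                out.append(f" nat ({a},{b}) static {mapped}")
        elif t[0] == "nat":
            a = t[1].strip("()")
            if t[2] == "0" and t[3] == "access-list":    # NAT exemption -> identity twice NAT
                for ace in acls[t[4]]:
                    s, sdefs, rest = _ace_side(ace)
                    d, ddefs, _ = _ace_side(rest)
                    define(s, sdefs)
                    define(d, ddefs)
                    out.append(f"nat ({a},{nat0_egress}) source static {s} {s} "
                               f"destination static {d} {d} no-proxy-arp route-lookup")
            elif t[2] != "0":                            # dynamic PAT to a global pool
                for (g_if, g_id), ip in pools.items():
                    if g_id == t[2]:
                        pat = "interface" if ip == "interface" else f"PAT-{ip}"
                        define(pat, [] if ip == "interface" else [f"object network {pat}", f" host {ip}"])
                        out.append(f"nat ({a},{g_if}) after-auto source dynamic any {pat}")
    return "\n".join(out)


# Constructed sample, assembled from lines quoted in the thread.
PIX_SAMPLE = """\
access-list LGCSB_NAT1 permit ip host 172.19.130.2 object-group CUST_LA
access-list nonat permit ip 172.19.130.0 255.255.255.0 10.1.0.0 255.255.255.0
global (outside) 1 X.Y.Z.5 netmask 255.255.255.255
nat (dmz-mon) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz-mgmt) 0 access-list nonat
static (dmz-mon,outside) X.Y.Z.19 172.19.131.19 netmask 255.255.255.255 0 0
static (dmz-mgmt,outside) X.Y.Z.4 172.19.130.2 netmask 255.255.255.255 0 0
static (dmz-mgmt,outside) 10.47.0.216 access-list LGCSB_NAT1 0 0
static (inside2,dmz-mgmt) 192.168.121.0 192.168.121.0 netmask 255.255.255.0 0 0
"""

if __name__ == "__main__":
    print(convert(PIX_SAMPLE))
```

Manual NAT lines land in Section 1 in the order they are emitted, so keep narrow policy NAT lines ahead of any broader exemption that overlaps them, and confirm each converted flow with `packet-tracer` on the new ASA before cutting over; the script only reproduces the translation, not the interface ACLs or routes the traffic also depends on.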
05-21-2013 04:53 AM
Thanks again Jouni. I'll let you know how the migration works out!