nat conversion

mickyq
Level 1

Hi

I'm busy working through converting an 8.2 config to the new NAT procedures.

Can someone clarify if my interpretation of this NAT is correct, please?


8.2

nat (dmz) 0 10.1.1.0 255.255.255.0


8.4 upwards

object network OBJ-10.1.1.0-24

     subnet 10.1.1.0 255.255.255.0


nat (dmz,any) after-auto source static OBJ-10.1.1.0-24 OBJ-10.1.1.0-24


I'm placing it after any other NATs in section 3.

2 Accepted Solutions

Hi

I haven't worked with NAT pre-8.2, so I'm not really comfortable with it.

But I think that in pre-8.2 NAT you did identity NAT because of NAT control, meaning you have to have a NAT statement or the traffic won't pass the ASA. That is not the case anymore. So if you want traffic to go from the DMZ to the inside you don't need a NAT statement for it.

So without knowing what your network looks like, I would say you do not need that NAT rule you are describing.


nat (dmz,any) after-auto source static OBJ-10.1.1.0-24 OBJ-10.1.1.0-24


It's OK, but I prefer section 1 (i.e., without after-auto).


However, noNAT / identity NAT statements should usually be restricted to RFC1918 destination subnets. Your example may not enable DMZ hosts' traffic to the Internet to be NATed.

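An added worked example (editor's illustration, not configuration from the original poster or the answerers) that puts the two pieces of advice above together: the identity NAT goes in section 1 (no after-auto) and is scoped with a destination clause to RFC1918 space, and a separate dynamic PAT handles DMZ traffic to the Internet. Interface names (dmz, outside), the object names other than OBJ-10.1.1.0-24, and the network 10.1.1.0/24 itself are taken from or modelled on the thread; everything else is assumed.

```text
! Assumed ASA 8.4+ configuration; object names other than OBJ-10.1.1.0-24 are invented for this example.
object network OBJ-10.1.1.0-24
 subnet 10.1.1.0 255.255.255.0
!
! All three RFC1918 ranges, used only to scope the identity NAT.
object-group network OBJ-RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Section 1 (manual NAT, no after-auto): identity NAT for DMZ hosts,
! but only when the destination is private address space.
nat (dmz,any) source static OBJ-10.1.1.0-24 OBJ-10.1.1.0-24 destination static OBJ-RFC1918 OBJ-RFC1918
!
! Section 2 (object NAT): DMZ hosts going anywhere else get PAT behind the
! outside interface. A separate object is used so the original object's
! definition is untouched.
object network OBJ-10.1.1.0-24-PAT
 subnet 10.1.1.0 255.255.255.0
 nat (dmz,outside) dynamic interface
```

Compare this with the unscoped rule from the question: `nat (dmz,any) after-auto source static OBJ-10.1.1.0-24 OBJ-10.1.1.0-24` has no destination clause, so it matches DMZ-to-Internet flows as well and, placed in section 3, is still checked before the implicit behaviour the second answer relies on would send that traffic to PAT. Adding the destination clause confines the identity translation to private destinations; a quick check after applying it is `packet-tracer input dmz tcp 10.1.1.10 1234 8.8.8.8 80`, which should show the dynamic PAT rule, not the identity rule, as the matched NAT phase.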

4 Replies

Pulkit Saxena
Cisco Employee

Hi,

The new NAT statement that you are applying is a static translation to its own.

Please check this link for the differences in statements between 8.2 and 8.3 and above:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples


Regards,

Pulkit Saxena

mickyq
Level 1

Thanks for your replies, guys.

I believe you are all correct.

What I think I'll do is not apply this NAT unless I come across any problems. I can then try applying it to section 1.

Thanks again.
