07-24-2015 01:47 AM - edited 03-11-2019 11:19 PM
Hi, I'm new to firewalling
I'm trying to upgrade from ASA Ver 7.1(2) to ASA Version 9.2(2)4
I'm having trouble with global NAT
I have the following config
access-list nonat extended permit ip any any
nat (inside) 0 access-list nonat
However, the new version of ASA replied that the syntax is deprecated.
Thanks
07-24-2015 02:35 AM
Hi,
For example, if you have this natting :-
nat (inside) 0 access-list nat_exemption
access-list nat_exemption extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
This translates to the following syntax:-
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-10.0.0.0
subnet 10.0.0.0 255.255.255.0
Therefore, in your case of nat exemption, you may use
nat (inside,any) source static any any
NOTE :- You might want to change "any" to a specific interface as well. (Not mandatory)
Here is a document for your reference:-
http://www.packetu.com/2012/01/31/migrating-asa-nat-exemption-configuration/
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
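Added example, not part of the thread and not Cisco's migration tool: a small Python converter that turns a pre-8.3 `nat (if) 0 access-list` exemption and its ACL entries into 8.3+ network objects plus an identity `nat ... source static` statement. It assumes plain `permit ip` entries using `any`, `host A.B.C.D` or `network mask`, names objects `obj-<address>` as in the reply above, and uses `any` as the destination interface because the old syntax does not name one.

```python
import re

# Constructed sample: the pre-8.3 exemption quoted in the reply above.
SAMPLE = """\
nat (inside) 0 access-list nat_exemption
access-list nat_exemption extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
"""

def _take(tokens):
    """Consume one ACL address spec; return (object name or 'any', object lines)."""
    first = tokens.pop(0)
    if first == "any":
        return "any", []
    if first == "host":
        ip = tokens.pop(0)
        return f"obj-{ip}", [f"object network obj-{ip}", f" host {ip}"]
    mask = tokens.pop(0)
    return f"obj-{first}", [f"object network obj-{first}", f" subnet {first} {mask}"]

def convert(config):
    """Translate 'nat (if) 0 access-list NAME' and its ACEs to 8.3+ syntax."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    objects, nats = [], []
    for line in lines:
        m = re.fullmatch(r"nat \((\S+)\) 0 access-list (\S+)", line)
        if not m:
            continue
        iface, acl = m.groups()
        prefix = f"access-list {acl} extended permit ip "
        for ace in (l for l in lines if l.startswith(prefix)):
            tokens = ace[len(prefix):].split()
            src, src_def = _take(tokens)
            dst, dst_def = _take(tokens)
            for d in (src_def, dst_def):
                if d and d[0] not in objects:   # define each object once
                    objects.extend(d)
            # Identity (exempt) NAT: real and mapped source are the same.
            stmt = f"nat ({iface},any) source static {src} {src}"
            if dst != "any":
                stmt += f" destination static {dst} {dst}"
            nats.append(stmt)
    return objects + nats

if __name__ == "__main__":
    print("\n".join(convert(SAMPLE)))
```

Run on the original poster's `permit ip any any` ACL, it yields the single line `nat (inside,any) source static any any`, which exempts all inside traffic from translation toward every interface.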
07-25-2015 12:34 AM
Thank you for the information
I tried to input nat (inside,any) source static any any
However, I cannot reach the clients connected on the outside interface.
But fortunately I found the solution to my problem.
I used the below commands and the problem was fixed
object network obj_any
nat (inside,inside) dynamic interface
Thank you
07-25-2015 12:48 AM
That's not nat-exemption, you are PATing your traffic to the interface IP.
07-24-2015 04:41 AM
Please read the following document:
It's more or less the reference for switching from pre 8.3-NAT to 8.3 and above-NAT.