
nat (inside) 0 access-list nonat deprecated

Hi, I'm new to firewalling.

I'm trying to upgrade from ASA Ver 7.1(2) to ASA Version 9.2(2)4.

I'm having trouble with global NAT.

I have the following config:

access-list nonat extended permit ip any any
nat (inside) 0 access-list nonat

However, the new version of ASA replied that the syntax is deprecated.

Thanks


Dinesh Moudgil
Cisco Employee

Hi,

For example, if you have this natting :-
nat (inside) 0 access-list nat_exemption
access-list nat_exemption extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

This translates to the following syntax:-
object network obj-192.168.1.0
  subnet 192.168.1.0 255.255.255.0
object network obj-10.0.0.0
  subnet 10.0.0.0 255.255.255.0

Therefore, in your case of NAT exemption, you may use:

nat (inside,any) source static any any

NOTE: You might want to change "any" to a specific interface as well (not mandatory).

Here is a document for your reference:-
http://www.packetu.com/2012/01/31/migrating-asa-nat-exemption-configuration/

 

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
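
An added example, not part of the original replies and not Cisco's own migration logic: a small Python helper that rewrites pre-8.3 "nat (if) 0 access-list" exemptions into the 8.3+ object and twice-NAT form discussed above, including the nat statement for the 192.168.1.0 to 10.0.0.0 case. It assumes ACL entries are "permit ip" with any, host or subnet/mask operands; the function names are hypothetical and the sample input is constructed from the configs quoted in this thread.

```python
import re

# Constructed sample input: the two legacy configurations quoted in the thread.
LEGACY = """\
nat (inside) 0 access-list nat_exemption
access-list nat_exemption extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip any any
nat (inside) 0 access-list nonat
"""

def operand(tokens):
    """Consume one ACL address operand; return (object name, object body or None)."""
    head = tokens.pop(0)
    if head == "any":
        return "any", None
    if head == "host":
        ip = tokens.pop(0)
        return f"obj-{ip}", f"host {ip}"
    return f"obj-{head}", f"subnet {head} {tokens.pop(0)}"

def migrate_nat0(config):
    """Return (new_config_lines, warnings) for every 'nat (if) 0 access-list' rule."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls = {}
    for l in lines:
        m = re.match(r"access-list (\S+) extended permit ip (.+)$", l)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2).split())
    objects, nats, warnings = {}, [], []
    for l in lines:
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)$", l)
        if not m:
            continue
        ifc, acl = m.groups()
        for entry in acls.get(acl, []):
            tokens = list(entry)
            (src, sbody), (dst, dbody) = operand(tokens), operand(tokens)
            for name, body in ((src, sbody), (dst, dbody)):
                if body:
                    objects[name] = body
            rule = f"nat ({ifc},any) source static {src} {src}"  # identity (exempt) NAT
            if dst != "any":
                rule += f" destination static {dst} {dst}"
            elif src == "any":  # unrestricted exemption: flag it for review
                warnings.append(f"{acl}: 'any any' exempts every flow entering {ifc} from NAT")
            nats.append(rule)
    out = []
    for name, body in objects.items():
        out += [f"object network {name}", f"  {body}"]
    return out + nats, warnings

if __name__ == "__main__":
    new_config, notes = migrate_nat0(LEGACY)
    print("\n".join(new_config + ["WARNING: " + n for n in notes]))
```

Review any warning before pasting the output: an "any any" exemption turns off translation for everything entering that interface, so scoping it to specific subnets is usually the safer migration.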

Thank you for the information.

I tried to input nat (inside,any) source static any any

However, I cannot reach the clients connected on the outside interface.

But fortunately I found the solution to my problem.

I used the below commands and the problem was fixed:

object network obj_any
nat (inside,inside) dynamic interface

Thank you

That's not nat-exemption, you are PATing your traffic to the interface IP.

Please read the following document:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

It's more or less the reference for switching from pre 8.3-NAT to 8.3 and above-NAT.
