Malcolm Booden

NAT / PAT config conversion from PIX v6 to ASA Software 8.3 and above

Hi folks,

I'm currently working on converting some PIX firewall configs to ASA and wanted to check I was on the right track, as I don't currently have the ASAs, so I'm doing the configs up front!

Everything seems straightforward in the conversion and I've used the pixtoasa tool for some of it, but NAT is implemented differently on 8.3; the PIX was running v6 and I'm used to doing mainly static one-to-one NAT in ASDM.

The scenario is that the PIX has 3 NAT groups which are mapped to 3 separate addresses, where multiple hosts are behind the NAT / PAT. Current config of the PIX is as follows (obviously the names are defined further up the config so this is an extract of the PIX):


global (outside) 1
global (outside) 2
global (outside) 3
nat (inside) 0 access-list no-nat-all
nat (inside) 2 Host_1 0 0
nat (inside) 2 Host_2 0 0
nat (inside) 2 Host_3 0 0
nat (inside) 1 Host_4 0 0
nat (inside) 1 Host_5 0 0
nat (inside) 1 Host_6 0 0
nat (inside) 1 Host_7 0 0
nat (inside) 3 Network_3 0 0


ASA Config

After a fair amount of reading up on this topic, I'm looking at changing the ASA config in software version 8.3 to the following. Also, is it easier to just do this in ASDM? It looks pretty easy from YouTube videos, but I'd rather have something to put on the box NAT-wise when I arrive at site, as opposed to working it out there!

Define NAT Objects (outside IP addresses)

object network NAT_1_outside_10.50.50.38
object network NAT_2_outside_10.50.50.39
object network NAT_3_outside_10.50.50.49

Define NAT Objects (inside IP addresses)

object-group network NAT_1_Objects
network-object Host_4
network-object Host_5
network-object Host_6
network-object Host_7
nat (inside,outside) dynamic NAT_1_outside_10.50.50.38

object-group network NAT_2_Objects
network-object Host_1
network-object Host_2
network-object Host_3
nat (inside,outside) dynamic NAT_2_outside_10.50.50.39

object-group network NAT_3_Objects
network-object Network_1
nat (inside,outside) dynamic NAT_3_outside_10.50.50.49

Any assistance with this would be appreciated.



Cisco Employee

Hi Malcolm,

You have the idea right conceptually, but the syntax is not quite right. You can only configure a NAT rule in global config mode or under an object, not under an object-group.

What you're trying to achieve would look something like this (in global config mode):

ASA(config)# nat (inside,outside) source dynamic NAT_1_Objects NAT_1_outside_10.50.50.38
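
The correction in the reply above, carried through for all three of the poster's NAT IDs, as an added example (not code from the thread or from Cisco): a small Python converter that pairs PIX v6 `global`/`nat` lines by NAT ID and emits ASA 8.3 object definitions plus one global-config-mode twice-NAT rule per ID, which generalizes the single line shown. Assumptions: the global addresses are read off the poster's object names, the masks in the sample are made up, Host_n and Network_3 are assumed to already exist on the ASA as `object network` definitions, and `convert` and `SAMPLE_PIX` are names introduced here.

```python
import re
from collections import defaultdict
PIX_LINE = re.compile(r"^(global|nat) \((\w+)\) (\d+) (\S+)")
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
# Constructed sample: the thread's PIX extract plus assumed global addresses and masks.
SAMPLE_PIX = """\
global (outside) 1 10.50.50.38
global (outside) 2 10.50.50.39
global (outside) 3 10.50.50.49
nat (inside) 0 access-list no-nat-all
nat (inside) 2 Host_1 255.255.255.255 0 0
nat (inside) 2 Host_2 255.255.255.255 0 0
nat (inside) 2 Host_3 255.255.255.255 0 0
nat (inside) 1 Host_4 255.255.255.255 0 0
nat (inside) 1 Host_5 255.255.255.255 0 0
nat (inside) 1 Host_6 255.255.255.255 0 0
nat (inside) 1 Host_7 255.255.255.255 0 0
nat (inside) 3 Network_3 255.255.255.0 0 0
"""

def convert(pix_text):
    """Return (asa_lines, skipped) for NAT IDs that map to one global address."""
    pools, members, skipped, asa = {}, defaultdict(list), [], []
    for line in map(str.strip, pix_text.splitlines()):
        if not (m := PIX_LINE.match(line)):
            continue
        kind, ifc, nat_id, arg = m.groups()
        if kind == "nat" and nat_id != "0":
            members[nat_id].append((ifc, arg))
        elif kind == "global" and IPV4.fullmatch(arg):
            pools[nat_id] = (ifc, arg)
        else:
            skipped.append(line)  # nat 0 exemption, global ranges, "interface"
    for nat_id in sorted(members, key=int):
        if nat_id not in pools:
            skipped += [f"nat ({i}) {nat_id} {a}" for i, a in members[nat_id]]
            continue
        (out_if, addr), real_if = pools[nat_id], members[nat_id][0][0]
        mapped, group = f"NAT_{nat_id}_outside_{addr}", f"NAT_{nat_id}_Objects"
        asa += [f"object network {mapped}", f" host {addr}",
                f"object-group network {group}"]
        # Assumption: each PIX name already exists on the ASA as an "object network".
        asa += [f" network-object object {a}" for _, a in members[nat_id]]
        # Twice NAT goes in global config mode, not under the object-group.
        asa.append(f"nat ({real_if},{out_if}) source dynamic {group} {mapped}")
    return asa, skipped

if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_PIX)[0]))
```

The `nat (inside) 0 access-list no-nat-all` exemption is returned in `skipped` rather than converted, so it still needs its own rule on the ASA.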


I cannot make heads or tails of what you're trying to accomplish in plain English first, before looking at router setup.

If you're talking about hosting servers behind the router on your private LAN (assuming one public WAN IP), then one uses ACLs to control external users by individual OR GROUP and static NAT to port forward users to the correct server. One does not worry about groups of users for this direction of NAT rule.

If what you're saying is that you have a LAN and 3 different groups of users on the LAN that need to go to specific external IP addresses (external servers), then once again I would say you should use ACLs to limit-authorize users and simply use NAT for port translation purposes. So conceptually speaking, allow all LAN users static NAT, and then only allow group 1 hosts access to the first external IP, group 2 hosts to the second external IP, and group 3 hosts to the third external IP. Note you will have to add a deny rule in the firewall in general, because normally higher to lower security interface is allowed by default.

Am I close... before going any further, need more details on the requirements, never mind setup.
