nat0 and identity nat on ASA 8.6

krmenon
Level 1

Hello all,

I am trying to convert the configurations of PIX 6.3.x to ASA software version 8.6.

I notice that version 8.6 has a different NAT behaviour and configuration from its previous ASA versions.

I have already used the tool and converted the configurations. Can you please advise if NAT was converted fine and if it’s ok to remove nat0 and identity nat on the new ASA 8.6?

Thanks in advance,

Kris...

nat0 is done with "twice NAT" on ASA v8.3+. Here is the config-guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_rules.html

If you need any more help, then just post your NAT-config.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hello Karsten,

Appreciate your quick response....

Here is the NAT-config as requested...please let me know if you need more.

global (outside) 1 10.248.46.248
global (outside) 2 10.248.46.249
global (outside) 3 10.248.46.252
nat (inside) 3 access-list cacti-NAT 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (dcndmz) 0 access-list dmznated
nat (dcndmz) 1 192.168.240.129 255.255.255.255 0 0
nat (dcndmz) 2 192.168.240.132 255.255.255.255 0 0
nat (corp2dcndmz) 0 0.0.0.0 0.0.0.0 0 0
nat (corpdmz) 0 0.0.0.0 0.0.0.0 0 0

Rgds,

Kris...

Hi,

nat (dcndmz) 1 192.168.240.129 255.255.255.255 0 0
global (outside) 1 10.248.46.248
will get replaced by

object network IP_192.168.240.129
 host 192.168.240.129
 nat (inside,outside) static 10.248.46.248

nat (dcndmz) 2 192.168.240.132 255.255.255.255 0 0
global (outside) 2 10.248.46.249

will get replaced by

object network IP_192.168.240.132
 host 192.168.240.132
 nat (inside,outside) static 10.248.46.249


For NAT 0 you can use twice NAT as per the example below.

nat (inside,outside) source static IP_192.168.240.129 IP_192.168.240.129 destination static IP_10.248.46.248 IP_10.248.46.248

Let me know if you need anything else, or else kindly post the 3rd NAT information, i.e. the access-list.

Cheers!!

Pankaj
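
An added example, not part of the thread and not Cisco's migration tool: a Python script that pairs the PIX `nat`/`global` lines posted above by NAT ID and prints ASA 8.3+ object NAT. It assumes a single-address `global` means dynamic PAT, keeps the real interface from each `nat` line, uses made-up object names (`obj_<ip>`), and only flags `nat 0` and access-list rules for manual review.

```python
import re

# Constructed input: the PIX 6.3 lines posted earlier in this thread.
PIX_CONFIG = """\
global (outside) 1 10.248.46.248
global (outside) 2 10.248.46.249
global (outside) 3 10.248.46.252
nat (inside) 3 access-list cacti-NAT 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (dcndmz) 0 access-list dmznated
nat (dcndmz) 1 192.168.240.129 255.255.255.255 0 0
nat (dcndmz) 2 192.168.240.132 255.255.255.255 0 0
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (access-list \S+|\S+ \S+)")

def convert(pix_text):
    """Return (asa_lines, review_lines) for the nat/global lines in pix_text."""
    pools = {}   # NAT ID -> (mapped interface, mapped address); one global per ID assumed
    rules = []
    for line in pix_text.splitlines():
        if m := GLOBAL_RE.match(line):
            pools[m.group(2)] = (m.group(1), m.group(3))
        elif m := NAT_RE.match(line):
            rules.append((line, *m.groups()))
    asa, review = [], []
    for line, real_if, nat_id, src in rules:
        # nat 0 and access-list (policy) rules depend on ACL contents, and an
        # address range in the global is a pool, not PAT: flag, do not guess.
        if (nat_id == "0" or src.startswith("access-list")
                or nat_id not in pools or "-" in pools[nat_id][1]):
            review.append(line)
            continue
        addr, mask = src.split()
        mapped_if, mapped_ip = pools[nat_id]
        name = f"obj_{addr}"   # hypothetical object name
        real = f"host {addr}" if mask == "255.255.255.255" else f"subnet {addr} {mask}"
        asa += [f"object network {name}", f" {real}",
                f" nat ({real_if},{mapped_if}) dynamic {mapped_ip}"]
    return asa, review

if __name__ == "__main__":
    asa, review = convert(PIX_CONFIG)
    print("\n".join(asa))
    print("\n".join("! review manually: " + r for r in review))
```

The generated rules use `dynamic` because a PIX `nat`/`global` pair only translates connections initiated from the real interface, whereas a `static` rule is bidirectional.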

Hello Pankaj,

Thanks for the inputs... I will accept the offer for access list...so here it goes..

access-list corpdcn deny tcp host 10.248.40.230 any 
access-list corpdcn permit udp object-group corp-ntp-servers object-group dcn-ntp-servers eq ntp 
access-list corpdcn permit tcp object-group retail-stores host 192.168.240.197 eq 135 
access-list corpdcn permit ip host 10.248.61.14 192.168.2.0 255.255.255.0 log 2 
access-list corpdcn permit ip host 10.248.61.12 192.168.2.0 255.255.255.0 log 2 
access-list corpdcn permit tcp 10.248.0.0 255.248.0.0 object-group datastagesrvrs object-group datastage 
access-list corpdcn permit ip host 10.248.61.14 192.168.130.0 255.255.255.0 log 2 
access-list corpdcn permit ip host 10.248.61.12 192.168.130.0 255.255.255.0 log 2 
access-list corpdcn permit ip host 10.248.61.60 192.168.0.0 255.255.0.0 log 2 
access-list corpdcn permit tcp host 10.248.44.62 host 192.168.131.98 eq 18184 

I did not understand the correction you got back with..."typo 192.168.240.129* and 192.168.240.132*"

Thanks in advance,

Kris...

Can someone please help me throw more light into this?...

Thanks & Rgds

Kris...

Hi,

Please follow below link to configure the same.

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_rules.pdf

Cheers!!

Pankaj

Please rate helpful answers which is better than saying "Thank You".