08-02-2013 09:47 PM - edited 03-11-2019 07:21 PM
Hello all,
I am trying to convert the configurations of PIX 6.3.x to ASA software version 8.6.
I notice that version 8.6 has a different NAT behaviour and configuration from its previous ASA versions.
I have already used the tool and converted the configurations. Can you please advise if NAT was converted fine and if it’s ok to remove nat0 and identity nat on the new ASA 8.6?
Thanks in advance,
Kris...
08-03-2013 01:15 AM
nat0 is done with "twice NAT" on ASA v8.3+. Here is the config-guide:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_rules.html
If you need any more help, then just post your NAT-config.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-03-2013 02:12 AM
Hello Karsten, Appreciate your quick response.... Here is the NAT-config as requested...please let me know if you need more.
global (outside) 1 10.248.46.248
global (outside) 2 10.248.46.249
global (outside) 3 10.248.46.252
nat (inside) 3 access-list cacti-NAT 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (dcndmz) 0 access-list dmznated
nat (dcndmz) 1 192.168.240.129 255.255.255.255 0 0
nat (dcndmz) 2 192.168.240.132 255.255.255.255 0 0
nat (corp2dcndmz) 0 0.0.0.0 0.0.0.0 0 0
nat (corpdmz) 0 0.0.0.0 0.0.0.0 0 0
Rgds,
Kris...
08-03-2013 02:39 AM
HI,
nat (dcndmz) 1 192.168.240.129 255.255.255.255 0 0
global (outside) 1 10.248.46.248
will get replaced by
Object Network IP_192.168.240.129
host 192.168.240.129
nat (inside, outside) static 10.248.46.248
nat (dcndmz) 2 192.168.240.132 255.255.255.255 0 0
global (outside) 2 10.248.46.249
will get replaced by
Object Network IP_192.168.240.132
host 192.168.240.132
nat (inside, outside) static 10.248.46.249
For Nat 0 you can use twice Nat as per below example.
nat (inside,outside) source static IP_192.168.240.129 IP_192.168.240.129 destination static IP_10.248.46.248 IP_10.248.46.248
Let me know if you need anything else, or else kindly post the 3rd NAT information, i.e. the access-list.
Cheers!!
Pankaj
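As an added example (not code from any poster in this thread and not Cisco's migration tool), this Python script pairs each PIX `nat`/`global` id from the posted config and emits 8.3+ object NAT, flagging identity and ACL-based rules for manual twice NAT review. It assumes one `global` address per id, that a `nat`/`global` pair is dynamic NAT/PAT, and a hypothetical `obj-<ip>` naming scheme.

```python
import ipaddress

# nat/global lines as posted in the thread (PIX 6.3 syntax).
PIX_CONFIG = """\
global (outside) 1 10.248.46.248
global (outside) 2 10.248.46.249
global (outside) 3 10.248.46.252
nat (inside) 3 access-list cacti-NAT 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (dcndmz) 0 access-list dmznated
nat (dcndmz) 1 192.168.240.129 255.255.255.255 0 0
nat (dcndmz) 2 192.168.240.132 255.255.255.255 0 0
"""

def convert(config):
    """Return (object_nat_lines, review_notes) for PIX nat/global pairs."""
    rows = [line.split() for line in config.splitlines() if line.strip()]
    # global (mapped_ifc) <id> <address>  ->  {id: (mapped_ifc, address)}
    pools = {r[2]: (r[1].strip("()"), r[3]) for r in rows if r[0] == "global"}
    rules, review = [], []
    for r in (r for r in rows if r[0] == "nat"):
        ifc, nat_id = r[1].strip("()"), r[2]
        if r[3] == "access-list":
            # ACL-driven rules depend on source AND destination: twice NAT.
            kind = "NAT exemption" if nat_id == "0" else "policy NAT"
            review.append(f"{ifc}: {kind} (ACL {r[4]}) needs a twice NAT rule")
        elif nat_id == "0":
            # Identity NAT: no address change is requested.
            review.append(f"{ifc}: identity NAT for {r[3]} {r[4]}, no translation")
        elif nat_id not in pools:
            review.append(f"{ifc}: nat id {nat_id} has no matching global")
        else:
            mapped_ifc, mapped = pools[nat_id]
            net = ipaddress.ip_network(f"{r[3]}/{r[4]}", strict=False)
            name = f"obj-{net.network_address}"  # hypothetical naming scheme
            body = (f"host {net.network_address}" if net.prefixlen == 32
                    else f"subnet {net.network_address} {net.netmask}")
            rules += [f"object network {name}", f" {body}",
                      f" nat ({ifc},{mapped_ifc}) dynamic {mapped}"]
    return rules, review

if __name__ == "__main__":
    rules, review = convert(PIX_CONFIG)
    print("\n".join(rules))
    print("\n".join("! REVIEW " + note for note in review))
```

The review notes are the part to check by hand against the referenced access lists before any `nat 0` line is dropped from the migrated config.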
08-03-2013 02:54 AM
Hello Pankaj,
Thanks for the inputs... I will accept the offer for access list...so here it goes..
access-list corpdcn deny tcp host 10.248.40.230 any
access-list corpdcn permit udp object-group corp-ntp-servers object-group dcn-ntp-servers eq ntp
access-list corpdcn permit tcp object-group retail-stores host 192.168.240.197 eq 135
access-list corpdcn permit ip host 10.248.61.14 192.168.2.0 255.255.255.0 log 2
access-list corpdcn permit ip host 10.248.61.12 192.168.2.0 255.255.255.0 log 2
access-list corpdcn permit tcp 10.248.0.0 255.248.0.0 object-group datastagesrvrs object-group datastage
access-list corpdcn permit ip host 10.248.61.14 192.168.130.0 255.255.255.0 log 2
access-list corpdcn permit ip host 10.248.61.12 192.168.130.0 255.255.255.0 log 2
access-list corpdcn permit ip host 10.248.61.60 192.168.0.0 255.255.0.0 log 2
access-list corpdcn permit tcp host 10.248.44.62 host 192.168.131.98 eq 18184
I did not understand the correction you got back with..."typo 192.168.240.129* and 192.168.240.132*"
Thanks in advance,
Kris...
08-06-2013 01:20 AM
Can someone please help me throw more light into this?...
Thanks & Rgds
Kris...
08-06-2013 02:24 AM
HI,
Please follow below link to configure the same.
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_rules.pdf
Cheers!!
Pankaj
Please rate helpful answers which is better than saying "Thank You".