cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1665
Views
0
Helpful
6
Replies

nat0 and identity nat on ASA 8.6

krmenon
Level 1
Level 1

Hello all,

I am trying to convert the configurations of PIX 6.3.x to ASA software version 8.6.

I notice that version 8.6 has a different NAT behaviour and configuration from its previous ASA versions.

I have already used the tool and converted the configurations. Can you please advise if NAT was converted fine and if it’s ok to remove nat0 and identity nat on the new ASA 8.6?

Thanks in advance,

Kris...

6 Replies 6

nat0 is done with "twice NAT" on ASA v8.3+. Here is the config-guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_rules.html

If you need any more help, then just post your NAT-config.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hello Karsten,

Appreciate your quick response....

Here is the NAT-config as requested...please let me know if you need more.

global (outside) 1 10.248.46.248
global (outside) 2 10.248.46.249
global (outside) 3 10.248.46.252
nat (inside) 3 access-list cacti-NAT 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (dcndmz) 0 access-list dmznated
nat (dcndmz) 1 192.168.240.129 255.255.255.255 0 0
nat (dcndmz) 2 192.168.240.132 255.255.255.255 0 0
nat (corp2dcndmz) 0 0.0.0.0 0.0.0.0 0 0
nat (corpdmz) 0 0.0.0.0 0.0.0.0 0 0

Rgds,

Kris...

HI,

nat (dcndmz) 1 192.168.240.129 255.255.255.255 0 0
global (outside) 1 10.248.46.248
will get replaced by

Object Network IP_192.168.240.129

host 192.168.240.129

nat (inside, outside) static 10.248.46.248

nat (dcndmz) 2 192.168.240.132 255.255.255.255 0 0
global (outside) 2 10.248.46.249

will get replaced by

Object Network IP_192.168.240.132

host 192.168.240.132

nat (inside, outside) static 10.248.46.249


For Nat 0 you can use twice Nat as per below example.

nat(inside,outside) static source IP_192.168.240.129  IP_192.168.240.129 destination static IP_10.248.46.248 IP_10.248.46.248

Let me know if you need anything else or else kinldy post 3rd Nat information i.e. access-list.

Cheers!!

Pankaj

Hello Pankaj,

Thanks for the inputs... I will accept the offier for access list...so here it goes..

access-list corpdcn deny tcp host 10.248.40.230 any 
access-list corpdcn permit udp object-group corp-ntp-servers object-group dcn-ntp-servers eq ntp 
access-list corpdcn permit tcp object-group retail-stores host 192.168.240.197 eq 135 
access-list corpdcn permit ip host 10.248.61.14 192.168.2.0 255.255.255.0 log 2 
access-list corpdcn permit ip host 10.248.61.12 192.168.2.0 255.255.255.0 log 2 
access-list corpdcn permit tcp 10.248.0.0 255.248.0.0 object-group datastagesrvrs object-group datastage 
access-list corpdcn permit ip host 10.248.61.14 192.168.130.0 255.255.255.0 log 2 
access-list corpdcn permit ip host 10.248.61.12 192.168.130.0 255.255.255.0 log 2 
access-list corpdcn permit ip host 10.248.61.60 192.168.0.0 255.255.0.0 log 2 
access-list corpdcn permit tcp host 10.248.44.62 host 192.168.131.98 eq 18184 

I did not understand the correction you got back with..."typo 192.168.240.129* and 192.168.240.132*"

Thanks in advance,

Kris...

Can someone please help me throw more light into this?...

Thanks & Rgds

Kris...

HI,

Please follow below link to configure the same.

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_rules.pdf

Cheers!!

Pankaj

Please rate helpful answers which is better than saying "Thank You".

Review Cisco Networking for a $25 gift card