need to convert old ASA 8.2 config to new 8.4

taurusadnan
Level 1

Hello to all members,

Can anybody help me convert the below config to the new 8.4+ IOS?

static (MGMTSOFTWARE,DMZ) 10.160.129.97 access-list MGMTSOFTWARE_nat_static
access-list MGMTSOFTWARE_access_in extended permit object-group Legator_Networker_Backup host 192.168.3.33 host 10.0.1.12

object-group service Legator_Networker_Backup
 description Ports for Legator Networker Backup
 service-object tcp range 7937 9936
 service-object tcp eq rsh
 service-object udp eq netbios-ns

Thanks a lot


Jouni Forss
VIP Alumni

Hi,

It would be something along these lines

object network MAPPED
 host 10.160.129.97
object network REAL
 host 192.168.3.33
object network DESTINATION
 host 10.0.1.12

object service TCP-RANGE-7937-9936
 service tcp destination range 7937 9936
object service TCP-RSH
 service tcp destination eq rsh
object service UDP-NETBIOS-NS
 service udp destination eq netbios-ns

nat (MGMTSOFTWARE,DMZ) source static REAL MAPPED destination static DESTINATION DESTINATION service TCP-RSH TCP-RSH
nat (MGMTSOFTWARE,DMZ) source static REAL MAPPED destination static DESTINATION DESTINATION service UDP-NETBIOS-NS UDP-NETBIOS-NS
nat (MGMTSOFTWARE,DMZ) source static REAL MAPPED destination static DESTINATION DESTINATION service TCP-RANGE-7937-9936 TCP-RANGE-7937-9936

Hope this helps

Please remember to mark the reply as the correct answer if it answered your question

Ask more if needed

- Jouni

Hi,

Actually, like with your other post, the ACL named in the original NAT configuration and the actual ACL given don't match. Are they different ACLs?

- Jouni

I need your help again, stuck again. I am using Notepad, no ASDM... :)

I need to convert this config:

nat (Inside) 1 access-list Inside_nat_outbound
nat (Inside) 1 10.0.0.0 255.255.255.0
nat (Inside) 1 10.0.1.0 255.255.255.0
nat (Inside) 1 10.0.3.0 255.255.255.0
nat (Inside) 1 10.0.6.0 255.255.255.0
global (outside) 1 interface
access-list Inside_nat_outbound extended permit tcp object-group DM_INLINE_NETWORK_78 any object-group DM_INLINE_TCP_30

I tried to configure it but did not understand how to move forward:

object network DM_INLINE_NETWORK_78
 host 10.0.9.188
 host 10.0.9.20
object service DM_INLINE_TCP_30_tcp-new-0
 service tcp destination eq 8080
object service DM_INLINE_TCP_30_tcp-new-1
 service tcp destination eq https
object service DM_INLINE_TCP_30_tcp-new-2
 service tcp destination eq ftp
object service DM_INLINE_TCP_30_tcp-new-3
 service tcp destination eq ssh
object service DM_INLINE_TCP_30_tcp-new-4
 service tcp destination eq www

object-group service DM_INLINE_TCP_30_tcp-new
 service-object object DM_INLINE_TCP_30_tcp-new-0
 service-object object DM_INLINE_TCP_30_tcp-new-1
 service-object object DM_INLINE_TCP_30_tcp-new-2
 service-object object DM_INLINE_TCP_30_tcp-new-3
 service-object object DM_INLINE_TCP_30_tcp-new-4

object network inside_Network
 subnet 10.0.0.0 255.255.255.0
 subnet 10.0.1.0 255.255.255.0
 subnet 10.0.3.0 255.255.255.0
 subnet 10.0.6.0 255.255.255.0
 nat (inside,outside) dynamic interface

Thanks a lot for your help

Hi,

I would need to know the contents of:

show run object-group id DM_INLINE_NETWORK_78
show run object-group id DM_INLINE_TCP_30

- Jouni

Sorry, I forgot to post it; it is below now:

object-group network DM_INLINE_NETWORK_78
 network-object host 10.0.9.188
 network-object host 10.0.9.20
object-group service DM_INLINE_TCP_30 tcp
 port-object eq www
 port-object eq ssh
 port-object eq ftp
 port-object eq https
 port-object eq 8080

Hi,

You could probably use these configurations.

This first one should handle the normal "nat" and "global" configuration:

object-group network INSIDE-PAT-SOURCE
 network-object 10.0.0.0 255.255.255.0
 network-object 10.0.1.0 255.255.255.0
 network-object 10.0.3.0 255.255.255.0
 network-object 10.0.6.0 255.255.255.0

nat (inside,outside) after-auto source dynamic INSIDE-PAT-SOURCE interface

The below configuration should handle the "nat" and "global" configuration that uses the "access-list":

object-group network INSIDE-POLICY-PAT-SOURCE
 network-object host 10.0.9.188
 network-object host 10.0.9.20

object service WWW
 service tcp destination eq www
object service SSH
 service tcp destination eq ssh
object service FTP
 service tcp destination eq ftp
object service HTTPS
 service tcp destination eq https
object service HTTP-8080
 service tcp destination eq 8080

nat (inside,outside) after-auto source dynamic INSIDE-POLICY-PAT-SOURCE interface service WWW WWW
nat (inside,outside) after-auto source dynamic INSIDE-POLICY-PAT-SOURCE interface service SSH SSH
nat (inside,outside) after-auto source dynamic INSIDE-POLICY-PAT-SOURCE interface service FTP FTP
nat (inside,outside) after-auto source dynamic INSIDE-POLICY-PAT-SOURCE interface service HTTPS HTTPS
nat (inside,outside) after-auto source dynamic INSIDE-POLICY-PAT-SOURCE interface service HTTP-8080 HTTP-8080

Hope this helps

Please remember to mark a reply as the correct answer if it has answered your question.

Ask more if needed

- Jouni
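The first half of that conversion (8.2 "nat" network lines and their "global" line, keyed by NAT ID, turned into an object-group plus one after-auto dynamic PAT rule) is mechanical enough to script for a larger config. The Python helper below is an added example, not from the thread or from Cisco; the object-group naming scheme and the OLD_CONFIG sample are its own assumptions, and access-list based policy NAT lines are flagged for manual conversion rather than translated.

```python
import re
from collections import defaultdict

# Constructed sample: the 8.2 lines posted in the thread (policy NAT line included)
OLD_CONFIG = """\
nat (Inside) 1 access-list Inside_nat_outbound
nat (Inside) 1 10.0.0.0 255.255.255.0
nat (Inside) 1 10.0.1.0 255.255.255.0
nat (Inside) 1 10.0.3.0 255.255.255.0
nat (Inside) 1 10.0.6.0 255.255.255.0
global (outside) 1 interface
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
NAT_RE = re.compile(rf"^nat \((\S+)\) (\d+) ({IP}) ({IP})$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")


def parse_legacy(text):
    """Group 8.2 'nat <net> <mask>' lines and 'global' lines by NAT ID."""
    nets = defaultdict(list)  # (nat_id, real_ifc) -> [(net, mask), ...]
    pools = {}                # nat_id -> (mapped_ifc, pool)
    policy = []               # 'nat ... access-list' lines (policy NAT)
    for line in map(str.strip, text.splitlines()):
        if m := NAT_RE.match(line):
            ifc, nat_id, net, mask = m.groups()
            nets[(nat_id, ifc.lower())].append((net, mask))
        elif m := GLOBAL_RE.match(line):
            ifc, nat_id, pool = m.groups()
            pools[nat_id] = (ifc.lower(), pool)
        elif line.startswith("nat ") and "access-list" in line:
            policy.append(line)
    return nets, pools, policy


def convert(text):
    """Emit an object-group plus one after-auto dynamic PAT rule per NAT ID."""
    nets, pools, policy = parse_legacy(text)
    out = []
    for (nat_id, ifc), members in nets.items():
        if nat_id not in pools:
            raise ValueError(f"nat ID {nat_id} has no matching 'global' line")
        mapped_ifc, pool = pools[nat_id]
        if pool != "interface":  # an address pool would need its own mapped object
            raise ValueError(f"pool '{pool}' for ID {nat_id} is not handled here")
        group = f"{ifc.upper()}-PAT-SOURCE-{nat_id}"  # assumed naming scheme
        out.append(f"object-group network {group}")
        out += [f" network-object {net} {mask}" for net, mask in members]
        out.append(f"nat ({ifc},{mapped_ifc}) after-auto source dynamic {group} interface")
    out += [f"! TODO policy NAT, convert manually: {line}" for line in policy]
    return "\n".join(out)
```

Running `convert(OLD_CONFIG)` reproduces the object-group and after-auto rule above and leaves a TODO line for the access-list based rule, which still needs the per-port service objects.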

Hello Jouni,

I need your help again.

Old config:

nat (Inside) 1 access-list Inside_nat_outbound
global (Outside) 1 interface
access-list Inside_nat_outbound extended permit tcp host 10.0.9.28 host x.x.x.x eq ftp

New config:

object service ftp-10.0.9.28
 service tcp destination eq ftp
object network obj-X.x.x.x
 host x.x.x.x
object network obj-10.0.9.28
 host 10.0.9.28

nat (inside,outside) after-auto source dynamic

Kindly complete the nat command for me, it's so confusing.

Thanks in advance.

Hi,

To me it seems you have several NAT configurations that use the ID number 1. Are these all from the same ASA 8.2 firewall?

object network FTP-POLICY-PAT
 host 10.0.9.28
object network FTP-POLICY-PAT-DEST
 host x.x.x.x

nat (inside,outside) after-auto source dynamic FTP-POLICY-PAT interface destination static FTP-POLICY-PAT-DEST FTP-POLICY-PAT-DEST service FTP FTP

Remember that the NAT is different between these 2 software versions, so I can't guarantee that the above NAT configuration wouldn't be overridden by something you have already configured.

If there is something causing a problem for this rule to work, then we can naturally have a look at your NAT configurations.

Hope this helps

- Jouni

Thanks for your prompt reply, you make my life easy.

Yes, it's the same ASA 8.2; there are so many more access-list statements.

Thanks a lot again

Hi,

Removed the IP address. (EDIT: It's still in your post's ACL though?)

Glad to help with the configurations. Hopefully the configurations provided are working for you. As I don't see the whole configuration, I can't take everything into consideration.

Please remember to mark a reply as the correct answer if it has answered your question.

And naturally ask more if needed

- Jouni
