06-13-2013 09:11 AM - edited 03-11-2019 06:57 PM
Hello to all members,
Can anybody help me convert the below config to the new 8.4+ IOS?
static (MGMTSOFTWARE,DMZ) 10.160.129.97 access-list MGMTSOFTWARE_nat_static
access-list MGMTSOFTWARE_access_in extended permit object-group Legator_Networker_Backup host 192.168.3.33 host 10.0.1.12
object-group service Legator_Networker_Backup
description Ports for Legator Networker Backup
service-object tcp range 7937 9936
service-object tcp eq rsh
service-object udp eq netbios-ns
Thanks a lot
06-13-2013 09:23 AM
Hi,
It would be something along these lines
object network MAPPED
host 10.160.129.97
object network REAL
host 192.168.3.33
object network DESTINATION
host 10.0.1.12
object service TCP-RANGE-7937-9936
service tcp destination range 7937 9936
object service TCP-RSH
service tcp destination eq rsh
object service UDP-NETBIOS-NS
service udp destination eq netbios-ns
nat (MGMTSOFTWARE,DMZ) source static REAL MAPPED destination static DESTINATION DESTINATION service TCP-RSH TCP-RSH
nat (MGMTSOFTWARE,DMZ) source static REAL MAPPED destination static DESTINATION DESTINATION service UDP-NETBIOS-NS UDP-NETBIOS-NS
nat (MGMTSOFTWARE,DMZ) source static REAL MAPPED destination static DESTINATION DESTINATION service TCP-RANGE-7937-9936 TCP-RANGE-7937-9936
Hope this helps
Please remember to mark the reply as the correct answer if it answered your question
Ask more if needed
- Jouni
06-13-2013 09:36 AM
Hi,
Actually, like with your other post, the ACLs given in the original NAT configuration and the actual ACL given don't match. Are they different ACLs?
- Jouni
06-13-2013 01:02 PM
I need your help again, stuck again. I am using Notepad, no ASDM... :)
I need to convert this config:
nat (Inside) 1 access-list Inside_nat_outbound
nat (Inside) 1 10.0.0.0 255.255.255.0
nat (Inside) 1 10.0.1.0 255.255.255.0
nat (Inside) 1 10.0.3.0 255.255.255.0
nat (Inside) 1 10.0.6.0 255.255.255.0
global (outside) 1 interface
access-list Inside_nat_outbound extended permit tcp object-group DM_INLINE_NETWORK_78 any object-group DM_INLINE_TCP_30
I tried to configure it but did not understand how to move forward.
object network DM_INLINE_NETWORK_78
host 10.0.9.188
host 10.0.9.20
object service DM_INLINE_TCP_30_tcp-new-0
service tcp destination eq 8080
object service DM_INLINE_TCP_30_tcp-new-1
service tcp destination eq https
object service DM_INLINE_TCP_30_tcp-new-2
service tcp destination eq ftp
object service DM_INLINE_TCP_30_tcp-new-3
service tcp destination eq ssh
object service DM_INLINE_TCP_30_tcp-new-4
service tcp destination eq www
object-group service DM_INLINE_TCP_30_tcp-new
service-object object DM_INLINE_TCP_30_tcp-new-0
service-object object DM_INLINE_TCP_30_tcp-new-1
service-object object DM_INLINE_TCP_30_tcp-new-2
service-object object DM_INLINE_TCP_30_tcp-new-3
service-object object DM_INLINE_TCP_30_tcp-new-4
object network inside_Network
subnet 10.0.0.0 255.255.255.0
subnet 10.0.1.0 255.255.255.0
subnet 10.0.3.0 255.255.255.0
subnet 10.0.6.0 255.255.255.0
nat (inside,outside) dynamic interface
Thanks a lot for your help
06-13-2013 01:10 PM
Hi,
I would need to know the contents of
show run object-group id DM_INLINE_NETWORK_78
show run object-group id DM_INLINE_TCP_30
- Jouni
06-13-2013 01:16 PM
Sorry, I forgot to post it; it is now below.
object-group network DM_INLINE_NETWORK_78
network-object host 10.0.9.188
network-object host 10.0.9.20
object-group service DM_INLINE_TCP_30 tcp
port-object eq www
port-object eq ssh
port-object eq ftp
port-object eq https
port-object eq 8080
06-13-2013 01:28 PM
Hi,
You could probably use these configurations
This first one should handle the normal "nat" and "global" configuration
object-group network INSIDE-PAT-SOURCE
network-object 10.0.0.0 255.255.255.0
network-object 10.0.1.0 255.255.255.0
network-object 10.0.3.0 255.255.255.0
network-object 10.0.6.0 255.255.255.0
nat (inside,outside) after-auto source dynamic INSIDE-PAT-SOURCE interface
The below configuration should handle the "nat" and "global" configuration using the "access-list"
object-group network INSIDE-POLICY-PAT-SOURCE
network-object host 10.0.9.188
network-object host 10.0.9.20
object service WWW
service tcp destination eq www
object service SSH
service tcp destination eq ssh
object service FTP
service tcp destination eq ftp
object service HTTPS
service tcp destination eq https
object service HTTP-8080
service tcp destination eq 8080
nat (inside,outside) after-auto source dynamic INSIDE-POLICY-PAT-SOURCE interface service WWW WWW
nat (inside,outside) after-auto source dynamic INSIDE-POLICY-PAT-SOURCE interface service SSH SSH
nat (inside,outside) after-auto source dynamic INSIDE-POLICY-PAT-SOURCE interface service FTP FTP
nat (inside,outside) after-auto source dynamic INSIDE-POLICY-PAT-SOURCE interface service HTTPS HTTPS
nat (inside,outside) after-auto source dynamic INSIDE-POLICY-PAT-SOURCE interface service HTTP-8080 HTTP-8080
Hope this helps
Please remember to mark a reply as the correct answer if it has answered your question.
Ask more if needed
- Jouni
06-14-2013 07:56 AM
Hello Jouni,
I need your help again.
Old config:
nat (Inside) 1 access-list Inside_nat_outbound
global (Outside) 1 interface
access-list Inside_nat_outbound extended permit tcp host 10.0.9.28 host x.x.x.x eq ftp
New config:
object service ftp-10.0.9.28
service tcp destination eq ftp
object network obj-X.x.x.x
host x.x.x.x
object network obj-10.0.9.28
host 10.0.9.28
nat (inside,outside) after-auto source dynamic
Kindly complete the NAT command for me, it's so confusing.
Thanks in advance.
06-14-2013 08:05 AM
Hi,
To me it seems you have several NAT configurations that use the ID number 1? Are these all from the same ASA 8.2 firewall?
object network FTP-POLICY-PAT
host 10.0.9.28
object network FTP-POLICY-PAT-DEST
host x.x.x.x
nat (inside,outside) after-auto source dynamic FTP-POLICY-PAT interface destination static FTP-POLICY-PAT-DEST FTP-POLICY-PAT-DEST service FTP FTP
Remember that the NAT is different between these 2 software versions, so I can't guarantee that the above NAT configuration wouldn't be overridden by something you have already configured.
If there is something causing problems for this rule to work, then we can naturally have a look at your NAT configurations.
Hope this helps
- Jouni
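The replies above translate each 8.2 nat/global pair (with or without a policy access-list) into 8.3+ objects and after-auto twice-NAT statements by hand. The script below is an added example, not code from this thread or from Cisco, that performs the same translation mechanically for the subset of syntax the questions use. It assumes the policy ACL's object-group network can be referenced as-is in the new nat statement, and that port groups must be expanded into one service object per port (twice NAT's service keyword takes a single service object); the output names SRC-*, DST-*, SVC-* and INSIDE-PAT-SOURCE are the script's own convention. The sample input is constructed in the shape of the two questions, with the documentation address 203.0.113.10 standing in for the redacted x.x.x.x.

```python
"""Added example: translate a subset of ASA 8.2 NAT syntax (nat/global pairs,
with or without a policy access-list) into 8.3+ twice-NAT statements."""
import re
from collections import defaultdict


def _addr(tok):
    """Pop one ACL address spec: host X | object-group G | any | NET MASK."""
    t = tok.pop(0)
    if t == "host":
        return ("host", tok.pop(0))
    if t == "object-group":
        return ("group", tok.pop(0))
    if t == "any":
        return ("any",)
    return ("subnet", t, tok.pop(0))


def parse_82(text):
    """Collect nat, global, tcp/udp ACL and port-group lines from an 8.2 config."""
    nats, globs, aces, pgroups = [], {}, defaultdict(list), defaultdict(list)
    group = None  # name of the object-group service whose body we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"nat \((\S+)\) (\d+) access-list (\S+)$", line):
            nats.append((m[1].lower(), int(m[2]), ("acl", m[3])))
        elif m := re.match(r"nat \((\S+)\) (\d+) ([\d.]+) ([\d.]+)$", line):
            nats.append((m[1].lower(), int(m[2]), ("subnet", m[3], m[4])))
        elif m := re.match(r"global \((\S+)\) (\d+) interface$", line):
            globs[int(m[2])] = m[1].lower()
        elif m := re.match(r"access-list (\S+) extended permit (tcp|udp) (.+)$", line):
            tok = m[3].split()
            src, dst = _addr(tok), _addr(tok)
            ports = None  # None | ("eq", port) | ("group", port-group name)
            if tok[:1] == ["eq"]:
                ports = ("eq", tok[1])
            elif tok[:1] == ["object-group"]:
                ports = ("group", tok[1])
            aces[m[1]].append((m[2], src, dst, ports))
        elif m := re.match(r"object-group service (\S+) (tcp|udp)$", line):
            group = m[1]
            continue
        elif group and (m := re.match(r"port-object eq (\S+)$", line)):
            pgroups[group].append(m[1])
            continue
        group = None  # any other line ends the port-group body
    return nats, globs, aces, pgroups


def convert(text):
    """Emit 8.3+ objects and after-auto twice-NAT rules for an 8.2 config."""
    nats, globs, aces, pgroups = parse_82(text)
    objs, rules, seen, subnets = [], [], set(), defaultdict(list)

    def define(name, kind, body):
        if name not in seen:  # define each object once, however often it is used
            seen.add(name)
            objs.append(f"object {kind} {name}\n {body}")
        return name

    def net_object(spec, role):
        if spec[0] == "group":
            return spec[1]  # an existing object-group network is usable as-is in 8.3+
        name = f"{role}-{spec[1].replace('.', '-')}"
        body = f"host {spec[1]}" if spec[0] == "host" else f"subnet {spec[1]} {spec[2]}"
        return define(name, "network", body)

    for in_if, nat_id, target in nats:
        out_if = globs[nat_id]  # KeyError means the 8.2 config has no matching global
        if target[0] == "subnet":
            subnets[(in_if, out_if)].append(f" network-object {target[1]} {target[2]}")
            continue
        for proto, src, dst, ports in aces[target[1]]:
            s = net_object(src, "SRC")
            d = net_object(dst, "DST") if dst[0] != "any" else None
            if ports is None:
                plist = [None]
            elif ports[0] == "eq":
                plist = [ports[1]]
            else:  # twice-NAT 'service' takes one object, so expand the port group
                plist = pgroups.get(ports[1]) or []
                if not plist:
                    raise ValueError(f"port group {ports[1]} not found in input")
            for port in plist:
                rule = f"nat ({in_if},{out_if}) after-auto source dynamic {s} interface"
                if d:
                    rule += f" destination static {d} {d}"
                if port:
                    svc = define(f"SVC-{proto.upper()}-{port.upper()}", "service",
                                 f"service {proto} destination eq {port}")
                    rule += f" service {svc} {svc}"
                rules.append(rule)
    # Broad PAT rules go last: 8.3+ section-3 rules match in configuration order,
    # whereas 8.2 gave policy NAT precedence regardless of where it was typed.
    for (in_if, out_if), members in subnets.items():
        name = f"{in_if.upper()}-PAT-SOURCE"
        objs.append(f"object-group network {name}\n" + "\n".join(members))
        rules.append(f"nat ({in_if},{out_if}) after-auto source dynamic {name} interface")
    return "\n".join(objs + rules)


# Constructed sample in the shape of the questions in this thread (203.0.113.10 is a
# documentation address standing in for the redacted x.x.x.x destination).
SAMPLE_82 = """\
nat (Inside) 1 access-list Inside_nat_outbound
nat (Inside) 1 10.0.0.0 255.255.255.0
nat (Inside) 1 10.0.1.0 255.255.255.0
global (outside) 1 interface
access-list Inside_nat_outbound extended permit tcp object-group DM_INLINE_NETWORK_78 any object-group DM_INLINE_TCP_30
access-list Inside_nat_outbound extended permit tcp host 10.0.9.28 host 203.0.113.10 eq ftp
object-group service DM_INLINE_TCP_30 tcp
 port-object eq www
 port-object eq 8080
"""

if __name__ == "__main__":
    print(convert(SAMPLE_82))
```

The one behaviour worth checking after pasting the output into a real unit is rule order: the script deliberately emits the ACL-derived (more specific) rules before the subnet-wide PAT rule, because in 8.3+ the after-auto section is first-match in configuration order, while 8.2 applied policy NAT ahead of regular NAT no matter where the lines sat. The translated rules still land among whatever section-1 and section-2 NAT the unit already has, which is the same caveat Jouni gives above.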
06-14-2013 08:19 AM
Thanks for your prompt reply, you make my life easy.
Yes, it's the same ASA 8.2; there are so many more access-list statements.
Thanks a lot again
06-14-2013 08:30 AM
Hi,
Removed the IP address. (EDIT: It's still in your post's ACL though?)
Glad to help with the configurations. Hopefully the configurations provided are working for you. As I don't see the whole configuration, I can't take everything into consideration.
Please remember to mark a reply as the correct answer if it has answered your question.
And naturally ask more if needed.
- Jouni