I have to change an old NAT config into the 8.4(2) version. I read the Cisco migration docs and everything, but I'm still kind of confused. It'd be nice if someone could help me with this example:
nat (vlan12) 0 access-list No_Nat
access-list No_Nat extended permit ip any any
access-list allowany extended permit ip any any
access-group allowany in interface outside
Thanks a million...
To be honest I have never configured NAT in such a way even on the older software. I have always defined at least the source address/network and usually the destination too.
I would personally probably configure the networks behind interface "vlan12" under an "object-group network" and then use that in a NAT configuration:
object-group network VLAN12-NETWORKS
network-object 10.10.12.0 255.255.255.0
network-object 10.10.112.0 255.255.255.0
network-object 10.10.212.0 255.255.255.0
nat (vlan12,any) source static VLAN12-NETWORKS VLAN12-NETWORKS
Another option I thought of was
nat (vlan12,any) source static any any
But I tend to avoid using "any" in NAT configurations.
I am not sure in what kind of network this original NAT configuration is in use. Are there perhaps only public IP addresses used behind this interface? Or is this perhaps some internal firewall that is not meant to perform private to public NAT for the networks?
Thank you for your reply. I got the concept of modular configuration and object network, but I'm not sure how to use it for this any any situation...
Is this it: nat (vlan12,any) source static any any
There are public addresses behind the interfaces, so it actually is not doing NAT. I've been asked to migrate the exact same config to 8.4, and the more I read on Cisco.com the more I get confused.
There is no more "nat-control".
On a very basic firewall setup you would currently only configure Dynamic PAT/NAT towards the public network. No other NAT would be needed, for example between your local interfaces, if you didn't specifically want to NAT the addresses.
The idea of using the "object-group network" to group all the networks behind "vlan12" was simply to try to keep the NAT operation the same without using the "any" parameter.
I did write a NAT 8.3+ document here on the CSC, though it's still work in progress.
So, what you basically mean is that while in the older version it needed the above configuration to allow any traffic to flow freely (without NAT) between the interfaces, in version 8.3+ it's not necessary to add anything, just leave it as is and it would work just fine! Did I get it right?
Thanks for the info again!
In general, if you had a setup where the firewall was ONLY doing access control and NAT was not required at all, then you could leave the ASA on the new software without any NAT configurations.
But usually the situation is that there are some NAT configurations that need to be applied, as firewalls are typically at the edge of the internal and external network.
I tend to first go through the entire NAT configuration and operation of the firewall that is about to be migrated. Then I build the new NAT rules on the basis of that.
Usually I first convert the Dynamic PAT/NAT and Static NAT/PAT rules and leave the special Policy NAT or NAT0 configurations last.
I am very hesitant to say that I am 100% sure the above configurations would handle your situation, BUT it looks to me that it should do the same. As I said, I would rather be as specific as I can when building the NAT rules and avoid using "any" in the NAT configurations, just to avoid any possible surprises with the NAT operation.
Since there is nothing NAT-specific in the old IOS configuration, I guess it's safe to go by the any any config.
It's just the nat-control and a bunch of nat (vlanX) 0 access-list ... config. That's all.
Thanks for your elaboration, Jouni.
So it seems that the current firewall configuration has "nat-control" which basically means that there needs to be some NAT configuration for traffic passing the firewall.
Since all the NAT configurations are NAT0, it would seem that you might be able to leave out all NAT configurations from the new software version.
Please do remember to mark a reply as the correct answer if it answered your question and/or rate helpful answers.
Feel free to ask more if needed.
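The conversion Jouni walks through above (old "nat (iface) 0 access-list" rules into 8.3+ identity twice NAT, with real subnets wrapped in objects instead of "any"), as an added helper script that is not from the thread or from Cisco. The sample pre-8.3 config, the second ACL with real subnets, and the object naming scheme are constructed assumptions; nat-control is dropped because 8.3+ has no equivalent.

```python
import re
from collections import defaultdict

# Constructed pre-8.3 config in the shape the thread describes; the second ACL
# with real subnets is an added assumption so the non-"any" path is exercised.
OLD_CONFIG = """\
nat-control
access-list No_Nat extended permit ip any any
access-list No_Nat_13 extended permit ip 10.10.13.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (vlan12) 0 access-list No_Nat
nat (vlan13) 0 access-list No_Nat_13
"""
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

def _operand(tokens):
    """Consume one ACE address operand: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "255.255.255.255"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def _as_object(addr, objects):
    """Return the 8.3+ operand; real subnets become an 'object network' (naming scheme assumed)."""
    if addr == "any":
        return "any"
    ip, mask = addr
    name = f"NET-{ip.replace('.', '-')}_{mask.replace('.', '-')}"
    objects[name] = f"object network {name}\n subnet {ip} {mask}"
    return name

def migrate_nat0(old_config):
    """Turn pre-8.3 'nat (iface) 0 access-list' rules into 8.3+ identity (twice) NAT rules."""
    aces, nat0 = defaultdict(list), []
    for line in old_config.splitlines():
        if m := ACE_RE.match(line.strip()):
            aces[m.group(1)].append(m.group(2).split())
        elif m := NAT0_RE.match(line.strip()):
            nat0.append((m.group(1), m.group(2)))
    objects, rules = {}, []
    for iface, acl in nat0:
        for tokens in aces[acl]:
            src, rest = _operand(tokens)
            dst, _ = _operand(rest)
            s, d = _as_object(src, objects), _as_object(dst, objects)
            # Identity NAT: translate each side to itself; name the destination only when the ACE did.
            dst_part = f" destination static {d} {d}" if d != "any" else ""
            rules.append(f"nat ({iface},any) source static {s} {s}{dst_part}")
    return "\n".join(list(objects.values()) + rules)
```

For the all-"any" case in the question the script emits exactly the "nat (vlan12,any) source static any any" rule discussed above, which is also the rule you can simply omit if no NAT is wanted at all.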