PIX Global and NAT statements convert to ASA

ubergeek1
Level 1

I am tasked with replacing an old PIX with an ASA 5505. All was fine until I got to the GLOBAL and NAT commands, when the ASA stated that these are deprecated. After reading documentation online, I unfortunately cannot wrap my head around this. The commands I need to convert are:

global (outside) 1 192.168.5.5
global (outside) 2 interface
nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0

How can I convert these for the ASA? 

Thanks

5 Replies

Jouni Forss
VIP Alumni

Hi,

Are you sure that is the whole configuration? It's just that I see a "global" configuration with ID 2 with no matching "nat" statement. Though naturally it can be some unused old configuration left over.

global (outside) 1 192.168.5.5
nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0

You can convert the above configuration using this format:

object-group network DEFAULT-PAT-SOURCE
 network-object 172.16.32.0 255.255.255.0
 network-object 172.16.35.0 255.255.255.0

object network PAT-IP
 host 192.168.5.5

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE PAT-IP

Do you have some other device holding the public IP address in front of the ASA, since the above "global" has a private IP address? And considering that the ID 2 rule didn't have any source address specifications.

I've also got to admit that I have never used the below configuration myself:

nat (inside) 0 0.0.0.0 0.0.0.0 0 0

Which, to my understanding, is regular Identity NAT. If I understood Cisco's logic with that NAT configuration, it should not override the Dynamic PAT configurations originally on the PIX.

Hope this helps

Please do remember to mark the reply as the correct answer if it answered your question.

Naturally ask more if needed.

- Jouni

Thanks for the reply. Here is the entire config. What else do I need to change?

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password k4HlcGX2lC1ypFOm encrypted
passwd y5Nu/Nt1/5dK8Iuf encrypted
hostname fw
clock timezone EST -5
clock summer-time ESD recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list permit-in permit icmp any any echo
access-list permit-in permit icmp any any echo-reply
access-list permit-in permit ip host 192.168.8.10 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.11 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.12 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.13 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.24 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.7 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.22 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.34 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.25 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.45 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.46 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.47 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.48 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.49 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.50 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.51 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.52 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.154 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.17 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.41 192.168.5.0 255.255.255.0
access-list permit-in permit tcp 192.168.7.0 255.255.255.0 host 192.168.5.36 eq https
access-list permit-in permit ip host 192.168.8.150 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.148 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.149 192.168.5.0 255.255.255.0
pager lines 24
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.15.5 255.255.255.252
ip address inside 192.168.5.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 192.168.5.251
global (outside) 2 interface
nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0
nat (inside) 1 172.16.36.0 255.255.255.0 0 0
nat (inside) 1 172.16.37.0 255.255.255.0 0 0
nat (inside) 1 172.16.38.0 255.255.255.0 0 0
nat (inside) 1 172.16.39.0 255.255.255.0 0 0
nat (inside) 1 172.16.40.0 255.255.255.0 0 0
nat (inside) 1 172.16.45.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.5.90 192.168.5.90 netmask 255.255.255.255 0 0
access-group permit-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.15.5 1
route inside 172.16.32.0 255.255.255.0 192.168.5.25 1
route inside 172.16.35.0 255.255.255.0 192.168.5.25 1
route inside 172.16.36.0 255.255.255.0 192.168.5.25 1
route inside 172.16.37.0 255.255.255.0 192.168.5.25 1
route inside 172.16.38.0 255.255.255.0 192.168.5.25 1
route inside 172.16.39.0 255.255.255.0 192.168.5.25 1
route inside 172.16.40.0 255.255.255.0 192.168.5.25 1
route inside 172.16.45.0 255.255.255.0 192.168.5.25 1
route inside 192.168.205.0 255.255.255.0 192.168.5.25 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d825bff50561364fb1ade3f2547c77ea
: end

Thanks for your help on this!

What would I have to change in the config above to make this work on an ASA that is version 9 IOS? Thanks

Hi,

So this is your NAT configuration:

global (outside) 1 192.168.5.251
global (outside) 2 interface
nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0
nat (inside) 1 172.16.36.0 255.255.255.0 0 0
nat (inside) 1 172.16.37.0 255.255.255.0 0 0
nat (inside) 1 172.16.38.0 255.255.255.0 0 0
nat (inside) 1 172.16.39.0 255.255.255.0 0 0
nat (inside) 1 172.16.40.0 255.255.255.0 0 0
nat (inside) 1 172.16.45.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.5.90 192.168.5.90 netmask 255.255.255.255 0 0

To me it seems that the following configurations won't have to be converted to anything, as they don't do any kind of translation to the original address or they are missing some related configurations.

static (inside,outside) 192.168.5.90 192.168.5.90 netmask 255.255.255.255 0 0
global (outside) 2 interface

You should be able to do the same in the new software with the below configuration:

object-group network DEFAULT-PAT-SOURCE
 network-object 172.16.32.0 255.255.255.0
 network-object 172.16.35.0 255.255.255.0
 network-object 172.16.36.0 255.255.255.0
 network-object 172.16.37.0 255.255.255.0
 network-object 172.16.38.0 255.255.255.0
 network-object 172.16.39.0 255.255.255.0
 network-object 172.16.40.0 255.255.255.0
 network-object 172.16.45.0 255.255.255.0

object network PAT-IP
 host 192.168.5.251

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE PAT-IP

Hope this helps

Please do remember to mark the reply as the correct answer if it answered your question.

- Jouni
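
The mapping Jouni applied by hand in both replies (group the `nat` networks of one NAT ID into an object-group, put the `global` address into a network object, join them with one `after-auto source dynamic` rule, and leave `nat 0` and an unused `global` alone) is mechanical enough to script. The following Python script is an added example for this thread; it is not a Cisco tool and not code from anyone in the thread. The object names (`PAT-SOURCE-<id>-<interface>`, `PAT-IP-<id>-<interface>`) are assumptions, and the two sample inputs are the NAT lines quoted in this thread. It deliberately refuses what it cannot map one-to-one (policy NAT via `access-list`, address pools, non-zero connection limits, which on the ASA belong to a Modular Policy Framework `set connection` policy rather than the NAT rule) and flags those lines for manual review instead of dropping them.

```python
"""Convert PIX 6.x 'global'/'nat' pairs into ASA 8.3+ object-based NAT.

Added example for this thread; not a Cisco tool. Object names are assumptions.
Output lines starting with '!' are review notes, not ASA configuration."""
import re
from collections import defaultdict

# Constructed sample: the NAT section of the PIX config posted in this thread.
PIX_NAT_CONFIG = """\
global (outside) 1 192.168.5.251
global (outside) 2 interface
nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
"""

# Constructed sample: the lines from the last post. Policy NAT (access-list) and
# non-zero connection limits are refused and flagged, never silently dropped.
PIX_POLICY_NAT_CONFIG = """\
global (outside-sftp) 1 172.31.129.26
global (inside) 1 192.168.1.14
nat (DMZ-BRD) 1 access-list NAT-monitorizare tcp 500 1000
nat (DMZ-BRD) 1 10.55.0.0 255.255.0.0 tcp 500 1000
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (interface|" + IPV4 + r")$")
# Only the '0 0' trailer (unlimited conns/embryonic) is accepted; real limits
# belong to an MPF 'set connection' policy on the ASA, not to the NAT rule.
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (" + IPV4 + r") (" + IPV4 + r")(?: 0 0)?$")
NAT_ID_RE = re.compile(r"^nat \(\S+\) (\d+)")


def parse_pix_nat(text):
    """Return (globals_by_id, nats_by_key, unhandled).

    globals_by_id: {nat_id: [(mapped_if, 'interface' or host_ip)]}
    nats_by_key:   {(nat_id, real_if): [(network, mask)]}
    unhandled:     global/nat lines this converter refuses (policy NAT, address
                   pools, connection limits) and that must be reviewed by hand.
    """
    globals_by_id, nats_by_key, unhandled = defaultdict(list), defaultdict(list), []
    for line in (raw.strip() for raw in text.splitlines()):
        g, n = GLOBAL_RE.match(line), NAT_RE.match(line)
        if g:
            globals_by_id[int(g.group(2))].append((g.group(1), g.group(3)))
        elif n:
            nats_by_key[(int(n.group(2)), n.group(1))].append((n.group(3), n.group(4)))
        elif line.startswith(("global ", "nat ")):
            unhandled.append(line)
    return globals_by_id, nats_by_key, unhandled


def convert_to_asa(globals_by_id, nats_by_key, unhandled):
    """Emit ASA 8.3+ lines in the form used above: object-group + after-auto twice NAT."""
    out, defined = [], set()
    for (nat_id, real_if), networks in sorted(nats_by_key.items()):
        if nat_id == 0:
            # 'nat (if) 0 <net> <mask>' without an access-list is identity NAT. ASA 8.3+
            # leaves traffic that matches no NAT rule untranslated, so nothing is emitted.
            out.append(f"! nat ({real_if}) 0: identity NAT, no ASA rule needed")
            continue
        if nat_id not in globals_by_id:
            out.append(f"! nat ({real_if}) {nat_id}: no matching global, review manually")
            continue
        group = f"PAT-SOURCE-{nat_id}-{real_if.upper()}"
        out.append(f"object-group network {group}")
        out.extend(f" network-object {net} {mask}" for net, mask in networks)
        # PIX used the global of whichever interface the traffic left, so emit one
        # ASA rule per (real, mapped) interface pair.
        seen_mapped = set()
        for mapped_if, pool in globals_by_id[nat_id]:
            if mapped_if in seen_mapped:
                out.append(f"! global ({mapped_if}) {nat_id} {pool}: second pool for the same "
                           "interface and ID (PIX fallback order), review manually")
                continue
            seen_mapped.add(mapped_if)
            mapped = "interface"
            if pool != "interface":
                mapped = f"PAT-IP-{nat_id}-{mapped_if.upper()}"
                if mapped not in defined:
                    defined.add(mapped)
                    out += [f"object network {mapped}", f" host {pool}"]
            out.append(f"nat ({real_if},{mapped_if}) after-auto source dynamic {group} {mapped}")
    # A global is only "unused" if no nat line at all (handled or not) carries its ID.
    used = {nat_id for nat_id, _ in nats_by_key}
    for line in unhandled:
        m = NAT_ID_RE.match(line)
        if m:
            used.add(int(m.group(1)))
    for nat_id, pools in sorted(globals_by_id.items()):
        for mapped_if, pool in (pools if nat_id not in used else []):
            out.append(f"! global ({mapped_if}) {nat_id} {pool}: no nat statement uses "
                       f"ID {nat_id}, nothing to convert")
    out.extend(f"! not converted, review manually: {line}" for line in unhandled)
    return out


def convert_pix_nat(text):
    """Parse PIX global/nat text and return the ASA lines plus review notes."""
    return convert_to_asa(*parse_pix_nat(text))


if __name__ == "__main__":
    for sample in (PIX_NAT_CONFIG, PIX_POLICY_NAT_CONFIG):
        print("\n".join(convert_pix_nat(sample)), end="\n\n")
```

Run on the first sample it produces the same object-group, host object and `nat (inside,outside) after-auto source dynamic ... ` rule Jouni wrote, plus a note that `nat (inside) 0` needs no rule and that `global (outside) 2 interface` has no `nat` using ID 2. On the second sample nothing is converted: both `nat (DMZ-BRD) 1` lines are flagged, one because of the `access-list` (policy NAT needs a `destination static` twice-NAT rule written by hand) and both because of the `tcp 500 1000` limits, which need a separate MPF policy on the ASA.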

I use the same thread as I encounter quite the same issue. I have to convert the NAT/Global config from a PIX to an ASA, and I'm not sure about the following config.

global (outside-sftp) 1 172.31.129.26
global (inside) 1 192.168.1.14

nat (DMZ-BRD) 1 access-list NAT-monitorizare tcp 500 1000
nat (DMZ-BRD) 1 10.55.0.0 255.255.0.0 tcp 500 1000

How should the config on the ASA look?

Any help will be much appreciated.

Thank you in advance