
PIX to ASA 5506 NAT

Damiens
Level 1

Hi all,

I am in the process of converting an old PIX firewall that sits inside a DMZ and allows a tunnel to another router and on to the internal network. The current PIX config is below, and the ultimate destination is 192.168.nn.2 from a specific external connecting router, 152.91.nn.nn. As you would know, the old NAT commands no longer work. Could someone point me in the right direction to convert it to suit the ASA5506?

Thanks

Damien

 

access-list acl_outside permit tcp host 152.91.nn.nn host 192.168.nnn.2 eq lotusnotes
access-list acl_outside permit tcp host 152.91.nn.nn host 192.168.nnn.2 eq lotusnotes

 

global (outside) 1 interface
nat (inside) 1 172.16.nnn.0 255.255.255.0 0 0
nat (inside) 1 192.168.nnn.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.nn.2 192.168.nnn.2 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside

2 Replies

Hi,

This will give you an exact answer and a clear guide.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html
Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

ACLs will be the same.

For NAT, something like this will do:

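! Real host from the original static, translated to the mapped address 192.168.nn.2
object network obj-192.168.nnn.2
 host 192.168.nnn.2
 nat (inside,outside) static 192.168.nn.2
!
! All other inside sources use PAT on the outside interface address
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface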
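
The conversion discussed in this thread, as an added example that is not part of either reply or of any Cisco tool: a small Python translator that turns the PIX `static` and `nat`/`global` lines from the question into ASA 8.3+ object NAT. The function name `convert`, the generated object names, and the sample string are assumptions; it handles only host statics and interface PAT, and returns anything else (NAT exemption, port redirection, subnet statics) for manual review instead of guessing.

```python
import re

# Constructed sample: the NAT-related PIX lines from the question, octets masked as posted.
PIX_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 172.16.nnn.0 255.255.255.0 0 0
nat (inside) 1 192.168.nnn.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.nn.2 192.168.nnn.2 netmask 255.255.255.255 0 0
"""

# PIX argument order for static is (real_if,mapped_if) MAPPED REAL.
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")

def convert(pix_text):
    """Return (asa_lines, skipped_lines) for the PIX NAT statements in pix_text."""
    out, skipped, pools = [], [], {}
    lines = [l.strip() for l in pix_text.splitlines() if l.strip()]
    for line in lines:  # first pass: map each NAT id to its global pool
        if (m := GLOBAL_RE.match(line)):
            pools[m.group(2)] = (m.group(1), m.group(3))
    for line in lines:  # second pass: emit one network object per translation
        if (m := STATIC_RE.match(line)):
            real_if, mapped_if, mapped, real, mask = m.groups()
            if mask != "255.255.255.255":
                skipped.append(line)  # subnet static: review by hand
                continue
            out += [f"object network obj-{real}", f" host {real}",
                    f" nat ({real_if},{mapped_if}) static {mapped}"]
        elif (m := NAT_RE.match(line)):
            real_if, nat_id, net, mask = m.groups()
            pool = pools.get(nat_id)
            if pool is None or pool[1] != "interface":
                skipped.append(line)  # nat 0 (exemption) or an address pool
                continue
            out += [f"object network obj-{net}", f" subnet {net} {mask}",
                    f" nat ({real_if},{pool[0]}) dynamic interface"]
        elif not GLOBAL_RE.match(line):
            skipped.append(line)  # ACLs, access-groups, port redirection, etc.
    return out, skipped

if __name__ == "__main__":
    asa, review = convert(PIX_CONFIG)
    print("\n".join(asa))
    print("! manual review:", review)
```

Trailing PIX options such as the connection limits (`0 0`) are dropped, so any non-default values need to be carried over separately.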


