430 Views, 5 Helpful, 3 Replies

PIX to ASA conversion

mickyq (Level 1)

Hi

I'm manually converting a PIX 8.2 config to ASA 9.1.

The question I have is regarding static NATs, e.g.:

static (outside,inside) 172.18.1.6 172.18.1.6 netmask 255.255.255.255

The old method was to basically no-NAT required traffic. I believe in the new IOS this is not required. Can I leave out the config for all these static NATs?

Thanks

3 Replies

Marvin Rhoads (Hall of Fame)

The convention of what order the interfaces are listed changed as of ASA 8.3+. That is why you see it reversed.

I tend to not use the auto-upgrade. I feel that a combination of third-party tools and manual review gives a consistently better outcome. Have a look at the tools at tunnelsup.com. First check for unused objects, ACLs etc. and then remove them from your starting configuration.

https://www.tunnelsup.com/config-cleanup/

Then use the syntax conversion tool there.

https://www.tunnelsup.com/nat-converter/

As always, review the configuration to make sure you understand it. If I'm the one being called if anything goes wrong, I would much rather be prepared before that call comes.

Thanks, Marvin

I have used the NAT converter but I wasn't aware of the config-cleanup. I've manually removed 0-hit ACLs, names and groups. It might have been useful to have that earlier, but thanks for the links.

The original 8.2 config has a lot of static no-NATs. I believe the new IOS doesn't need these as it will only NAT traffic that is configured for NAT; everything else will pass through as it is.

I just wanted confirmation of my understanding.

I suppose I could configure them and remove them if they have no hits. It's just that there are quite a few of them.

Cheers

You're welcome.

You are correct about the ASA not auto-natting (unless it's configured to do so). That behavior replaced the old "nat control" in 8.2 and earlier.

We still usually end up having identity NAT (or twice NAT, as it's sometimes called) to override a more general dynamic NAT statement that is often used as a catch-all for networks where the inside is all RFC 1918 addresses and the outside is public.

But as long as that or any more general NAT statement doesn't cause it to behave differently, an ASA with 8.3+ will not automatically NAT between interfaces.

You can always check your logic with packet-tracer.
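As an added illustration of the answer above (example code, not from this thread and not the tunnelsup converter): a small Python script that parses plain 8.2 `static` lines, emits the 8.3+ object NAT equivalent, and separately lists the identity entries (real address equal to mapped address) so each one can be checked against any broader dynamic NAT, and with packet-tracer, before it is dropped. It assumes the 8.2 form `static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]`; the `obj-...` object names and the sample config are constructed.

```python
import ipaddress
import re
# 8.2 form assumed: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask];
# port (tcp/udp) statics and the 'interface' keyword are out of scope and return None.
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\) "
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+) (?P<real>\d+\.\d+\.\d+\.\d+)"
    r"(?: netmask (?P<mask>\S+))?$"
)
# Constructed sample: the thread's identity static, a host translation, a net-to-net
# translation and a non-NAT line that must be ignored.
SAMPLE_82 = """\
static (outside,inside) 172.18.1.6 172.18.1.6 netmask 255.255.255.255
static (inside,outside) 203.0.113.10 10.10.1.10 netmask 255.255.255.255
static (inside,outside) 198.51.100.0 10.20.0.0 netmask 255.255.255.0
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
"""

def parse_static(line):
    """Parse one 8.2 'static' line into a dict, or return None if it is not a plain static."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    st = m.groupdict()
    st["mask"] = st["mask"] or "255.255.255.255"  # 8.2 default for a host static
    st["identity"] = st["mapped"] == st["real"]    # real == mapped: a no-NAT entry
    return st

def to_83(st):
    """Return the 8.3+ object NAT lines equivalent to one parsed 8.2 static."""
    net = ipaddress.ip_network(f"{st['real']}/{st['mask']}", strict=False)
    out = []
    if net.prefixlen == 32:
        real_def, mapped = f" host {st['real']}", st["mapped"]
    else:
        # An inline mapped address is host-only in 8.3+, so a subnet static needs a mapped object.
        mapped = f"obj-{st['mapped']}-mapped"
        out += [f"object network {mapped}", f" subnet {st['mapped']} {net.netmask}"]
        real_def = f" subnet {net.network_address} {net.netmask}"
    out += [f"object network obj-{st['real']}", real_def,
            f" nat ({st['real_ifc']},{st['mapped_ifc']}) static {mapped}"]
    return out

def convert(config_text):
    """Convert every plain static; also list identity entries (by real IP) to review before dropping."""
    statics = [st for st in map(parse_static, config_text.splitlines()) if st]
    converted = [line for st in statics for line in to_83(st)]
    identity = [st["real"] for st in statics if st["identity"]]
    return converted, identity
```

Run `convert(SAMPLE_82)` and review the second return value: an identity entry is only needed on 8.3+ when a more general dynamic NAT would otherwise translate that host.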
