10-09-2012 03:13 PM - edited 03-11-2019 05:06 PM
Is there a good discussion and example out there that explains how to convert your PIX configs to an ASA 8.X?
I'm stuck on how to convert the following to our ASA environment:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (VPN) 1 10.21.1.0 255.255.255.0 0 0
static (inside,DMZ) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (inside,VPN) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (inside,VPN) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
Any suggestions would be greatly appreciated.
--Steve
10-09-2012 03:36 PM
Hi,
If you are using an ASA with software 8.2 or OLDER, you can just copy-paste the configurations as is to the ASA.
However, if your ASA is using 8.3 or NEWER, you will need to convert the NAT to the new format.
If the above configurations really are your only NAT configurations, they are pretty simple to convert even to the new format.
Let me know what software your ASA will be using.
- Jouni
10-09-2012 03:42 PM
Jouni,
We're going from a PIX 6.3 to an ASA running 8.4.
-Steve
10-09-2012 03:55 PM
Hi,
Ok, so looking at your configuration it would seem to me the old/current ones are meant for this:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (VPN) 1 10.21.1.0 255.255.255.0 0 0
static (inside,DMZ) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (inside,VPN) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (inside,VPN) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
By the way, does the DMZ really not have any NAT configurations towards Internet?
So if you want to convert those from 6.3 to 8.4, the new configurations would be the following:
PAT for VPN Internet traffic
object-group network PAT-VPN-SOURCE
network-object 10.21.1.0 255.255.255.0
nat (VPN,outside) after-auto source dynamic PAT-VPN-SOURCE interface
PAT for INSIDE Internet traffic
nat (inside,outside) after-auto source dynamic any interface
All the rest of the NAT configurations (4 static commands) can be left out, as the default behaviour for new ASA software is to pass the traffic unNATed through the ASA IF they don't have a specific NAT rule.
- Jouni
10-11-2012 09:16 AM
Jouni,
Thanks for the info...will start on these shortly. As for your question...
By the way, does the DMZ really not have any NAT configurations towards Internet?
The DMZ should have NAT towards the Internet...how do I do that?
static (outside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0 ??
~Steve
10-11-2012 09:46 AM
Hi,
The command in your earlier post wouldn't handle it, and it also wouldn't work in the new software. 8.4 software has (as you can see) a very different format for NAT configurations.
There are no longer "global/nat" or "static" commands. There's only the "nat" command.
If you want to PAT all DMZ traffic headed to the Internet with the outside interface's public IP address, you can add the following configuration:
nat (DMZ,outside) after-auto source dynamic any interface
If you want to handle the PAT translation towards outside for all the interfaces (inside, DMZ and VPN), you can just simply configure the following NAT:
nat (any,outside) after-auto source dynamic any interface
Naturally, in this case you leave out the other PAT configurations, as you won't need them.
- Jouni
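The conversion Jouni walks through above (interface PAT from `global`/`nat` pairs becomes `nat (real,mapped) after-auto source dynamic ... interface`; identity `static` lines are dropped because 8.3+ forwards unmatched traffic untranslated; the optional `nat (any,outside)` shortcut from the last reply) can be mechanised. The script below is an added example, not code from the thread or from Cisco. It goes beyond the thread in two labelled places: non-identity `static` lines are emitted as 8.3+ object NAT, and any form the script does not understand (nat 0, a `global` that names an address pool instead of `interface`) is listed as a review note rather than guessed. The sample config, the object-group names and the `obj-` prefix are constructed.

```python
import re

# Constructed sample: the PIX 6.3 NAT lines quoted in the thread (a lab config, not production).
PIX_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (VPN) 1 10.21.1.0 255.255.255.0 0 0
static (inside,DMZ) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (inside,VPN) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (inside,VPN) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
"""

# Pre-8.3 syntax being parsed:
#   global (mapped_if) id interface|address
#   nat (real_if) id net mask
#   static (real_if,mapped_if) mapped real netmask mask
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


def convert(pix_text, consolidate=False):
    """Return (asa_lines, review_notes) in ASA 8.3+ 'nat' syntax.

    consolidate=True applies the thread's shortcut of one
    'nat (any,<outside>) ... source dynamic any interface' rule per outside
    interface instead of one rule per inside interface.
    """
    globals_, nats, statics = {}, [], []
    for line in (raw.strip() for raw in pix_text.splitlines()):
        if m := GLOBAL_RE.match(line):
            globals_[m.group(2)] = (m.group(1), m.group(3))   # id -> (mapped_if, target)
        elif m := NAT_RE.match(line):
            nats.append(m.groups())                           # (real_if, id, net, mask)
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())                        # (real_if, mapped_if, mapped, real, mask)

    asa, notes, pat_rules = [], [], []
    for real_if, nat_id, net, mask in nats:
        if nat_id == "0" or nat_id not in globals_:
            notes.append(f"manual review: nat ({real_if}) {nat_id} {net} {mask}")
            continue
        mapped_if, target = globals_[nat_id]
        if target != "interface":
            notes.append(f"manual review: global ({mapped_if}) {nat_id} {target} is a pool, not interface PAT")
            continue
        pat_rules.append((real_if, mapped_if, net, mask))

    if consolidate and pat_rules:
        # One rule per outside interface. Caveat: this widens any subnet-limited PAT
        # (the VPN /24 in the sample) to 'any', so more sources get translated than before.
        for mapped_if in sorted({r[1] for r in pat_rules}):
            asa.append(f"nat (any,{mapped_if}) after-auto source dynamic any interface")
    else:
        for real_if, mapped_if, net, mask in pat_rules:
            if (net, mask) == ("0.0.0.0", "0.0.0.0"):
                src = "any"
            else:
                # Constructed naming scheme, following the thread's PAT-VPN-SOURCE example.
                src = f"PAT-{real_if.upper()}-SOURCE"
                asa += [f"object-group network {src}", f" network-object {net} {mask}"]
            asa.append(f"nat ({real_if},{mapped_if}) after-auto source dynamic {src} interface")

    for real_if, mapped_if, mapped, real, mask in statics:
        if mapped == real:
            # Identity static: 8.3+ passes unmatched traffic untranslated, so nothing to emit.
            notes.append(f"dropped identity static ({real_if},{mapped_if}) {real} {mask}")
            continue
        # Beyond the thread: a real-to-mapped static becomes 8.3+ object NAT.
        obj = f"obj-{real}"
        member = f" host {real}" if mask == "255.255.255.255" else f" subnet {real} {mask}"
        asa += [f"object network {obj}", member, f" nat ({real_if},{mapped_if}) static {mapped}"]
    return asa, notes


if __name__ == "__main__":
    lines, review = convert(PIX_CONFIG)
    print("\n".join(lines))
    print("\n".join(f"! {n}" for n in review))
```

Run it on the sample and the output is the same two PAT rules Jouni wrote, plus four notes recording which identity statics were dropped; `convert(PIX_CONFIG, consolidate=True)` yields the single `nat (any,outside)` rule instead. Keep the review notes with the change ticket: they are the record of what the new config no longer translates, and the consolidated form should be checked against the interface ACLs since it PATs every source on every interface, not just the 10.21.1.0/24 that the old VPN rule covered.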