cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
753
Views
10
Helpful
7
Replies

Please help !!!

Rohit Mangotra
Level 1
Level 1

We were running Cisco ASA 5520 version 5.2 at the moment, and now we are upgrading to ASA 5525 X series version 8.6. Below is the sample code that I have attached, could anyone please tell me if I am doing this right? Thank you very much.

current version 5.1

global (outside) 2 202.190.70.80

global (dmz) 2 192.168.1.59

nat (inside) 2 172.16.2.0 255.255.255.252

nat (inside) 2 172.16.5.0 255.255.255.0

nat (inside) 2 172.16.10.0 255.255.255.0

nat (inside) 2 172.16.108.0 255.255.255.192

nat (inside) 2 172.16.108.64 255.255.255.192

nat (inside) 2 172.20.1.0 255.255.255.0

nat (inside) 2 172.30.1.0 255.255.255.0

nat (inside) 2 192.168.128.0 255.255.255.252

nat (inside) 2 192.168.129.0 255.255.255.252

nat (dmz) 2 192.168.1.0 255.255.255.0

------------------------------------------------------------------------------------------------

To new ASA version 8.6

nat (inside) 2 172.16.2.0 255.255.255.252

>> object network obj-172.16.2.0

   subnet 172.16.2.0 255.255.255.252

   nat (inside,outside) dynamic 202.190.70.80

   nat (inside,dmz) dynamic 192.168.1.59

nat (inside) 2 172.16.5.0 255.255.255.0

>> object network obj-172.16.5.0

   subnet 172.16.5.0 255.255.255.0

   nat (inside,outside) dynamic 202.190.70.80

   nat (inside,dmz) dynamic 192.168.1.59

nat (inside) 2 172.16.10.0 255.255.255.0

>> object network obj-172.16.10.0

   subnet 172.16.10.0 255.255.255.0

   nat (inside,outside) dynamic 202.190.70.80

   nat (inside,dmz) dynamic 192.168.1.59

nat (inside) 2 172.20.1.0 255.255.255.0

>> object network obj-172.20.1.0

   subnet 172.20.1.0 255.255.255.0

   nat (inside,outside) dynamic 202.190.70.80

   nat (inside,dmz) dynamic 192.168.1.59

nat (inside) 2 172.30.1.0 255.255.255.0

>> object network obj-172.30.1.0

   subnet 172.30.1.0 255.255.255.0

   nat (inside,outside) dynamic 202.190.70.80

   nat (inside,dmz) dynamic 192.168.1.59

nat (inside) 2 172.16.108.0 255.255.255.192

>> object network obj-172.16.108.0

   subnet 172.16.108.0 255.255.255.192

   nat (inside,outside) dynamic 202.190.70.80

   nat (inside,dmz) dynamic 192.168.1.59

nat (inside) 2 172.16.108.64 255.255.255.192

>> object network obj-172.16.108.64

   subnet 172.16.108.64 255.255.255.192

   nat (inside,outside) dynamic 202.190.70.80

   nat (inside,dmz) dynamic 192.168.1.59

nat (inside) 2 192.168.128.0 255.255.255.252

>> object network obj-192.168.128.0

   subnet 192.168.128.0 255.255.255.252

   nat (inside,outside) dynamic 202.190.70.80

   nat (inside,dmz) dynamic 192.168.1.59

nat (inside) 2 192.168.129.0 255.255.255.252

>> object network obj-192.168.129.0

   subnet 192.168.129.0 255.255.255.252

   nat (inside,outside) dynamic 202.190.70.80

   nat (inside,dmz) dynamic 192.168.1.59

nat (dmz) 2 192.168.1.0 255.255.255.0

>> object network obj-192.168.1.0

   subnet 192.168.1.0 255.255.255.0

   nat (dmz,outside) dynamic 202.190.70.80

   nat (dmz,dmz) dynamic 192.168.1.59

1 Accepted Solution

Accepted Solutions

Hi,

Yes, you could do it in the above way but in my opinion it just generates so much more configurations that it makes the configuration messy and harder to read.

The example I gave only generates 3 actual NAT configurations along with the couple of "object-group" and "object" and achieves all the same things.

The NAT configuration format that I use are basically Manual NAT while your examples are Auto NAT.

Manual NAT is by default Section 1, which means its matched first from all the NAT configurations. With an "after-auto" parameter in the configuration its moved to Section 3 which essentially lowers it to the very bottom priority when matching NAT rules/configurations.

The Auto NAT is always Section 2 which places it to the middle in terms of priority when matching NAT rules/configurations)

One big different with Auto NAT and Manual NAT is the fact that Manual NAT can NAT both the source and the destination address. That is why you are seeing parameters like "source dynamic".

There is some more information related to the new NAT on a document I wrote here on CSC

https://supportforums.cisco.com/docs/DOC-31116

Hope this helps

Please  do remember to mark a reply as the correct answer if it answered your question.

- Jouni

View solution in original post

7 Replies 7

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

The first thing to notice is that you can only have a SINGLE "nat" statement under an "object network" so that configuration you propose wont work.

What you could try are the following

object-group network INSIDE-PAT-SOURCE

network-object 172.16.2.0 255.255.255.252

network-object 172.16.5.0 255.255.255.0

network-object 172.16.10.0 255.255.255.0

network-object 172.16.108.0 255.255.255.192

network-object 172.16.108.64 255.255.255.192

network-object 172.20.1.0 255.255.255.0

network-object 172.30.1.0 255.255.255.0

network-object 192.168.128.0 255.255.255.252

network-object 192.168.129.0 255.255.255.252

object network OUTSIDE-PAT-IP

host 202.190.70.80

object network DMZ-PAT-IP

host 192.168.1.59

nat (inside,outside) after-auto source dynamic INSIDE-PAT-SOURCE OUTSIDE-PAT-IP

nat (inside,dmz) after-auto source dynamic INSIDE-PAT-SOURCE DMZ-PAT-IP

The above configuration should handle Dynamic PAT from "inside" to "outside" and from "inside" to "dmz". Though I personally rather not configure any dynamic NAT/PAT between my local interfaces but I assume you have some reason for it, perhaps related to routing behind "dmz"

object-group network DMZ-PAT-SOURCE

network-object 192.168.1.0 255.255.255.0

nat (dmz,outside) after-auto source dynamic DMZ-PAT-SOURCE OUTSIDE-PAT-IP

The above configuration should handle Dynamic PAT from "dmz" to "outside".

Hope this helps

Please  do remember to mark a reply as the correct answer if it answered your question.

- Jouni

Thanks a lot Jouni for the quick reply. Based on your suggestion that we can not use more than one NAT statement under Object Network. Can we do the following way?

nat (inside) 2 172.16.2.0 255.255.255.252

>> object network obj-172.16.2.0

   subnet 172.16.2.0 255.255.255.252

   nat (inside,outside) dynamic 202.190.70.80

   object network obj-172.16.2.0-01

   subnet 172.16.2.0 255.255.255.252

   nat (inside,dmz) dynamic 192.168.1.59

Furthermore, I am not familiar with after-auto source  dynamic command yet. I will do bit more reading on this one. However, the way you suggest seems straight forward and easy to follow.

Thank You,

Regards

Rohit.

Hi,

Yes, you could do it in the above way but in my opinion it just generates so much more configurations that it makes the configuration messy and harder to read.

The example I gave only generates 3 actual NAT configurations along with the couple of "object-group" and "object" and achieves all the same things.

The NAT configuration format that I use are basically Manual NAT while your examples are Auto NAT.

Manual NAT is by default Section 1, which means its matched first from all the NAT configurations. With an "after-auto" parameter in the configuration its moved to Section 3 which essentially lowers it to the very bottom priority when matching NAT rules/configurations.

The Auto NAT is always Section 2 which places it to the middle in terms of priority when matching NAT rules/configurations)

One big different with Auto NAT and Manual NAT is the fact that Manual NAT can NAT both the source and the destination address. That is why you are seeing parameters like "source dynamic".

There is some more information related to the new NAT on a document I wrote here on CSC

https://supportforums.cisco.com/docs/DOC-31116

Hope this helps

Please  do remember to mark a reply as the correct answer if it answered your question.

- Jouni

Thanks a lot Jouni for quick reply. I think I need to read a bit more on this.

Hi Jouni,

Just one more question I want to confirm:

Currently, we have the VPN concentrator behind ASA 5.1. As mentioned, we are going to upgrade to version 8.6. Could you please have a look at the following static NAT transformation if it is correct or not.

interface GigabitEthernet0/2.31

vlan 31

nameif vpn_private

security-level 75

ip address 172.31.0.1 255.255.255.240

!

interface GigabitEthernet0/2.67

vlan 67

nameif vpn_public

security-level 75

ip address a.b.c.177 255.255.255.240

!

1) static (dmz,vpn_private) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

2) static (dmz,vpn_public) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

3) static (inside,vpn_private) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

4) static (inside,vpn_public) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

5) static (vpn_private,inside) 172.31.0.0 172.31.0.0 netmask 255.255.255.0

6) static (vpn_public,outside) a.b.c.176 a.b.c.176 netmask 255.255.255.240

7) static (vpn_public,inside) a.b.c.176 a.b.c.176 netmask 255.255.255.240

Change to

1) object network obj-192.168.1.0

  subnet 192.168.1.0 255.255.255.0

  nat (dmz,vpn_private) static obj-192.168.1.0

2) object network obj-192.168.1.0

  subnet 192.168.1.0 255.255.255.0

  nat (dmz,vpn_public) static obj-192.168.1.0

3) object network obj-172.16.0.0

  subnet 172.16.0.0 255.255.0.0

  nat (inside,vpn_private) static obj-172.16.0.0

4) object network obj-172.16.0.0

  subnet 172.16.0.0 255.255.0.0

  nat (inside,vpn_public) static obj-172.16.0.0

5) object network obj-172.31.0.0

  subnet 172.31.0.0 255.255.0.0

  nat (vpn_private,inside) static obj-172.31.0.0

6) object network obj-a.b.c.176

  subnet a.b.c.176 255.255.255.240

  nat (vpn_public,outside) static obj-a.b.c.176

7) object network obj-a.b.c.176

  subnet a.b.c.176 255.255.255.240

  nat (vpn_public,inside) static obj-a.b.c.176

Thanks a lot for all your help.

Kind Regards

Rohit

Hi,

All of those configurations would seem to be Static Identity NAT. Essentially used in the current setup to enable traffic without doing NAT to the source/destination IP address.

I usually leave out those "static" configurations completely and wont create any configurations to replace them.

Though I usually like to look at the whole setup before making decisions or leaving any configurations off the migration configuration. I am not completely sure what the "static" configurations that are between your local interfaces and the public VPN interface. Typically the VPN public interface would only have NAT configurations towards the outside interface.

- Jouni

Thanks Jouni for your reply.

Review Cisco Networking for a $25 gift card