08-29-2013 11:57 PM - edited 03-11-2019 07:32 PM
We are running Cisco ASA 5520 version 5.2 at the moment, and now we are upgrading to the ASA 5525-X series, version 8.6. Below is the sample configuration I have attached; could anyone please tell me if I am doing this right? Thank you very much.
current version 5.1
global (outside) 2 202.190.70.80
global (dmz) 2 192.168.1.59
nat (inside) 2 172.16.2.0 255.255.255.252
nat (inside) 2 172.16.5.0 255.255.255.0
nat (inside) 2 172.16.10.0 255.255.255.0
nat (inside) 2 172.16.108.0 255.255.255.192
nat (inside) 2 172.16.108.64 255.255.255.192
nat (inside) 2 172.20.1.0 255.255.255.0
nat (inside) 2 172.30.1.0 255.255.255.0
nat (inside) 2 192.168.128.0 255.255.255.252
nat (inside) 2 192.168.129.0 255.255.255.252
nat (dmz) 2 192.168.1.0 255.255.255.0
------------------------------------------------------------------------------------------------
To new ASA version 8.6
nat (inside) 2 172.16.2.0 255.255.255.252
>> object network obj-172.16.2.0
subnet 172.16.2.0 255.255.255.252
nat (inside,outside) dynamic 202.190.70.80
nat (inside,dmz) dynamic 192.168.1.59
nat (inside) 2 172.16.5.0 255.255.255.0
>> object network obj-172.16.5.0
subnet 172.16.5.0 255.255.255.0
nat (inside,outside) dynamic 202.190.70.80
nat (inside,dmz) dynamic 192.168.1.59
nat (inside) 2 172.16.10.0 255.255.255.0
>> object network obj-172.16.10.0
subnet 172.16.10.0 255.255.255.0
nat (inside,outside) dynamic 202.190.70.80
nat (inside,dmz) dynamic 192.168.1.59
nat (inside) 2 172.20.1.0 255.255.255.0
>> object network obj-172.20.1.0
subnet 172.20.1.0 255.255.255.0
nat (inside,outside) dynamic 202.190.70.80
nat (inside,dmz) dynamic 192.168.1.59
nat (inside) 2 172.30.1.0 255.255.255.0
>> object network obj-172.30.1.0
subnet 172.30.1.0 255.255.255.0
nat (inside,outside) dynamic 202.190.70.80
nat (inside,dmz) dynamic 192.168.1.59
nat (inside) 2 172.16.108.0 255.255.255.192
>> object network obj-172.16.108.0
subnet 172.16.108.0 255.255.255.192
nat (inside,outside) dynamic 202.190.70.80
nat (inside,dmz) dynamic 192.168.1.59
nat (inside) 2 172.16.108.64 255.255.255.192
>> object network obj-172.16.108.64
subnet 172.16.108.64 255.255.255.192
nat (inside,outside) dynamic 202.190.70.80
nat (inside,dmz) dynamic 192.168.1.59
nat (inside) 2 192.168.128.0 255.255.255.252
>> object network obj-192.168.128.0
subnet 192.168.128.0 255.255.255.252
nat (inside,outside) dynamic 202.190.70.80
nat (inside,dmz) dynamic 192.168.1.59
nat (inside) 2 192.168.129.0 255.255.255.252
>> object network obj-192.168.129.0
subnet 192.168.129.0 255.255.255.252
nat (inside,outside) dynamic 202.190.70.80
nat (inside,dmz) dynamic 192.168.1.59
nat (dmz) 2 192.168.1.0 255.255.255.0
>> object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
nat (dmz,outside) dynamic 202.190.70.80
nat (dmz,dmz) dynamic 192.168.1.59
08-30-2013 12:07 AM
Hi,
The first thing to notice is that you can only have a SINGLE "nat" statement under an "object network", so the configuration you propose won't work.
What you could try is the following:
object-group network INSIDE-PAT-SOURCE
network-object 172.16.2.0 255.255.255.252
network-object 172.16.5.0 255.255.255.0
network-object 172.16.10.0 255.255.255.0
network-object 172.16.108.0 255.255.255.192
network-object 172.16.108.64 255.255.255.192
network-object 172.20.1.0 255.255.255.0
network-object 172.30.1.0 255.255.255.0
network-object 192.168.128.0 255.255.255.252
network-object 192.168.129.0 255.255.255.252
object network OUTSIDE-PAT-IP
host 202.190.70.80
object network DMZ-PAT-IP
host 192.168.1.59
nat (inside,outside) after-auto source dynamic INSIDE-PAT-SOURCE OUTSIDE-PAT-IP
nat (inside,dmz) after-auto source dynamic INSIDE-PAT-SOURCE DMZ-PAT-IP
The above configuration should handle Dynamic PAT from "inside" to "outside" and from "inside" to "dmz". Though I would personally rather not configure any dynamic NAT/PAT between my local interfaces, I assume you have some reason for it, perhaps related to routing behind "dmz".
object-group network DMZ-PAT-SOURCE
network-object 192.168.1.0 255.255.255.0
nat (dmz,outside) after-auto source dynamic DMZ-PAT-SOURCE OUTSIDE-PAT-IP
The above configuration should handle Dynamic PAT from "dmz" to "outside".
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
- Jouni
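The rewrite Jouni describes, as an added Python example (not code from the thread, from Cisco, or from any migration tool): it reads pre-8.3 "global"/"nat" pairs that share a nat-id and emits the host objects, object-group and "after-auto" Manual NAT rules in the same shape as his reply, using his object naming. The input is a constructed subset of the original question.

```python
import re

# Constructed sample: the pre-8.3 lines from the question (nat-id 2 only).
OLD_CONFIG = """
global (outside) 2 202.190.70.80
global (dmz) 2 192.168.1.59
nat (inside) 2 172.16.2.0 255.255.255.252
nat (inside) 2 172.16.5.0 255.255.255.0
nat (dmz) 2 192.168.1.0 255.255.255.0
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")


def convert(old_config: str) -> str:
    """Rewrite pre-8.3 global/nat pairs as 8.3+ Manual NAT (after-auto).

    Pre-8.3 meaning: each "nat (X) N" subnet is PATed to the "global (Y) N"
    address when it leaves through Y, for every Y with the same nat-id N
    other than X itself, so no (dmz,dmz) rule is produced.
    """
    pat_ips = {}    # nat-id -> [(egress interface, PAT address)]
    sources = {}    # (nat-id, source interface) -> ["subnet mask", ...]
    for line in old_config.strip().splitlines():
        if m := GLOBAL_RE.match(line.strip()):
            iface, nat_id, pat_ip = m.groups()
            pat_ips.setdefault(nat_id, []).append((iface, pat_ip))
        elif m := NAT_RE.match(line.strip()):
            iface, nat_id, net, mask = m.groups()
            sources.setdefault((nat_id, iface), []).append(f"{net} {mask}")

    out = []
    # One host object per PAT address, named after the interface it serves.
    for entries in pat_ips.values():
        for iface, pat_ip in entries:
            out += [f"object network {iface.upper()}-PAT-IP", f" host {pat_ip}"]
    # One object-group per source interface, then one Manual NAT rule per
    # egress interface; after-auto puts them in Section 3 as in Jouni's reply.
    for (nat_id, iface), nets in sources.items():
        grp = f"{iface.upper()}-PAT-SOURCE"
        out.append(f"object-group network {grp}")
        out += [f" network-object {n}" for n in nets]
        for egress, _ in pat_ips.get(nat_id, []):
            if egress != iface:
                out.append(f"nat ({iface},{egress}) after-auto source dynamic "
                           f"{grp} {egress.upper()}-PAT-IP")
    return "\n".join(out)
```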
08-30-2013 12:33 AM
Thanks a lot Jouni for the quick reply. Based on your suggestion that we cannot use more than one NAT statement under an object network, can we do it the following way?
nat (inside) 2 172.16.2.0 255.255.255.252
>> object network obj-172.16.2.0
subnet 172.16.2.0 255.255.255.252
nat (inside,outside) dynamic 202.190.70.80
object network obj-172.16.2.0-01
subnet 172.16.2.0 255.255.255.252
nat (inside,dmz) dynamic 192.168.1.59
Furthermore, I am not familiar with the "after-auto source dynamic" command yet. I will do a bit more reading on this one. However, the way you suggest seems straightforward and easy to follow.
Thank You,
Regards
Rohit.
08-30-2013 12:41 AM
Hi,
Yes, you could do it in the above way, but in my opinion it just generates so much more configuration that it makes the configuration messy and harder to read.
The example I gave only generates 3 actual NAT configurations along with the couple of "object-group" and "object" entries, and achieves all the same things.
The NAT configuration format that I use is basically Manual NAT, while your examples are Auto NAT.
Manual NAT is by default Section 1, which means it's matched first of all the NAT configurations. With an "after-auto" parameter in the configuration it's moved to Section 3, which essentially lowers it to the very bottom priority when matching NAT rules/configurations.
Auto NAT is always Section 2, which places it in the middle in terms of priority when matching NAT rules/configurations.
One big difference between Auto NAT and Manual NAT is the fact that Manual NAT can NAT both the source and the destination address. That is why you are seeing parameters like "source dynamic".
There is some more information related to the new NAT in a document I wrote here on CSC:
https://supportforums.cisco.com/docs/DOC-31116
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
- Jouni
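The Section 1 / 2 / 3 ordering Jouni explains, as an added Python illustration (not the ASA's code, nor anything from the thread): it picks the rule a new connection would hit when the OP's per-object Auto NAT rules and Jouni's "after-auto" Manual NAT rule both cover the same sources. The rule set is constructed from the thread; the Section 2 tie-break applied here (static before dynamic, then the object with fewer real addresses) is the documented Auto NAT order and not something the thread states.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class NatRule:
    name: str
    real_if: str             # interface the real (untranslated) source sits on
    mapped_if: str           # interface the flow leaves through
    real_nets: list          # real source networks, CIDR strings
    section: int             # 1 = Manual, 2 = Auto, 3 = Manual "after-auto"
    kind: str = "dynamic"    # "static" or "dynamic"; only matters in Section 2
    order: int = 0           # configuration order, tie-break in Sections 1/3

def lookup_order(rules):
    """Sort rules in the order the ASA consults them for a new connection."""
    def key(r):
        if r.section == 2:   # Auto NAT: static first, then fewest real addresses
            size = sum(ipaddress.ip_network(n).num_addresses for n in r.real_nets)
            return (2, 0 if r.kind == "static" else 1, size, r.name)
        return (r.section, r.order)
    return sorted(rules, key=key)

def select_rule(rules, real_if, mapped_if, src_ip):
    """Return the first rule whose interfaces and real network match the flow."""
    ip = ipaddress.ip_address(src_ip)
    for r in lookup_order(rules):
        if (r.real_if, r.mapped_if) == (real_if, mapped_if) and any(
                ip in ipaddress.ip_network(n) for n in r.real_nets):
            return r
    return None

# Constructed rule set: two of the OP's per-object Auto NAT rules next to
# Jouni's object-group based Manual NAT rule configured with "after-auto".
RULES = [
    NatRule("manual INSIDE-PAT-SOURCE", "inside", "outside",
            ["172.16.2.0/30", "172.16.5.0/24", "172.20.1.0/24"], section=3, order=1),
    NatRule("obj-172.16.2.0", "inside", "outside", ["172.16.2.0/30"], section=2),
    NatRule("obj-172.16.5.0", "inside", "outside", ["172.16.5.0/24"], section=2),
]
```

A source that only the Manual rule covers (172.20.1.0/24 here) falls through to Section 3; one covered by an Auto NAT object is taken by Section 2 first.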
08-30-2013 01:45 AM
Thanks a lot Jouni for the quick reply. I think I need to read a bit more on this.
09-03-2013 09:32 PM
Hi Jouni,
Just one more question I want to confirm:
Currently, we have the VPN concentrator behind ASA 5.1. As mentioned, we are going to upgrade to version 8.6. Could you please have a look at the following static NAT transformation and tell me whether it is correct or not?
interface GigabitEthernet0/2.31
vlan 31
nameif vpn_private
security-level 75
ip address 172.31.0.1 255.255.255.240
!
interface GigabitEthernet0/2.67
vlan 67
nameif vpn_public
security-level 75
ip address a.b.c.177 255.255.255.240
!
1) static (dmz,vpn_private) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
2) static (dmz,vpn_public) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
3) static (inside,vpn_private) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
4) static (inside,vpn_public) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
5) static (vpn_private,inside) 172.31.0.0 172.31.0.0 netmask 255.255.255.0
6) static (vpn_public,outside) a.b.c.176 a.b.c.176 netmask 255.255.255.240
7) static (vpn_public,inside) a.b.c.176 a.b.c.176 netmask 255.255.255.240
Change to
1) object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
nat (dmz,vpn_private) static obj-192.168.1.0
2) object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
nat (dmz,vpn_public) static obj-192.168.1.0
3) object network obj-172.16.0.0
subnet 172.16.0.0 255.255.0.0
nat (inside,vpn_private) static obj-172.16.0.0
4) object network obj-172.16.0.0
subnet 172.16.0.0 255.255.0.0
nat (inside,vpn_public) static obj-172.16.0.0
5) object network obj-172.31.0.0
subnet 172.31.0.0 255.255.0.0
nat (vpn_private,inside) static obj-172.31.0.0
6) object network obj-a.b.c.176
subnet a.b.c.176 255.255.255.240
nat (vpn_public,outside) static obj-a.b.c.176
7) object network obj-a.b.c.176
subnet a.b.c.176 255.255.255.240
nat (vpn_public,inside) static obj-a.b.c.176
Thanks a lot for all your help.
Kind Regards
Rohit
09-03-2013 11:31 PM
Hi,
All of those configurations would seem to be Static Identity NAT, essentially used in the current setup to enable traffic without doing NAT to the source/destination IP address.
I usually leave out those "static" configurations completely and won't create any configurations to replace them.
Though I usually like to look at the whole setup before making decisions or leaving any configurations off the migration configuration. I am not completely sure what the "static" configurations between your local interfaces and the public VPN interface are for. Typically the VPN public interface would only have NAT configurations towards the outside interface.
- Jouni
09-04-2013 05:43 PM
Thanks Jouni for your reply.