Pre-8.3 NAT to 8.3+ NAT configuration on ASA 5505

thomas.a
Level 1

I have a pre-8.3 NAT question. What would this config look like in ASA 9.1(6)?

name 192.168.100.0 lan description Internt Vlan1
name 172.20.21.0 vpn description Vpnklienter vlan1

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 lan 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 vpn 255.255.255.0
static (inside,outside) tcp interface 55530 192.168.100.250 55530 netmask 255.255.255.255
static (inside,outside) tcp interface 55531 192.168.100.250 55531 netmask 255.255.255.255
static (inside,outside) tcp interface 55532 192.168.100.250 55532 netmask 255.255.255.255
static (inside,outside) tcp interface 55533 192.168.100.250 55533 netmask 255.255.255.255
static (inside,outside) tcp interface 55534 192.168.100.250 55534 netmask 255.255.255.255
static (inside,outside) tcp interface 55535 192.168.100.250 55535 netmask 255.255.255.255
static (inside,outside) udp interface 55530 192.168.100.250 55530 netmask 255.255.255.255
static (inside,outside) udp interface 55531 192.168.100.250 55531 netmask 255.255.255.255
static (inside,outside) udp interface 55532 192.168.100.250 55532 netmask 255.255.255.255
static (inside,outside) udp interface 55533 192.168.100.250 55533 netmask 255.255.255.255
static (inside,outside) udp interface 55534 192.168.100.250 55534 netmask 255.255.255.255
static (inside,outside) udp interface 55535 192.168.100.250 55535 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.100.7 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.100.7 www netmask 255.255.255.255
static (inside,outside) tcp interface 987 192.168.100.7 987 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.7 https netmask 255.255.255.255


Jon Marshall
Hall of Fame

Read this first link for examples -

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

and also read this link for the explanation of how NAT is now done because it has sections now and it is important where you place your statements. The document covers all this with recommendations -

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

If you are still unsure, then by all means come back for help.

Jon

Hi,

You need to create a different object with a different name but same IP on the ASA for every NAT with a different port.

This is a requirement on the ASA device; otherwise it will overwrite the previous configuration.

Thanks and Regards,

Vibhor Amrodia

 

Vibhor Amrodia
Cisco Employee

Hi,

This would be the translated configuration:-

object network obj-0.0.0.0.0
 subnet 0 0
 nat (inside,outside) dynamic interface

___________________________

VPN NONAT

This would be converted as:-

nat (inside,outside) source static <Source LOCAL Subnet> <Source LOCAL Subnet> destination static <Destination REMOTE Subnet> <Destination REMOTE Subnet>

__________________________

Static PAT will be :-

! TCP 55530-55535 forwarded to 192.168.100.250
object service obj-TCP
 service tcp source range 55530 55535
object network obj-192.168.100.250
 host 192.168.100.250
nat (inside,outside) source static obj-192.168.100.250 interface service obj-TCP obj-TCP

! UDP 55530-55535 forwarded to 192.168.100.250 (uses obj-UDP, not obj-TCP)
object service obj-UDP
 service udp source range 55530 55535
object network obj-192.168.100.250
 host 192.168.100.250
nat (inside,outside) source static obj-192.168.100.250 interface service obj-UDP obj-UDP

_______________________

object network obj-192.168.100.7
 host 192.168.100.7
 nat (inside,outside) static interface service tcp smtp smtp

Same for other ports as well

____________________________

You can allow the ports in the ACL the same way; only make sure that the destination is the real IP address and not the mapped one.

Thanks and Regards,

Vibhor Amrodia


Hello Vibhor,

Thanks for the help.

I still have a question.

 

I have used the following post-8.3 configuration:

object network obj-192.168.100.7
 host 192.168.100.7
 nat (inside,outside) static interface service tcp smtp smtp

for

static (inside,outside) tcp interface smtp 192.168.100.7 smtp netmask 255.255.255.255

But if I continue with:

object network obj-192.168.100.7
 host 192.168.100.7
 nat (inside,outside) static interface service tcp www www

My previous configuration is overwritten with "http".

How do I convert all four TCP ports to a post-8.3 configuration?

 

static (inside,outside) tcp interface smtp 192.168.100.7 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.100.7 www netmask 255.255.255.255
static (inside,outside) tcp interface 987 192.168.100.7 987 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.7 https netmask 255.255.255.255
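
The approach given in the reply above (a different object name with the same IP for every port), written out for these four static PAT lines as an added example that is not part of the original thread. The object names and the ACL name `outside_access_in` are assumptions; the addresses and ports come from the question.

```cisco
! Added example, not from the thread. Object names are assumptions.
! A network object carries only one object-NAT rule, so a second "nat"
! entered under the same object name replaces the first. Using one
! object per forwarded port keeps all four translations.
object network obj-192.168.100.7-smtp
 host 192.168.100.7
 nat (inside,outside) static interface service tcp smtp smtp
object network obj-192.168.100.7-www
 host 192.168.100.7
 nat (inside,outside) static interface service tcp www www
object network obj-192.168.100.7-987
 host 192.168.100.7
 nat (inside,outside) static interface service tcp 987 987
object network obj-192.168.100.7-https
 host 192.168.100.7
 nat (inside,outside) static interface service tcp https https
!
! From 8.3 on, the inbound ACL matches the real (inside) address,
! not the mapped outside interface address.
! The ACL name is an assumption; use the ACL already bound to "outside".
access-list outside_access_in extended permit tcp any host 192.168.100.7 eq smtp
access-list outside_access_in extended permit tcp any host 192.168.100.7 eq www
access-list outside_access_in extended permit tcp any host 192.168.100.7 eq 987
access-list outside_access_in extended permit tcp any host 192.168.100.7 eq https
access-group outside_access_in in interface outside
```

After entering this, `show running-config nat` should list four separate object NAT rules for 192.168.100.7, one per port.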
