06-21-2011 11:30 AM - edited 03-11-2019 01:48 PM
Hi, I have been given the task to upgrade the ASA from 8.04 and 6.1 to the latest and greatest versions.
But I read that NAT has changed in 8.3 onwards - below is part of my current setup, how would the syntax work once I upgrade?
Thanks for any help
access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list from-outside extended permit icmp any any
access-list from-outside extended permit gre any any
access-list from-outside extended permit udp any any eq isakmp
access-list from-outside extended permit esp any any
access-list from-outside extended permit ah any any
access-list from-outside extended permit tcp any any eq 500
access-list from-outside extended permit tcp any any eq 4500
access-list from-outside extended permit udp any any eq 4500
access-list from-outside extended permit udp any any eq 1701
access-list from-outside extended permit tcp any any eq 47
access-list DefaultRAGroup_SPLIT standard permit 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group from-outside in interface outside
06-21-2011 11:38 AM
Hi Andy,
Well yes, the NAT and ACL have gone through a change post 8.3 on ASA. In your particular case there would not be any change in the ACL, since you are using any any in them. But yes, the NAT syntax would change, something like this:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
this would change to:
object network any_0.0.0.0
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
The logic remains the same, just the syntax has changed.
For more details, kindly go through the Config guide below:
http://www.cisco.com/en/US/customer/docs/security/asa/asa83/configuration/guide/config.html
Hope this helps,
Thanks,
Varun
06-21-2011 11:45 AM
Thanks for the quick reply, so my questions are these:
What happens to these 2 lines?
access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DefaultRAGroup_SPLIT standard permit 192.168.1.0 255.255.255.0
Also, what do I do with the nat-control line, do I remove it?
Sorry
06-21-2011 11:55 AM
Hi Andy,
There would be no change in the ACLs at all. In version 8.3 or above, where earlier you used the public IP address to allow access, in 8.3 you use the real IP of the host machine instead of the public IP.
Let me explain with an example:
In pre-8.3, you had
static (inside,outside) 1.1.1.1 10.1.1.1
access-list out_in permit ip any host 1.1.1.1
but post 8.3, it would be:
object network public_ip
host 1.1.1.1
object network private_ip
host 10.1.1.1
nat (inside,outside) static public_ip
access-list out_in permit ip any host 10.1.1.1
In pre-8.3, for incoming traffic, the access-list was checked first by the ASA and then the un-NAT rule, but post 8.3 it is un-NAT first and then the access-list.
Post 8.3, there is no concept of nat-control any more; you need not specify anything.
Here is another very good link:
https://supportforums.cisco.com/docs/DOC-12690
Hope it answers all your queries.
Thanks,
Varun
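The two lines Andy asked about, worked through as an added example that is not from the original posts: the 8.3 equivalent of the nat 0 access-list exemption and of the nat/global PAT pair from the first post, alongside the split-tunnel ACL. The object names obj-192.168.1.0 and obj_any are assumed (any names work), and the packet-tracer host addresses are constructed.

```text
! Pre-8.3 (from the original post): NAT exemption for the VPN clients plus dynamic PAT for the rest
access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! 8.3+ equivalent (object names are assumed, not required)
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
! nat 0 access-list becomes a twice (manual) NAT identity rule. Manual NAT lives in
! section 1 and object NAT in section 2, so this rule is matched before the PAT above
! regardless of where the lines sit in the running config.
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.1.0 obj-192.168.1.0

! The split-tunnel ACL is not a NAT statement, so it is unchanged
access-list DefaultRAGroup_SPLIT standard permit 192.168.1.0 255.255.255.0

! Checks after the upgrade (show commands, not config):
! show nat detail
!   expect the identity rule under "Manual NAT Policies (Section 1)" and the PAT under section 2
! packet-tracer input inside tcp 192.168.1.10 1025 192.168.1.50 80
!   expect the NAT phase to hit the identity rule, with no translation to the outside address
```

The ASA performs this migration itself when it first boots 8.3, so the point of writing it out is to recognise the result in show running-config and to verify the rule order with the two checks above.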