Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
713
Views
0
Helpful
1
Replies

Quick question re: migration of nat exemption from asa pre-8.2 to post-8.2

mat_rouch
Level 1
Level 1

‎05-01-2012 07:38 AM - edited ‎03-11-2019 04:00 PM

I am going through http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.pdf and I have a question about nat exemption.  According to the guide above, the migration of nat exemption will look like this:

-----

access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound
-----
object network obj-vLan201
subnet vLan201 255.255.255.0

object network obj-172.19.252.0
subnet 172.19.252.0 255.255.255.0

nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.252.0 obj-172.19.252.0

-----

My question is this: if acl inside_nat0_outbound has multiple ACEs, does the migrated configuration contain a separate "nat (inside,any)" statement for each ACE in the original pre-8.3 config, like this?

-----

access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.253.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

-----

object network obj-vLan201

subnet vLan201 255.255.255.0

object network obj-172.19.252.0
subnet 172.19.252.0 255.255.255.0

object network obj-172.19.253.0
subnet 172.19.253.0 255.255.255.0

nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.252.0 obj-172.19.252.0

nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.253.0 obj-172.19.253.0

-----

Our current acl has about twenty entries, which would make for twenty nat statements, if this is right.

Thanks,

-Mathew

Labels:
0 Helpful
1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

‎05-01-2012 09:00 AM

Hi,

Default behaviour for NAT past 8.2 software level is to let traffic flow through the ASA without NAT. Before that "nat-control" setting on the ASA defined if the traffic needed a NAT configuration or not.

If your NAT0 / NAT Exempt configurations contain statements meant for VPN connections then you have to make new ones for those.

Are the entries in your old NAT0 configurations meant for traffic between different networks in your own LAN or are they meant for different VPN connections? Or perhaps both.

But as you said, moving to the new software does mean that even some simple NAT configuration will now contain more configurations than in the old software.

- Jouni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card