Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1630
Views
0
Helpful
4
Replies

Router to ASA Firewall config conversion

yamikani2g2
Level 1
Level 1

‎02-25-2020 07:15 AM

Good day experts.

 

Could someone assist me with how i can convert configs on a router to ASA firewall running 8.6 code.

I have managed to convert most of the configs but these below seem challenging this NATing and overloading is not making sense but it works on the router currently.

Acess-List 111 is also being called upon on a VPN as intersting traffic. VPN i managed to bring up. Just this below

NAT

ip nat pool SERVERS 192.168.10.50 192.168.10.50 prefix-length 24
ip nat inside source static tcp 10.10.10.50 80 interface GigabitEthernet0/1 80
ip nat inside source list 111 pool SERVERS overload

ACL

access-list 111 permit ip host 10.10.10.50 host 172.20.1.66
access-list 111 permit ip host 10.10.10.50 host 172.20.1.71
access-list 111 permit ip host 10.10.10.50 host 172.20.1.72
access-list 111 permit ip host 10.10.10.50 host 172.20.1.73

 

I kind of don't follow whats happening here... and worse converting it to ASA...

 

Thanks ion advance expert

0 Helpful
4 Replies 4

Pawan Raut
Level 4
Level 4

‎02-25-2020 07:35 AM

Try this

 

object-group network Source-Group
network-object host 10.10.10.50
!
object-group network Source-NAT-Group
network-object host 192.168.10.50
!
object-group network Destination-Group
network-object host 172.20.1.66
network-object host 172.20.1.71
network-object host 172.20.1.72
network-object host 172.20.1.73
!
object service obj-http
service tcp destination eq 80
!
nat (inside,outside) source static Source-Group interface service obj-http obj-http
nat (inside,outside) source static Source-Group Source-NAT-Group destination static Destination-Group Destination-Group

 

Rate for helpful post

0 Helpful

Jerome BERTHIER
Level 1
Level 1

‎02-25-2020 07:45 AM

Hello

 

You're right , it seems that overload doesn't make sense here.

Can you post the result of "sh ip nat translation" on the router with traffic established from the server ?

 

Thank you

0 Helpful

yamikani2g2
Level 1
Level 1
In response to Jerome BERTHIER

‎02-26-2020 11:04 AM

@Pawan Raut Thank you for the config will test and share the result.

@Jerome BERTHIER let me log in and paste the NAT translation here thank you for the quick response.

0 Helpful

Star Sulaiman
Level 1
Level 1

‎02-20-2023 09:04 AM

Hello ,

i know it has been a while since you posted this but what tool did you use to convert access lists from router to ASA firewall please?

 

Many thank you

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card