
What happens to my Exempt NATs after upgrading the ASA IOS?

armanesf
Level 1

Hello everyone,

I have an ASA 5520 appliance running 8(3) IOS and ASDM version 6.1, and I want to upgrade to 9.1.7(32) IOS and ASDM version 7.8.1.150.

Since there is no Exempt NAT in this new version because of the different syntax and so on, I was wondering: after the update, will my configuration (including Exempt NAT) still be configured, or do I have to reconfigure the NATs with the new syntax? (refer to this link)

And if there's anything like this that I have to reconfigure, I would appreciate you letting me know.

Thanks in advance.

5 Replies

Hi,

Below is an accurate example of NAT Exemption which will work on ASA 9.x:

object network LOCAL_NET
subnet 10.10.0.0 255.255.255.0
object network REMOTE_NET
subnet 192.168.10.0 255.255.255.0

nat (INSIDE,OUTSIDE) source static LOCAL_NET LOCAL_NET destination static REMOTE_NET REMOTE_NET

Just replace the interface names and local/remote networks.

HTH

Thanks @Rob Ingram,

But I'm not asking for a way to create an Exempt NAT; as you can see, there is a link in my question that refers to that.

Marvin Rhoads
Hall of Fame

Are you sure the current version is 8.3? The new NAT syntax was introduced in that release, and anything 8.2.x or less uses the old syntax.

When you upgrade from an older version, the config parser converts (or tries to convert) all of the syntax. It is prone to errors though, so it is best to double-check the rules and also look at the report that is generated and automatically stored on the disk of the ASA.

Thanks a lot @Marvin Rhoads,

It's not 8.3; what is showing in ASDM is 8(3), which I think means 8.0(3), so it's before the syntax change.

You sure it's from 8.2.x? Because I searched a lot about this and most sources were saying it changed from 9.x and later?!

I hope it could convert my whole configuration.

Another thing I have doubts about: if I update and run into issues, and then downgrade and restore a full backup, will everything be good?

Cristian Matei
VIP Alumni

Hi,

 

Although the configuration migration is done automatically, if you have complex NAT statements, you will run into issues, which you need to fix. Check this document to support you in the migration process.

To answer your question, NAT exemption will be migrated to Twice NAT.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html#pgfId-110236

Regards,

Cristian Matei.
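Since the replies above say the automatic conversion is error-prone and that NAT exemption becomes Twice NAT, here is one way to double-check the result by diffing exempt pairs between the pre-upgrade backup and the post-upgrade config. This is an added example, not code from the thread or from Cisco; the sample configs are constructed, and it assumes ACL entries in plain subnet/mask form and network objects defined with `subnet` only.

```python
import re

# Constructed sample: pre-8.3 exemption (nat 0 + ACL) as saved in the backup.
OLD_CFG = """\
access-list NONAT extended permit ip 10.10.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NONAT extended permit ip 10.10.0.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
"""

# Constructed sample: post-upgrade config where only one pair was converted.
NEW_CFG = """\
object network LOCAL_NET
 subnet 10.10.0.0 255.255.255.0
object network REMOTE_NET
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static LOCAL_NET LOCAL_NET destination static REMOTE_NET REMOTE_NET
"""

def old_exempt_pairs(cfg):
    """(src, mask, dst, mask) tuples from ACLs referenced by 'nat (if) 0 access-list'."""
    acls = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M))
    pairs = set()
    for name, s, sm, d, dm in re.findall(
            r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)[ \t]*$",
            cfg, re.M):
        if name in acls:
            pairs.add((s, sm, d, dm))
    return pairs

def new_exempt_pairs(cfg):
    """Same tuples from identity twice-NAT rules, resolving 'object network' subnets."""
    objs = {n: (a, m) for n, a, m in re.findall(
        r"^object network (\S+)\n\s*subnet (\S+) (\S+)", cfg, re.M)}
    pairs = set()
    for s1, s2, d1, d2 in re.findall(
            r"^nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)",
            cfg, re.M):
        # Real == mapped on both sides means the traffic is exempt from translation.
        if s1 == s2 and d1 == d2 and s1 in objs and d1 in objs:
            pairs.add(objs[s1] + objs[d1])
    return pairs

def missing_after_upgrade(old_cfg, new_cfg):
    """Exempt pairs present before the upgrade with no matching twice-NAT rule after."""
    return sorted(old_exempt_pairs(old_cfg) - new_exempt_pairs(new_cfg))

if __name__ == "__main__":
    for s, sm, d, dm in missing_after_upgrade(OLD_CFG, NEW_CFG):
        print(f"not exempted after upgrade: {s} {sm} -> {d} {dm}")
```

Any pair it reports still needs to be checked by hand against the migration report on the ASA, since entries using `host`, `any` or object-groups are outside what this sketch parses.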
