08-29-2011 05:01 AM - edited 03-11-2019 02:18 PM
Hi all,
I am migrating my PIX configuration to ASA 8.4(2)
with my old NAT configuration.
I don't want the traffic matching ACL inside_outbound_nat_acl from the inside interface to be NATed.
e.g.:
access-list inside_outbound_nat_acl extended permit ip 192.168.20.0 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat_acl
I referenced the Cisco document
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60183
following the section "Multiple ACEs".
My configuration will look like below:
object network obj_192.168.10.0
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) dynamic interface
!
object network obj_inside_outbound_nat_acl
subnet 10.1.1.0 255.255.255.0
!
nat (inside,any) source static obj_inside_outbound_nat_acl obj_inside_outbound_nat_acl no-proxy-arp route-lookup
BUT, WHY:
when I configure "any" in "nat (inside,any)", I cannot type the "route-lookup" keyword,
but when I change it to "nat (inside,outside)" then I can type the "route-lookup" keyword.
So what is the meaning of "any" in this command?
Thanks
08-29-2011 05:10 AM
Hi Chia,
In 8.4.2 NAT, when the nat 0 configuration is migrated it puts an "any" keyword in it. "any" means the traffic is going from inside to any interface, which can be outside or DMZ, so you need not worry about it; you can safely remove the "any" keyword and use outside.
From the same doc:
NAT exemption (the nat 0 access-list command) is a form of policy NAT, and is converted to static twice NAT. Rules are created between the exempted interface and all lower-security level interfaces. For outside NAT, rules are created between the exempted interface and all higher-security level interfaces.
Hope this helps.
Thanks,
Varun
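As an added worked example (not part of this thread and not Cisco's migration tool), here is a small Python script that does the conversion Varun quotes from the doc: it reads the PIX-style "nat 0" exemption ACL and emits ASA 8.3+ network objects plus identity twice NAT rules. The ACE lines, object naming ("obj-<network>") and interface table are constructed from the thread; the rule that "any" never gets "route-lookup" while a named egress interface does is taken from Chia's CLI errors above, and emitting one rule per lower-security interface is taken from the quoted doc. All of those are assumptions of this example, not documented tool behaviour.

```python
"""Added example: turn a PIX/ASA 8.2 'nat 0 access-list' exemption into
ASA 8.3+ twice NAT, along the lines of the "Multiple ACEs" migration section.

Assumptions (not from the original thread):
  * every ACE is a full 'extended permit ip SRC SMASK DST DMASK' line (the
    OP's ACE is truncated, so a complete form is constructed here);
  * network objects are named 'obj-<network>', as in the OP's CLI session;
  * per the quoted doc, one rule is emitted per lower-security interface;
  * per the OP's CLI errors, 'route-lookup' is only appended when a real
    egress interface is named, never with 'any'.
"""
import re
from typing import Dict, List, Tuple

Net = Tuple[str, str]   # (network, netmask)
Ace = Tuple[Net, Net]   # (source, destination)

# Constructed sample input: a NAT exemption ACL with two ACEs plus one
# unrelated ACL line that must be ignored.
SAMPLE_ACL = [
    "access-list inside_outbound_nat_acl extended permit ip "
    "10.1.1.0 255.255.255.0 192.168.20.0 255.255.255.0",
    "access-list inside_outbound_nat_acl extend permit ip "
    "10.1.3.0 255.255.255.0 20.2.4.0 255.255.255.0",
    "access-list something_else extended permit ip any any",
]

# Constructed from the thread's 'sh nameif' output (interface -> security level).
SAMPLE_NAMEIF: Dict[str, int] = {"outside": 0, "inside": 100, "DMZ": 80, "VPN-BOX": 90}

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ACE_RE = re.compile(
    rf"^access-list\s+(?P<acl>\S+)\s+extend(?:ed)?\s+permit\s+ip\s+"
    rf"(?P<src>{IP})\s+(?P<smask>{IP})\s+(?P<dst>{IP})\s+(?P<dmask>{IP})\s*$"
)


def parse_aces(lines: List[str], acl_name: str) -> List[Ace]:
    """Return (src, dst) pairs for the ACEs of acl_name; other lines are ignored.
    The CLI accepts abbreviated keywords, so 'extend' is taken like 'extended'."""
    aces: List[Ace] = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if m and m["acl"] == acl_name:
            aces.append(((m["src"], m["smask"]), (m["dst"], m["dmask"])))
    return aces


def obj_name(net: str) -> str:
    return f"obj-{net}"          # assumed naming convention


def network_objects(aces: List[Ace]) -> List[str]:
    """One 'object network' per distinct subnet, in first-seen order."""
    seen, out = set(), []
    for src, dst in aces:
        for net, mask in (src, dst):
            if net not in seen:
                seen.add(net)
                out += [f"object network {obj_name(net)}", f" subnet {net} {mask}"]
    return out


def egress_interfaces(exempt_if: str, nameif: Dict[str, int]) -> List[str]:
    """Interfaces with a lower security level than exempt_if, lowest first."""
    level = nameif[exempt_if]
    lower = [n for n, lvl in nameif.items() if lvl < level]
    return sorted(lower, key=lambda n: nameif[n])


def twice_nat_rules(aces: List[Ace], exempt_if: str, nameif: Dict[str, int],
                    use_any: bool = False) -> List[str]:
    """Identity twice NAT rules (NAT table section 1, so they win over object NAT)."""
    egress = ["any"] if use_any else egress_interfaces(exempt_if, nameif)
    rules: List[str] = []
    for dst_if in egress:
        for (snet, _), (dnet, _) in aces:
            s, d = obj_name(snet), obj_name(dnet)
            rule = (f"nat ({exempt_if},{dst_if}) source static {s} {s} "
                    f"destination static {d} {d} no-proxy-arp")
            if dst_if != "any":   # 'any' rejects route-lookup, per the OP's CLI output
                rule += " route-lookup"
            rules.append(rule)
    return rules


def migrate(lines: List[str], acl_name: str, exempt_if: str,
            nameif: Dict[str, int], use_any: bool = False) -> List[str]:
    aces = parse_aces(lines, acl_name)
    return network_objects(aces) + ["!"] + twice_nat_rules(aces, exempt_if, nameif, use_any)


if __name__ == "__main__":
    print("\n".join(migrate(SAMPLE_ACL, "inside_outbound_nat_acl", "inside", SAMPLE_NAMEIF)))
```

Run it once with use_any=False to get the explicit per-interface rules (with route-lookup) and once with use_any=True to get the single "(inside,any)" rule the migration produces; either way the identity rules land in section 1 of the NAT table, ahead of the "nat (inside,outside) dynamic interface" object NAT in the OP's config, which is what keeps the exempted traffic un-NATed.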
08-29-2011 05:19 AM
Hi Varun,
thanks for your reply.
Why can't I type the "route-lookup" keyword when I configure "nat (inside,any)"?
Thanks
08-29-2011 05:26 AM
Hi Chia,
Here's the command reference as well:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/no.html#wp1792563
Thanks,
Varun
08-29-2011 05:49 AM
Hi Varun,
I followed the Cisco document, section "Multiple ACEs",
8.4(2) and later:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60183
and I still cannot type route-lookup.
Please help me check it.
Thanks
ASA(config)#
ASA(config)# object network obj-10.1.2.0
ASA(config-network-object)# subnet 10.1.2.0 255.255.255.0
ASA(config-network-object)# object network obj-10.1.3.0
ASA(config-network-object)# subnet 10.1.3.0 255.255.255.0
ASA(config-network-object)# object network obj-20.2.4.0
ASA(config-network-object)# subnet 20.2.4.0 255.255.255.0
ASA(config-network-object)# object network obj-20.2.20.0
ASA(config-network-object)# subnet 20.2.20.0 255.255.255.0
ASA(config-network-object)#
ASA(config)# nat (inside,any) source static obj-10.1.3.0 obj-10.1.3.0 destination static obj-20.2.4.0 obj-20.2.4.0 no-proxy-arp route-lookup
^
ERROR: % Invalid input detected at '^' marker.
ASA(config)# nat (inside,any) source static any any destination static obj-20.2.20.0 obj-20.2.20.0 no-proxy-arp route-lookup
^
ERROR: % Invalid input detected at '^' marker.
ASA(config)#
08-29-2011 06:10 AM
Hi Chia,
Can you share your config? How many interfaces do you have?
Thanks,
Varun
08-29-2011 06:23 AM
Hi Varun,
at my user site, only interfaces G0/0, G0/1, G0/1.10 and G0/1.20 are used;
the others are my lab.
Thanks
ASA# sh int ip brief
Interface                  IP-Address       OK? Method Status                 Protocol
GigabitEthernet0/0         61.31.221.221    YES manual down                   down
GigabitEthernet0/1         172.31.1.254     YES manual administratively down  down
GigabitEthernet0/1.10      10.181.61.254    YES manual down                   down
GigabitEthernet0/1.20      100.100.100.254  YES manual down                   down
GigabitEthernet0/2         unassigned       YES unset  down                   down
GigabitEthernet0/3         172.16.226.84    YES manual up                     up
Management0/0              192.168.1.1      YES CONFIG down                   down
ASA#
ASA# sh nameif
Interface                  Name        Security
GigabitEthernet0/0         outside       0
GigabitEthernet0/1         inside      100
GigabitEthernet0/1.10      DMZ          80
GigabitEthernet0/1.20      VPN-BOX      90
GigabitEthernet0/2         test1         0
GigabitEthernet0/3         test2         0
Management0/0              management  100
08-29-2011 06:34 AM
Can you bring all the interfaces up and try again? It should work...
-Varun
08-29-2011 06:53 AM
Hi Varun,
I forgot to tell you that this ASA is my customer's new machine
and it's not online now.
I just want to convert the customer's old machine (PIX) to ASA now.
I brought all interfaces up
and it still won't accept the "route-lookup" keyword...
Thanks for your patience...
08-29-2011 07:09 AM
As you posted above,
when I don't specify an interface in the NAT command,
like "nat (inside,any) source static obj-10.1.2.0 obj-10.1.2.0 no-proxy-arp",
OK, route-lookup is used by default, so I needn't type it.
But when I configure it
and show running-config,
it shows
"nat (inside,any) source static obj-10.1.2.0 obj-10.1.2.0 no-proxy-arp"
still without route-lookup at the end.
Is that correct?
Thanks
09-12-2011 09:26 AM
Hi Chia,
the ASA still won't show route-lookup at the end of the nat command. It will use the routing table for a route lookup, though, as per the document.
Regards,
Prapanch