NAT question for ASA running 8.4(5)

baskervi
Level 1

We have a client who is about to hang an ASA off the DMZ of our firewall that is running 8.4(5). That firewall is currently on a different part of our network, and NAT is going to be significantly changed. Now, everything on the client's firewall needs to be NATed on the outside to the same as the internal IP scheme, e.g. like the old "static (inside,outside) 172.16.16.0 172.16.16.0 netm 255.255.255.0" command.

When I look at Cisco's document for NAT conversion (http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp96828), I don't see any conversion between the two. This isn't a "nat 0" because Internet users will need access to some hosts on the inside of our client's firewall.

Can someone please point me in the right direction? Thanks

Accepted Solution

Hi,

Let's assume that the following is true:

  • The new ASA has "inside" and "outside" network/interface only
  • The new ASA doesn't have to do ANY NAT from "inside" to "outside" traffic in any situation (your firewall handles this?)

Then you can simply have the ASA with absolutely NO NAT configurations. The ASA with the new software versions 8.3 and above automatically passes all traffic un-NATed through the ASA. We use this on one customer and it works just fine.

Please let me know if the above is the case or, if not, we can think of something else.

- Jouni


5 Replies

baskervi
Level 1

Will the following work:

nat (inside,outside) source static any any
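For readers who want the old static identity rule from the question written out explicitly in 8.3+ twice-NAT syntax, scoped to the one subnet instead of "any any", here is an added example (not from the thread or from Cisco's migration guide); the object names, the 172.16.16.10 host and the 203.0.113.5 tester address are assumed.

```cisco
! Added example, not from the thread: the 8.3+ twice-NAT identity rule that
! corresponds to the pre-8.3 command
!   static (inside,outside) 172.16.16.0 172.16.16.0 netmask 255.255.255.0
! Object names and the 203.0.113.5 / 172.16.16.10 addresses are assumed.
object network INSIDE-NET
 subnet 172.16.16.0 255.255.255.0
!
! Identity NAT: real and mapped object are the same, so 172.16.16.x leaves
! "outside" unchanged. Scoping it to the subnet rather than "any any" keeps
! the rule auditable in "show nat" and pins only this network.
nat (inside,outside) source static INSIDE-NET INSIDE-NET
!
! Since 8.3 a NAT rule does not permit traffic by itself, and interface ACLs
! match the REAL (untranslated) address, which here is the same address.
! Permit only the published services from the Internet side.
object network WEB-SERVER
 host 172.16.16.10
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 443
access-group OUTSIDE-IN in interface outside
!
! Verification: packet-tracer should show the flow reaching the ACL phase
! with source and destination unchanged; "show nat detail" shows hit counts.
! packet-tracer input outside tcp 203.0.113.5 40000 172.16.16.10 443
! show nat detail
! show xlate
```

With no NAT statements at all, as in the accepted answer, the same outside ACL is still required for inbound access; the identity rule above only makes the no-translation behaviour explicit in the configuration.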


With the previous versions of firmware, with "nat (inside) 0" and "global outside" commands, you couldn't initiate traffic from the outside to the inside. We will need to do this. So I can simply remove all NAT commands, and it will work fine?

Hi,

Yes, we have a customer firewall (behind the actual Internet firewall) that has absolutely no NAT configurations. It's only doing access control with ACLs, acting as a border between 2 local network segments.

- Jouni

JouniForss, thanks for your help!
