PIX config to Cisco 5500 ASA NAT issues

Hello,

Our client (a webhost, they have a lot of servers) has an older Cisco PIX, everything works fine with the PIX. They have a Cisco ASA 5500 with ASA version 8.3, to replace the PIX. Upon migrating the PIX config to the ASA we are running into issues with Dynamic NAT. The static NAT entries are working flawlessly (there is a lot of them), however when Dynamic is enabled for the remaining hosts, outside communication works then drops off. The remaining hosts need outside access for updates. We have access lists set up but I don't see how that could cause a problem when the original ACLs were working fine with the PIX, they have not been altered.

The NAT config may be wrong or cluttered, have a look at the full NAT config.

The static NAT addressing is the same, example 207.11.129.65 will equal 10.10.10.65

Attached is the NAT config, please have a look and provide me any insight you can. Thank you in advance.

(actual addressing scheme has been changed to protect client obviously)

Cisco Employee

PIX config to Cisco 5500 ASA NAT issues

Instead of configuring "any" (0.0.0.0 0.0.0.0), I would actually try the actual internal subnet for the dynamic statement.

It seems that the internal subnet is 10.10.10.0/24 based on the config, so you can modify the current dynamic NAT:

FROM:

object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

TO:

object network obj_10.10.10.0
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

And if you have multiple internal subnets, just configure the rest. And lastly, remember to "clear xlate" after the changes.

Also, if you are running 8.3.1, it might be a good idea to upgrade to the latest of 8.3.x. But if you are already running the latest, then it's fine.

If it still doesn't work, please run packet tracer on the ASA, and see where it's failing.
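Added example, not part of the thread or of any Cisco tooling: a small audit script that parses ASA 8.3 "object network" NAT blocks, flags a dynamic object whose real subnet is the 0.0.0.0/0 catch-all, lists which static-NAT hosts that catch-all also covers, and renders the per-subnet dynamic objects the reply recommends. The sample config is constructed from the thread's placeholder addresses; the /24 inference for each static host's subnet is an assumption taken from the reply.

```python
import ipaddress
import re
# Constructed sample in the shape the thread describes: static object NAT for
# individual hosts plus an obj_any dynamic catch-all (thread's placeholder addresses).
SAMPLE_CONFIG = """\
object network obj-10.10.10.65
 host 10.10.10.65
 nat (inside,outside) static 207.11.129.65
object network obj-10.10.10.66
 host 10.10.10.66
 nat (inside,outside) static 207.11.129.66
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
"""

def parse_object_nat(config):
    """Collect each 'object network' block that has a nat line: real network, kind, mapped."""
    objects, cur = [], None
    for line in config.splitlines():
        body = line.strip()
        if (m := re.match(r"object network (\S+)$", body)) and not line.startswith(" "):
            cur = {"name": m.group(1), "network": None, "nat": None, "mapped": None}
            objects.append(cur)
        elif cur and (m := re.match(r"host (\S+)$", body)):
            cur["network"] = ipaddress.ip_network(m.group(1))  # /32 host object
        elif cur and (m := re.match(r"subnet (\S+) (\S+)$", body)):
            cur["network"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")  # dotted mask ok
        elif cur and (m := re.match(r"nat \(\S+\) (static|dynamic) (\S+)$", body)):
            cur["nat"], cur["mapped"] = m.group(1), m.group(2)
    return [o for o in objects if o["nat"] and o["network"] is not None]

def audit_dynamic_nat(config):
    """Flag dynamic objects whose real subnet is the 0.0.0.0/0 catch-all and list the
    static-NAT hosts each dynamic object's subnet also covers."""
    objs = parse_object_nat(config)
    statics = [o for o in objs if o["nat"] == "static"]
    return [{"object": d["name"],
             "catch_all": d["network"].prefixlen == 0,
             "covers_static_hosts": [str(s["network"].network_address) for s in statics
                                     if s["network"].subnet_of(d["network"])]}
            for d in objs if d["nat"] == "dynamic"]

def suggest_dynamic_objects(config):
    """Render one scoped dynamic object per internal subnet, as the reply prescribes.
    Assumption: each static host's /24 is an internal subnet (the reply's own inference)."""
    nets = sorted({ipaddress.ip_network(f"{o['network'].network_address}/24", strict=False)
                   for o in parse_object_nat(config) if o["nat"] == "static"})
    return "\n".join(f"object network obj_{n.network_address}\n subnet {n.network_address} "
                     f"{n.netmask}\n nat (inside,outside) dynamic interface" for n in nets)
```

Run `audit_dynamic_nat` over the migrated config to spot the catch-all before applying the replacement objects, then re-run it on the output of `suggest_dynamic_objects` to confirm no dynamic object is still 0.0.0.0/0.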