Cisco Pix NAT Vs Cisco ASA NAT

avnishvyas1976
Level 1

How would the following NAT statement look on the ASA, and why won't the ASA take the line of config even though I have created the object for it?

The PIX config is like this:

global (outside) 1 aa.bb.53.197

On the ASA, I thought the config would be as simple as this:

nat (any,outside) 1 source static any any destination static  aa.bb.53.197

I keep getting an error though:

Belgium-ASA01-5515X(config)# nat (any,outside) 1 source static any any destina$
ERROR: object doesn't match an existing object or object-group
ASA5515X(config)# object network aa.bb.53.197
ASA5515X(config-network-object)# host aa.bb.53.197
Could someone please provide me with some guidance?

8 Replies

Jon Marshall
Hall of Fame

You are trying to do different things with the NAT statements.

Your global statement is dynamic NAT and will translate source IPs.

But then you are using a static statement in your other NAT.

What exactly are you trying to do?

Jon

Hi Jon

Thanks for responding!

We are getting rid of the Cisco PIX and migrating to a Cisco ASA. The NAT statement taken from the PIX is NATting anything to the address aa.bb.53.197 with this line:
global (outside) 1 aa.bb.53.197

I'm simply trying to add this like for like on the ASA. However, the ASA configuration is taken slightly differently, hence the static statement.

All I want to do is the above on the ASA.

I thought the config would look like this:

nat (any,outside) source static any any destination static aa.bb.53.197 aa.bb.53.197

Please correct me if I am wrong.

There are a couple of ways of achieving this, and it is to do with the ordering of NAT statements by sections, which didn't happen with 8.2 and previous NAT.

Have a look at this thread and see Jouni's answer.

He has also linked to a very good document he has written on this forum, and it is worth reading to get a good understanding of the 8.3 onwards NAT -

https://supportforums.cisco.com/discussion/12393241/it-must-set-nat-asa-initial-network-and-which-nat-config-most-secure-real

If you still have queries, then by all means come back.

Jon

Hi Jon

Thanks for the information; the article by Jouni really helped. So after reviewing I got rid of this line

nat (any,outside) source static any any destination static aa.bb.53.197 aa.bb.53.197

and replaced it with

nat (any,outside) after-auto source static aa.bb.53.197 aa.bb.53.197 no-proxy-arp

Thanks

AV

AV

No problem, but I'm still not sure that line is correct unless you are saying it is working.

You want a dynamic NAT, not a static NAT, because that would be the equivalent of your global statement, which is a dynamic NAT statement.

Jon

Hi Jon

I believe you are right. I simply want to replicate the statement and not modify it in any way. This has not been tested yet, as we are preparing the ASA for a trial run next week. So I have removed this line

nat (any,outside) after-auto source static aa.bb.53.197 aa.bb.53.197 no-proxy-arp

and replaced it with

nat (any,outside) after-auto source dynamic aa.bb.53.197 aa.bb.53.197

Hi Jon

Further to my quest to conquer NAT on PIX vs ASA, I have found an issue when following the guides for the post-8.3 ASA NONAT policy.

The rules on the PIX are straightforward; here is an example:

nat (inside) 0 access-list nonat2

and the ACLs on the PIX follow suit:

access-list nonat2 permit ip aa.bb.53.0 255.255.255.128 10.0.0.0 255.0.0.0

Following the instructions for the NAT statement, I created my object groups for the source and destination networks:

object network Local_LANS_1
subnet aa.bb.53.0 255.255.255.128

object network Remote_LANS_1
subnet 10.0.0.0 255.0.0.0

My NAT, following the guide, turned out like this:

nat (inside,outside) after-auto source dynamic Local_LANS_1 Local_LANS_1 destination Remote_LANS_1 Remote_LANS_1

However, the above command doesn't get taken by the ASA (5515X) ver 8.6(1)2.

After destination it only gives me the option for static. Is this right? As my source is dynamic, I wouldn't think the destination would be static, and I have not found any examples of dynamic to static.

I need to know, otherwise my script to migrate the NONATs is futile.

Any assistance would be appreciated.

That is a NAT exemption, so it should be -

nat (inside,outside) source static Local_LANS_1 Local_LANS_1 destination static Remote_LANS_1 Remote_LANS_1

A couple of points -

1) You are not actually translating your source IPs to anything else, so it isn't really a dynamic statement.

2) The document I linked to recommends these go in section 1, because if you put them in section 3 (with the after-auto keyword) there is a high chance there could be other rules in the earlier sections that override them.

Up to you really, but it may avoid problems later on.

Jon
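As an added illustration of the two PIX patterns discussed in this thread and of the ordering Jon describes (exemptions as identity twice NAT in section 1, the global-style PAT as dynamic twice NAT with after-auto), here is a small Python translator from pre-8.3 NAT lines to 8.3+ syntax; it is not from the thread, from Cisco, or from the poster's migration script. The NET-/HOST- object naming, the assumption that a `nat (inside) 0 access-list` exemption maps to the `outside` interface, and the 203.0.113.x sample addresses standing in for the redacted aa.bb.53.x are all constructed for the example.

```python
import ipaddress
import re
# Pre-8.3 (PIX) syntax handled: global+nat pairs (dynamic PAT) and nat 0 access-list (exemption).
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
NAT_ID_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
# Constructed sample; 203.0.113.x (RFC 5737) stands in for the thread's redacted aa.bb.53.x.
PIX_SAMPLE = [
    "global (outside) 1 203.0.113.197",
    "nat (inside) 1 0.0.0.0 0.0.0.0",
    "nat (inside) 0 access-list nonat2",
    "access-list nonat2 permit ip 203.0.113.0 255.255.255.128 10.0.0.0 255.0.0.0",
]

def ref(objects, addr, mask):
    """Return the ASA object name for a PIX addr/mask, registering its body in `objects` ('any' needs none)."""
    if addr in ("0", "0.0.0.0") and mask in ("0", "0.0.0.0"):
        return "any"
    if mask == "255.255.255.255":
        name, body = f"HOST-{addr}", f" host {addr}"
    else:
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        name, body = f"NET-{net.network_address}-{net.prefixlen}", f" subnet {net.network_address} {net.netmask}"
    objects[name] = body          # dict keeps insertion order and deduplicates reused networks
    return name

def convert(pix_lines, mapped_ifc="outside"):
    """Emit ASA 8.3+ config: objects, then section-1 exemptions, then after-auto dynamic PAT."""
    objects, globals_by_id, nat_by_id, exempt_acl, acl = {}, {}, {}, {}, {}
    for line in map(str.strip, pix_lines):
        if m := GLOBAL_RE.match(line):
            globals_by_id[m[2]] = (m[1], m[3])          # nat id -> (mapped ifc, PAT address)
        elif m := NAT0_RE.match(line):                   # checked before NAT_ID_RE, which also matches id 0
            exempt_acl[m[2]] = m[1]                      # acl name -> real ifc
        elif m := NAT_ID_RE.match(line):
            nat_by_id[m[2]] = (m[1], m[3], m[4])        # nat id -> (real ifc, addr, mask)
        elif m := ACL_RE.match(line):
            acl.setdefault(m[1], []).append(m.groups()[1:])
    section1, section3 = [], []
    for acl_name, real_ifc in exempt_acl.items():       # identity twice NAT, kept in section 1 (no after-auto)
        for s, sm, d, dm in acl.get(acl_name, []):
            src, dst = ref(objects, s, sm), ref(objects, d, dm)
            section1.append(f"nat ({real_ifc},{mapped_ifc}) source static {src} {src} destination static {dst} {dst}")
    for nat_id, (g_ifc, pat_ip) in globals_by_id.items():   # global/nat pair -> dynamic PAT after object NAT
        real_ifc, addr, mask = nat_by_id.get(nat_id, ("any", "0", "0"))
        src, pat = ref(objects, addr, mask), ref(objects, pat_ip, "255.255.255.255")
        section3.append(f"nat ({real_ifc},{g_ifc}) after-auto source dynamic {src} {pat}")
    lines = [x for name, body in objects.items() for x in (f"object network {name}", body)]
    return lines + section1 + section3
```

Running `convert(PIX_SAMPLE)` yields the three network objects, the exemption `nat (inside,outside) source static ... destination static ...`, and finally `nat (inside,outside) after-auto source dynamic any HOST-203.0.113.197`, which is the 8.3+ shape of the PIX `global (outside) 1` statement.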
