04-28-2014 03:33 PM - edited 03-04-2019 10:52 PM
How do I convert my old Cisco PIX nat statement to the Cisco ASA 9.1 code?
Original NAT statement:
global (outside) 71 1.1.1.1
nat (inside) 71 access-list ACL-inbound 0 0
access-list ACL-inbound permit ip host 192.168.1.1 any
04-29-2014 04:30 AM
take a look at the following examples:
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
04-29-2014 06:45 AM
I did look at that prior to posting this, but it didn't have exactly what I was looking for, and I was also looking for a little bit of detail and explanation on how and why it works with the new code.
04-29-2014 06:55 AM
You have a policy-NAT config with an ACL that has a destination of "any". So you could write that statement also as
global (outside) 71 1.1.1.1
nat (inside) 71 192.168.1.1 255.255.255.255
That's a dynamic NAT-translation that can be configured in two ways in the new code:
With Auto/Object-NAT:
object network HOST
host 192.168.1.1
nat (inside,outside) dynamic 1.1.1.1
With manual-NAT:
object network HOST
host 192.168.1.1
object network HOST-NAT
host 1.1.1.1
nat (inside,outside) source dynamic HOST HOST-NAT
04-29-2014 07:16 AM
Perfect!!!
Thank you
04-29-2014 10:32 AM
What if I were to have this...
global (outside) 71 1.1.1.1
nat (inside) 71 access-list ACL-inbound 0 0
access-list ACL-inbound permit ip host 192.168.1.1 any
access-list ACL-inbound permit ip host 192.168.1.2 host 169.0.0.1
access-list ACL-inbound permit ip 192.168.1.1 255.255.255.0 any
04-30-2014 12:15 AM
You have to split that as you have two different needs:
That can be configured as the above mentioned manual-NAT where you also can use an object-group instead of an object. The third ACL-line is probably a typo?
object-group network NAT1
network-object 192.168.1.1
network-object 192.168.2.0 255.255.255.0
!
nat (inside,outside) source dynamic NAT1 HOST-NAT
For that you also have to configure manual NAT as you need to specify the destination. Here the destination is not changed:
object network HOST1
host 192.168.1.2
object network DEST-HOST
host 169.0.0.1
!
nat (inside,outside) source dynamic HOST1 HOST-NAT destination static DEST-HOST DEST-HOST
BTW: This is more a Security-Firewalling topic. You should move it to the right area of the forum.
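As an added illustration (not code from any poster in this thread), the following Python script performs the translation the answers describe mechanically: it reads the old PIX "global / nat access-list / access-list" policy-NAT lines and emits the equivalent ASA 8.3+ manual NAT objects and statements, using "destination static X X" whenever the ACL names a specific destination. The object names (NAT71-POOL, NAT71-SRC1, ...) are the script's own convention, and the sample input is constructed from the thread's configuration.

```python
# Constructed sample: the thread's PIX policy-NAT (first two ACL lines).
PIX_CONFIG = """
global (outside) 71 1.1.1.1
nat (inside) 71 access-list ACL-inbound 0 0
access-list ACL-inbound permit ip host 192.168.1.1 any
access-list ACL-inbound permit ip host 192.168.1.2 host 169.0.0.1
"""

def parse_addr(tokens):
    """Consume one PIX ACL address ('any', 'host X' or 'X MASK'); return (kind, value, rest)."""
    if tokens[0] == "any":
        return "any", None, tokens[1:]
    if tokens[0] == "host":
        return "host", tokens[1], tokens[2:]
    return "subnet", f"{tokens[0]} {tokens[1]}", tokens[2:]

def convert_pix_nat(text):
    """Rewrite PIX 'global/nat access-list' dynamic policy NAT as ASA 8.3+ manual NAT lines."""
    pools, nats, acls = {}, {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "global":                           # global (outside) ID MAPPED-IP
            pools[t[2]] = (t[1].strip("()"), t[3])
        elif t[0] == "nat" and t[3] == "access-list":  # nat (inside) ID access-list NAME 0 0
            nats[t[2]] = (t[1].strip("()"), t[4])
        elif t[0] == "access-list":                    # access-list NAME permit ip SRC DST
            acls.setdefault(t[1], []).append(t[4:])
    out = []
    for nat_id, (inside_if, acl) in nats.items():
        outside_if, mapped = pools[nat_id]
        pool = f"NAT{nat_id}-POOL"
        out += [f"object network {pool}", f" host {mapped}"]
        for n, tokens in enumerate(acls[acl], 1):
            skind, src, rest = parse_addr(tokens)
            dkind, dst, _ = parse_addr(rest)
            sname = "any" if skind == "any" else f"NAT{nat_id}-SRC{n}"
            if skind != "any":
                out += [f"object network {sname}", f" {skind} {src}"]
            stmt = f"nat ({inside_if},{outside_if}) source dynamic {sname} {pool}"
            if dkind != "any":  # keep the real destination: "static X X", as in the thread
                dname = f"NAT{nat_id}-DST{n}"
                out += [f"object network {dname}", f" {dkind} {dst}"]
                stmt += f" destination static {dname} {dname}"
            out.append(stmt)
    return "\n".join(out)

if __name__ == "__main__":
    print(convert_pix_nat(PIX_CONFIG))
```

The emitted nat statements keep the ACL's line order, which matters because ASA manual NAT is evaluated first-match just like the PIX policy-NAT ACL, so an overlapping subnet entry placed before a host entry would shadow it on either platform.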