PIX nat to ASA nat question

Drew Browning
Level 1

How do I convert my old Cisco PIX nat statement to the Cisco ASA 9.1 code?

Original NAT statement:

global (outside) 71 1.1.1.1
nat (inside) 71 access-list ACL-inbound 0 0

access-list ACL-inbound permit ip host 192.168.1.1 any 

6 Replies

I did look at that prior to posting this, but it didn't have exactly what I was looking for, and I was also looking for a little bit of detail and explanation on how and why it works with the new code.

You have a policy-NAT config with an ACL that has a destination of "any", so you could also write that statement as

global (outside) 71 1.1.1.1
nat (inside) 71 192.168.1.1 255.255.255.255

That's a dynamic NAT-translation that can be configured in two ways in the new code:

With Auto/Object-NAT:

object network HOST
  host 192.168.1.1
  nat (inside,outside) dynamic 1.1.1.1

With manual-NAT:

object network HOST
  host 192.168.1.1
object network HOST-NAT
  host 1.1.1.1

nat (inside,outside) source dynamic HOST HOST-NAT

Perfect!!!

Thank you

What if I were to have this...

global (outside) 71 1.1.1.1
nat (inside) 71 access-list ACL-inbound 0 0

access-list ACL-inbound permit ip host 192.168.1.1 any
access-list ACL-inbound permit ip host 192.168.1.2 host 169.0.0.1
access-list ACL-inbound permit ip 192.168.1.1 255.255.255.0 any

You have to split that as you have two different needs:

  • Normal NAT

That can be configured as the above-mentioned manual NAT, where you can also use an object-group instead of an object. The third ACL line is probably a typo?

object-group network NAT1
  network-object host 192.168.1.1
  network-object 192.168.2.0 255.255.255.0
!
nat (inside,outside) source dynamic NAT1 HOST-NAT

  • Policy NAT

For that you also have to configure manual NAT, as you need to specify the destination. Here the destination is not changed:

object network HOST1
  host 192.168.1.2
object network DEST-HOST
  host 169.0.0.1
!
nat (inside,outside) source dynamic HOST1 HOST-NAT destination static DEST-HOST DEST-HOST

BTW: This is more a Security-Firewalling topic. You should move it to the right area of the forum.
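As an added example (not code from the thread or from Cisco), a small Python converter that applies the split described in the replies above: ACL lines with destination "any" become one dynamic manual-NAT rule over an object-group, and lines with a specific destination become a policy rule whose destination is kept unchanged. It only handles the global/nat ... access-list form, the POOL-/NAT- object names are assumptions, and the sample input is the thread's own PIX lines.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the PIX lines posted in this thread (third ACL line kept as posted).
PIX_CONFIG = """\
global (outside) 71 1.1.1.1
nat (inside) 71 access-list ACL-inbound 0 0
access-list ACL-inbound permit ip host 192.168.1.1 any
access-list ACL-inbound permit ip host 192.168.1.2 host 169.0.0.1
access-list ACL-inbound permit ip 192.168.1.1 255.255.255.0 any
"""

def endpoint(t, i):
    """Read one ACL address at t[i]; return ((kind, value), next index)."""
    if t[i] == "any":
        return ("any", ""), i + 1
    if t[i] == "host":
        return ("host", t[i + 1]), i + 2
    # strict=False drops stray host bits (the suspected typo) -> valid network address
    net = ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)
    return ("subnet", f"{net.network_address} {net.netmask}"), i + 2

def convert(pix_config):
    """Return ASA 8.3+ manual-NAT lines; POOL-/NAT- object names are hypothetical."""
    pools, nats, acls = {}, [], defaultdict(list)
    for t in (line.split() for line in pix_config.splitlines()):
        if t[:1] == ["global"]:
            pools[t[2]] = (t[1].strip("()"), t[3])               # nat id -> (outside if, IP)
        elif t[:1] == ["nat"] and "access-list" in t:
            nats.append((t[1].strip("()"), t[2], t[t.index("access-list") + 1]))
        elif t[:1] == ["access-list"] and t[2] == "permit":
            src, i = endpoint(t, 4)
            dst, _ = endpoint(t, i)
            acls[t[1]].append((src, dst))
    out = []
    for in_if, nat_id, acl in nats:
        out_if, pool_ip = pools[nat_id]
        pool = f"POOL-{nat_id}"
        out += [f"object network {pool}", f" host {pool_ip}"]
        normal = [s for s, d in acls[acl] if d[0] == "any"]       # plain dynamic NAT
        policy = [(s, d) for s, d in acls[acl] if d[0] != "any"]  # policy NAT (dest kept)
        if normal:  # one dynamic rule covers every "destination any" source
            out.append(f"object-group network NAT-{nat_id}-SRC")  # members: 'host X' or 'NET MASK'
            out += [f" network-object {'host ' if k == 'host' else ''}{v}" for k, v in normal]
            out.append(f"nat ({in_if},{out_if}) source dynamic NAT-{nat_id}-SRC {pool}")
        for n, (s, d) in enumerate(policy, 1):
            so, do = f"NAT-{nat_id}-SRC{n}", f"NAT-{nat_id}-DST{n}"
            out += [f"object network {so}", f" {s[0]} {s[1]}", f"object network {do}", f" {d[0]} {d[1]}",
                    f"nat ({in_if},{out_if}) source dynamic {so} {pool} destination static {do} {do}"]
    return out
```

Run `print("\n".join(convert(PIX_CONFIG)))` to see the generated objects and the two nat statements; review the normalised subnet before pasting anything into a firewall.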
