PIX nat to ASA nat question

Drew Browning
Level 1

How do I convert my old Cisco PIX nat statement to the Cisco ASA 9.1 code?

Original NAT statement:

global (outside) 71 1.1.1.1
nat (inside) 71 access-list ACL-inbound 0 0

access-list ACL-inbound permit ip host 192.168.1.1 any

6 Replies

I did look at that prior to posting this, but it didn't have exactly what I was looking for, and I was also looking for a little bit of detail and explanation on how and why it works with the new code.

You have a policy-NAT config with an ACL whose destination is "any", so you could also write that statement as

global (outside) 71 1.1.1.1
nat (inside) 71 192.168.1.1 255.255.255.255

That's a dynamic NAT-translation that can be configured in two ways in the new code:

With Auto/Object-NAT:

object network HOST
  host 192.168.1.1
  nat (inside,outside) dynamic 1.1.1.1

With manual-NAT:

object network HOST
  host 192.168.1.1
object network HOST-NAT
  host 1.1.1.1

nat (inside,outside) source dynamic HOST HOST-NAT

Perfect!!!

Thank you

What if I were to have this...

global (outside) 71 1.1.1.1
nat (inside) 71 access-list ACL-inbound 0 0

access-list ACL-inbound permit ip host 192.168.1.1 any
access-list ACL-inbound permit ip host 192.168.1.2 host 169.0.0.1
access-list ACL-inbound permit ip 192.168.1.1 255.255.255.0 any

You have to split that as you have two different needs:

  • Normal NAT

That can be configured as the above-mentioned manual NAT, where you can also use an object-group instead of an object. The third ACL-line is probably a typo?

object-group network NAT1
  network-object host 192.168.1.1
  network-object 192.168.2.0 255.255.255.0
!
nat (inside,outside) source dynamic NAT1 HOST-NAT

  • Policy NAT

For that you also have to configure manual NAT, as you need to specify the destination. Here the destination is not changed:

object network HOST1
  host 192.168.1.2
object network DEST-HOST
  host 169.0.0.1
!
nat (inside,outside) source dynamic HOST1 HOST-NAT destination static DEST-HOST DEST-HOST

BTW: This is more a Security-Firewalling topic. You should move it to the right area of the forum.
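As an added example (not code from the thread or from Cisco), here is a small Python converter that automates what the two answers above describe by hand: it reads PIX `global`/`nat` statements (either the `access-list` form or the plain `ip mask` form), groups the ACL entries whose destination is `any` into one object-group with a single dynamic manual-NAT rule, and turns each entry with a specific destination into a policy-NAT rule whose destination is kept unchanged. The object names (NAT71-PAT, NAT71-SRC, ...) are my own convention, and the sample input is constructed from the lines quoted in this thread.

```python
# Sample input constructed from the lines quoted in the thread (not from a real device).
PIX_CONFIG = """\
global (outside) 71 1.1.1.1
nat (inside) 71 access-list ACL-inbound 0 0
access-list ACL-inbound permit ip host 192.168.1.1 any
access-list ACL-inbound permit ip host 192.168.1.2 host 169.0.0.1
access-list ACL-inbound permit ip 192.168.2.0 255.255.255.0 any
"""

def _endpoint(tokens):
    """Consume one ACL endpoint (host X | any | net mask); return (spec, rest)."""
    if tokens[0] == "host":
        return "host " + tokens[1], tokens[2:]
    if tokens[0] == "any":
        return "any", tokens[1:]
    return tokens[0] + " " + tokens[1], tokens[2:]

def _body(spec):
    """Endpoint spec -> 'object network' body line (host X | subnet net mask)."""
    return spec if spec.startswith("host ") else "subnet " + spec

def pix_to_asa(config):
    """Return ASA 8.3+/9.x NAT lines equivalent to PIX global/nat/access-list lines."""
    pools, nats, acls = {}, [], {}
    for t in filter(None, (line.split() for line in config.splitlines())):
        if t[0] == "global":                          # global (outside) <id> <pat-ip>
            pools[t[2]] = (t[1].strip("()"), t[3])
        elif t[0] == "nat" and t[3] == "access-list":  # nat (inside) <id> access-list NAME 0 0
            nats.append((t[1].strip("()"), t[2], t[4]))
        elif t[0] == "nat":                           # nat (inside) <id> <ip> <mask>: dest "any"
            src = "host " + t[3] if t[4] == "255.255.255.255" else t[3] + " " + t[4]
            nats.append((t[1].strip("()"), t[2], [(src, "any")]))
        elif t[0] == "access-list" and t[2] == "permit":
            src, rest = _endpoint(t[4:])
            acls.setdefault(t[1], []).append((src, _endpoint(rest)[0]))
    out = []
    for inside, nat_id, acl in nats:
        outside, pat_ip = pools[nat_id]
        entries = acls[acl] if isinstance(acl, str) else acl
        pool = f"NAT{nat_id}-PAT"
        out += [f"object network {pool}", f"  host {pat_ip}"]
        plain = [s for s, d in entries if d == "any"]
        if plain:  # normal NAT: one object-group, one dynamic manual-NAT rule
            out += [f"object-group network NAT{nat_id}-SRC"] + [f"  network-object {s}" for s in plain]
            out.append(f"nat ({inside},{outside}) source dynamic NAT{nat_id}-SRC {pool}")
        for i, (s, d) in enumerate([e for e in entries if e[1] != "any"], 1):
            so, do = f"NAT{nat_id}-SRC{i}", f"NAT{nat_id}-DST{i}"  # policy NAT: destination kept
            out += [f"object network {so}", f"  {_body(s)}", f"object network {do}", f"  {_body(d)}",
                    f"nat ({inside},{outside}) source dynamic {so} {pool} destination static {do} {do}"]
    return out
```

Run `print("\n".join(pix_to_asa(PIX_CONFIG)))` to see the generated ASA lines; review the object names and rule order before pasting into a real device, since manual-NAT rules are evaluated in the order they appear in section 1.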
