I'm very new to the 9.1 code and struggling with the new NAT translation. I'll try to explain the best I can what I'm wanting to do. For testing I can do everything via CLI or ASDM, but in the end I will have to convert any command over to Cisco Security Manager because that is what we use to manage all our firewalls.

Currently we have a public IP address, let's say x.x.x.5. I have another public IP, x.x.x.6, that I want all my internal workstations to use for going out to the Internet. Basically, when I go to whatsmyip from a workstation I want it to show x.x.x.6. Normally in 8.2 code I would use a pool on the public interface with x.x.x.6 and assign the internal subnets to it. However, in 9.1 code it's not as simple, at least from what I'm seeing. What I would like to do is something like this:

Private interface subnet 172.28.0.0 (LAN1) to access the Internet via public interface NAT x.x.x.6 (Public_Nat)
Private interface subnet 172.27.0.0 (LAN2) to access the Internet via public interface NAT x.x.x.6 (Public_Nat)

Here is my current nat:

nat (private,public) source static LAN1 LAN1 destination static Public_Nat Public_Nat

Here is the packet-tracer output, and as you can see in Phase 3, NAT bypasses my rule and uses per-session.
firewall01# packet-tracer input private tcp 172.28.2.1 1024 126.96.36.199 2334

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 public

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_private in interface private
access-list CSM_FW_ACL_private extended permit ip object Server_Vlan any4
access-list CSM_FW_ACL_private remark Allow All Traffic on the Internet Vlan outbound
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
class-map IPSTraffic
 match any
policy-map CSM_PM_1
 class IPSTraffic
  ips inline fail-open
service-policy CSM_PM_1 interface public
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 244, packet dispatched to next module

Result:
input-interface: private
input-status: up
input-line-status: up
output-interface: public
output-status: up
output-line-status: up
Action: allow

Any help would be appreciated!
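An added example (not the poster's configuration) of the dynamic form of the same manual NAT rule in 8.3+/9.x syntax, which translates Internet-bound traffic from both LANs to x.x.x.6 on the public interface; a packet-tracer run that matches a NAT rule lists that rule under the NAT phase's Config: section, which the trace above does not show. It keeps the object and interface names from the post and assumes /16 masks for the two subnets.

```cisco
! Added example config, not the running config from the post.
! Assumption: LAN1 and LAN2 are /16 networks; x.x.x.6 is the post's placeholder.
object network LAN1
 subnet 172.28.0.0 255.255.0.0
object network LAN2
 subnet 172.27.0.0 255.255.0.0
object network Public_Nat
 host x.x.x.6
object-group network Internal_LANs
 network-object object LAN1
 network-object object LAN2
!
! Manual (twice) NAT, dynamic form: a single-host mapped object gives PAT,
! so every internal host leaves the public interface as x.x.x.6.
! The identity rule "source static LAN1 LAN1 destination static Public_Nat
! Public_Nat" only matches packets whose destination is x.x.x.6, so
! Internet-bound packets never hit it and no NAT rule appears in the trace.
nat (private,public) source dynamic Internal_LANs Public_Nat
!
! Verification (exec mode): the NAT phase should now show the rule under
! Config: with a "Dynamic translate" line, and show nat should count
! translate_hits for it.
packet-tracer input private tcp 172.28.2.1 1024 126.96.36.199 80
show nat detail
```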
I'm working on configuring two ASA 5520s in an Active/Standby configuration. I've got almost everything the same between the two units for AnyConnect to work except the following two items:

AnyConnect Client Profiles
AnyConnect Client Software

If I upload the software manually to the Standby unit I get a warning about them not being in sync, and on the active unit if I do a 'write standby' it does not copy the profile or software. Anybody have any ideas on this?

Thanks
Dan