Policy NAT config in 8.3 version

vucko-sanel
Level 1

Hi guys,

I need help from some of you to migrate the following VPN (site-to-site) config from ASA 8.2 to ASA 8.3.

ASA 8.2

interface Vlan x

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

global (outside) 176  172.28.176.10

nat (inside) 176 access-list policy_nat

!

access-list policy_nat extended permit ip 192.168.1.0 255.255.255.0 10.190.0.0 255.255.0.0

I started to create an object-group for the local and remote networks but am just/still missing the "policy-nat" config...

ASA v8.3

object network local-network

subnet 192.168.1.0 255.255.255.0

!

object network remote-network

subnet 10.190.0.0 255.255.0.0

!

object network policy-nat-vpn-range

subnet 172.28.180.0 255.255.255.0

!

object network policy-nat-WAN-IP

host 172.28.180.1

.....

Br,

/S


4 Replies

Jennifer Halim
Cisco Employee

here you go (and using your existing object):

object network obj-172.28.176.10

   host 172.28.176.10

nat (inside,outside) source dynamic local-network obj-172.28.176.10 destination static remote-network remote-network
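The complete 8.3 form of the policy NAT from the original post, with the checks to run after applying it. This is an added example and not part of the thread; the crypto ACL name (outside_cryptomap) and the inside test host are assumptions, everything else is taken from the posts above.

```cisco
! Added example (not from the thread): 8.3 policy NAT for the
! site-to-site VPN in the original post, plus verification.
! The ACL name outside_cryptomap and the host 192.168.1.10 used in
! packet-tracer are assumed; all other names come from the thread.
!
! --- 8.2 original, for reference ---
! global (outside) 176 172.28.176.10
! nat (inside) 176 access-list policy_nat
! access-list policy_nat extended permit ip 192.168.1.0 255.255.255.0 10.190.0.0 255.255.0.0
!
! --- 8.3 equivalent ---
object network local-network
 subnet 192.168.1.0 255.255.255.0
object network remote-network
 subnet 10.190.0.0 255.255.0.0
object network obj-172.28.176.10
 host 172.28.176.10
!
! Manual (twice) NAT: the "destination static" clause carries the
! policy part of the 8.2 ACL. The mapped object is a single host, so
! the source is PATed to 172.28.176.10, as the 8.2 global did.
nat (inside,outside) source dynamic local-network obj-172.28.176.10 destination static remote-network remote-network
!
! NAT runs before encryption on the ASA, so the crypto ACL must match
! the translated source, not 192.168.1.0/24. (ACL name assumed.)
access-list outside_cryptomap extended permit ip host 172.28.176.10 10.190.0.0 255.255.0.0
!
! --- Checks ---
! Manual NAT (section 1) is evaluated in order and before object NAT
! (section 2), so a general "nat (inside,outside) dynamic interface"
! under local-network cannot shadow this rule. Only a broader manual
! rule placed above it could; keep the VPN rule near the top.
show nat detail
! Simulate an inside host reaching the remote VPN subnet. The NAT
! phase of the output should name the rule above and the translated
! source should be 172.28.176.10.
packet-tracer input inside tcp 192.168.1.10 12345 10.190.1.1 80
```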

Thanks Jennifer - let me test this solution and come back to you!

Jennifer, your solution works fine - thanks for your help!

I have a similar question regarding ASA 8.3 code.

I am trying to understand the following code in v8.3:

ASA 8.2

access-list nat extended permit ip host 10.0.2.2 any

access-list nat extended permit ip host 10.0.2.3 any

access-list nat extended permit ip host 10.0.2.4 any

access-list nat extended permit ip host 10.0.2.10 any

!

global (outside) 1 20.20.20.20

nat (inside) 1 access-list nat

ASA 8.3 (is this code correct?)

object network internal_lan

  range 10.0.2.2 10.0.2.4

  host 10.0.2.10

nat (inside,outside) dynamic 20.20.20.20

I guess I don't need any ACL if the new code above is correct?

and this one as well:

ASA 8.2

nat (inside) 0 access-list nonat

!

access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.0.8.0 255.255.255.0

access-list nonat extended permit ip any 172.16.0.0 255.255.0.0

ASA 8.3 (is this code correct?)

object network obj-10.0.2.0

  subnet 10.0.2.0 255.255.255.0

!

object network obj-10.0.8.0

  subnet 10.0.8.0 255.255.255.0

!

object network obj-172.16.0.0

  subnet 172.16.0.0 255.255.0.0

nat (inside,outside) source static obj-10.0.2.0 obj-10.0.2.0 destination static obj-10.0.8.0 obj-10.0.8.0

or

nat (inside,any) source static obj-10.0.2.0 obj-10.0.2.0 destination static obj-10.0.8.0 obj-10.0.8.0

nat (inside,outside) source static any any destination static obj-172.16.0.0 obj-172.16.0.0

or

nat (inside,any) source static any any destination static obj-172.16.0.0 obj-172.16.0.0

The nonat configuration is spot on, correct.

The policy NAT should be as follows:

object network global_20.20.20.20

  host 20.20.20.20

object network internal_10.0.2.2_10.0.2.4

  range 10.0.2.2 10.0.2.4

  nat (inside,outside) dynamic global_20.20.20.20

object network internal_10.0.2.10

  host 10.0.2.10

  nat (inside,outside) dynamic global_20.20.20.20
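The second migration assembled in one place, with the nonat (identity) rules and the PAT rules in the order the ASA evaluates them, and the checks that confirm a VPN-bound flow stays untranslated while an internet-bound flow is PATed. This is an added example, not part of the thread; object names are the ones used in the posts above, and the two packet-tracer destinations (10.0.8.5 and 198.51.100.1) are assumed.

```cisco
! Added example (not from the thread): the full 8.3 configuration for
! the second question, ordered by NAT section, plus verification.
! Object names come from the thread; the packet-tracer destinations
! 10.0.8.5 and 198.51.100.1 are assumed.
!
! --- 8.2 original, for reference ---
! nat (inside) 0 access-list nonat
! access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.0.8.0 255.255.255.0
! access-list nonat extended permit ip any 172.16.0.0 255.255.0.0
! global (outside) 1 20.20.20.20
! nat (inside) 1 access-list nat   (hosts 10.0.2.2-10.0.2.4 and 10.0.2.10)
!
! --- 8.3 section 1: manual (twice) NAT, evaluated first and in order ---
object network obj-10.0.2.0
 subnet 10.0.2.0 255.255.255.0
object network obj-10.0.8.0
 subnet 10.0.8.0 255.255.255.0
object network obj-172.16.0.0
 subnet 172.16.0.0 255.255.0.0
! Identity NAT replaces "nat 0 access-list": real and mapped objects
! are the same, so VPN traffic leaves with its real source address.
nat (inside,outside) source static obj-10.0.2.0 obj-10.0.2.0 destination static obj-10.0.8.0 obj-10.0.8.0
nat (inside,outside) source static any any destination static obj-172.16.0.0 obj-172.16.0.0
!
! --- 8.3 section 2: object (auto) NAT, reached only when no section-1
! rule matched, i.e. for non-VPN destinations ---
object network global_20.20.20.20
 host 20.20.20.20
object network internal_10.0.2.2_10.0.2.4
 range 10.0.2.2 10.0.2.4
 nat (inside,outside) dynamic global_20.20.20.20
object network internal_10.0.2.10
 host 10.0.2.10
 nat (inside,outside) dynamic global_20.20.20.20
! A single-address mapped object gives PAT, matching the 8.2
! "global (outside) 1 20.20.20.20". Because the 8.2 ACL listed
! individual hosts and not the /24, only these four hosts are
! translated; any other 10.0.2.x host has no NAT rule and leaves
! untranslated.
!
! --- Checks ---
! Rules are listed by section; the two identity rules must appear
! above the object NAT entries.
show nat
! VPN-bound flow: should hit the identity rule, source stays 10.0.2.2.
packet-tracer input inside tcp 10.0.2.2 12345 10.0.8.5 443
! Internet-bound flow: should hit the object NAT, source becomes 20.20.20.20.
packet-tracer input inside tcp 10.0.2.2 12345 198.51.100.1 443
```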