Clear xlate on an ASA?

Answered Question
Jul 20th, 2009

So I'm finally migrating my PIX 520 to an ASA. My platform was too old to qualify for the upgrade tool, so I'm training myself on the GUI as I manually migrate my config over.

We used to do clear translations on the PIX between inside and the DMZ. Is there an equivalent on the ASA? Is that the translation exemption rule?

JM

deyster94 Mon, 07/20/2009 - 12:34

Clear xlate will clear all the translations. If you want to be more specific, you can do a clear xlate interface

thanmad Mon, 07/20/2009 - 13:16

I'm not talking about clearing the translations, but a "clear translation"...for example:

static (inside,DMZ) 10.1.25.0 10.1.25.0 netmask 255.255.255.0 0 0

The goal of this is to not have to do real NAT translations between the DMZ and the inside.

Hope that makes more sense.

deyster94 Mon, 07/20/2009 - 17:11

Gotcha. The clear xlate in your title is what threw me off.

At any rate, you still have to do that on the ASA.

cisco24x7 Tue, 07/21/2009 - 02:59

That's NOT correct. The answer is, like everything else in life, "it depends".

Let's say you use the ASA just like a router. In other words, there is no NAT between inside and outside and inside and DMZ; your first option is this:

no nat-control (which is enabled by default on the ASA or PIX 7.x anyway)

However, if you have something like this:

nat (inside) 1 0 0

global (outside) 1 interface

When you do this, you will immediately revert the ASA code, in terms of NAT, back to the 6.3.x code. Therefore, if you want to go from inside to DMZ, then what deyster94 stated is correct.

Confusing, isn't it?

thanmad Tue, 07/21/2009 - 06:43

OK, well, I still want my NATting from Inside->Outside and DMZ->Outside.

I'm looking for clear translations between the Inside->DMZ and I still want the firewalling in place Inside=100 DMZ=50.

Is this still accomplished with the static statements or is there a new way? The whole reason I ask is I'm using the GUI and don't see the way to do it. Unless I just feed it in Configuration->Nat->Add Address Translation Rule and pick "same address"?

Correct Answer
deyster94 Tue, 07/21/2009 - 06:45

It's still accomplished with the static statement. You can do it in the GUI, but if you are comfortable with using the CLI, I would do it that way.

thanmad Tue, 07/21/2009 - 07:07

Yeah, I'm a command line guy at heart, but last time I tried an import from a newer PIX into an ASA there were lines in CLI that I could never find displayed in ASDM. Now either I just could never find where they were displayed, or not all the commands were supported in ASDM yet.

Either way, it made me a little hesitant in switching back and forth between CLI and the GUI. Since I've got to let others touch this firewall, we're going GUI :)

Thanks for the info!
