SOLVED: ASA 5505 8.3 Upgrade killed my NAT static port maps

Unanswered Question
May 19th, 2010

I have a client who upgraded their ASA 5505 from 7.2 to 8.3(1). Everything appeared to be working until time passed and they realized they weren't receiving e-mail. Long story short, after some investigation I realized from the Release Notes that 8.3 completely changes NAT, and uses "Real IP" for static mappings, etc.


I found the access-lists in place, but NAT was simplified greatly, so my static NAT routes from before were gone. Googling I found all sorts of CLI examples, and tried adding in the NAT static routes by hand, but I wasn't getting a working config...


Finally, I just looked at what the 8.3 upgrade had "done" and it seemed the 3 NAT lines were right - they would take incoming ports and pass them from the original source to the original destination. Luckily ASDM was the clue using Packet Trace. I saw 3-4 hops in the animation and then it was mysteriously blocked. I looked over the access-list lines again and changed them from the "Real IP" to the Network Object for the private LAN IP, and traffic began flowing again.


Here were the original lines from the config after converting to 8.3:


access-list outside-in extended permit tcp any host 17.16.2.1 eq smtp
access-list outside-in extended permit tcp any host 17.16.2.1 eq www
access-list outside-in extended permit tcp any host 17.16.2.1 eq https


Then what I did to make it work (selected this object through ASDM):


access-list outside-in extended permit tcp any object obj-192.168.1.10 eq smtp
access-list outside-in extended permit tcp any object obj-192.168.1.10 eq www
access-list outside-in extended permit tcp any object obj-192.168.1.10 eq https


And the NAT lines I have, for reference:


object network obj-192.168.1.10
 host 192.168.1.10

...

object network obj-192.168.1.10
 nat (inside,outside) static 17.16.2.1

object network obj_any
 nat (inside,outside) dynamic interface
access-group outside-in in interface outside


Hope this helps from hours of grief.
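
An added example, not part of the original post: a small audit script for a converted 8.3 config that finds access-list entries still pointing at the translated address of a static object NAT rule and prints the object-based line the post ended up with. The function names and the embedded sample config are constructed for illustration, and the parser assumes sub-commands are indented by one space as in a saved running-config.

```python
import re

# Constructed sample: the post's config with the ACL lines as the upgrade left them.
SAMPLE_CONFIG = """\
access-list outside-in extended permit tcp any host 17.16.2.1 eq smtp
access-list outside-in extended permit tcp any host 17.16.2.1 eq www
access-list outside-in extended permit tcp any host 17.16.2.1 eq https
object network obj-192.168.1.10
 host 192.168.1.10
object network obj-192.168.1.10
 nat (inside,outside) static 17.16.2.1
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside-in in interface outside
"""

STATIC_NAT = re.compile(r"nat \(\S+,\S+\) static (\d+\.\d+\.\d+\.\d+)")
ACL_HOST = re.compile(r"\bhost (\d+\.\d+\.\d+\.\d+)")

def static_nat_map(config):
    """Return {translated_ip: object_name} for every static object NAT rule."""
    mapped, current = {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
        elif line[:1].isspace() and current:
            m = STATIC_NAT.search(line)
            if m:
                mapped[m.group(1)] = current
        else:
            current = None  # left the object block
    return mapped

def stale_acl_entries(config):
    """Return (original, suggested) pairs for ACL lines that name a translated address."""
    mapped = static_nat_map(config)
    swap = lambda m: f"object {mapped[m.group(1)]}" if m.group(1) in mapped else m.group(0)
    findings = []
    for line in config.splitlines():
        if line.startswith("access-list "):
            fixed = ACL_HOST.sub(swap, line)
            if fixed != line:
                findings.append((line, fixed))
    return findings

if __name__ == "__main__":
    for old, new in stale_acl_entries(SAMPLE_CONFIG):
        print(f"- {old}\n+ {new}")
```

Treat each finding as a line to review in Packet Tracer before changing it, since the script only matches `host` entries against static object NAT rules.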
