Equivalent NAT config pre-8.3 and with 8.3

Aug 1st, 2010

Dear All


I am doing a migration from pix 6.3 to ASA 8.3 and I have the following nat configuration:


Pre 8.3


interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.50.50.249 255.255.255.0 standby 10.50.50.250
!
interface GigabitEthernet0/1
nameif inside

security-level 100
ip address 10.10.0.1 255.255.0.0 standby 10.10.0.2



global (outside) 1 192.168.100.1-192.168.100.253
global (outside) 1 192.168.100.254
nat (inside) 1 10.10.0.0 255.255.0.0 0 0


I want to use the PAT backup with another IP address, not the interface IP address, so please advise the new configuration for ASA 8.3.


Thanks,

Nagaraja Thanthry (Cisco Employee) Sun, 08/01/2010 - 00:54

Hello,


Please try the following for the NAT configuration:


object network obj-10.10.0.0
subnet 10.10.0.0 255.255.0.0
!
object network obj-192.168.100.1-192.168.100.253
range 192.168.100.1 192.168.100.253
!
object network obj-192.168.100.254
host 192.168.100.254
!
object-group network og_global_outside-1
network-object object obj-192.168.100.1-192.168.100.253
network-object object obj-192.168.100.254
!
object network obj-10.10.0.0
nat (inside,outside) dynamic og_global_outside-1


Hope this helps.


Regards,


NT
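The rewrite in the reply above is mechanical: every `global` pool with the same NAT id becomes a network object, the objects are collected into a group, and the `nat (inside) 1 ...` statement becomes an object NAT rule on the real subnet. The following script is an added example (not Cisco tooling and not the poster's configuration) that performs that rewrite for the two line shapes used in this thread and, since the next post asks about a pool-overlap warning, also reports pools that share addresses. The object names (`obj-<address>`, `og_global_<ifc>-<id>`) follow the reply's convention and are an assumption, not a requirement of the platform.

```python
"""
Rewrite a pre-8.3 'global'/'nat' pair as ASA 8.3 object NAT.
Added example; it only understands the line shapes used in the thread:
  global (ifc) <id> <ip|ip-ip>
  nat (ifc) <id> <net> <mask> [0 0]
"""
import ipaddress
import re
from typing import Dict, List, Tuple

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)(?: 0 0)?$")

# The three NAT lines from the question (constructed copy of the thread's config).
PRE83_CONFIG = """
global (outside) 1 192.168.100.1-192.168.100.253
global (outside) 1 192.168.100.254
nat (inside) 1 10.10.0.0 255.255.0.0 0 0
"""

Pools = Dict[str, List[Tuple[str, str]]]              # nat id -> [(mapped_ifc, pool)]
Nats = List[Tuple[str, str, ipaddress.IPv4Network]]   # (real_ifc, nat id, real subnet)


def parse_pre83(text: str) -> Tuple[Pools, Nats]:
    """Group 'global' pools by NAT id and collect 'nat' statements."""
    pools: Pools = {}
    nats: Nats = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := GLOBAL_RE.match(line):
            ifc, nat_id, pool = m.groups()
            pools.setdefault(nat_id, []).append((ifc, pool))
        elif m := NAT_RE.match(line):
            ifc, nat_id, net, mask = m.groups()
            nats.append((ifc, nat_id, ipaddress.IPv4Network(f"{net}/{mask}", strict=False)))
        else:
            raise ValueError(f"unsupported line: {line}")
    return pools, nats


def pool_bounds(pool: str) -> Tuple[int, int]:
    """First and last address of a pool written as 'a-b' or as a single host."""
    lo, _, hi = pool.partition("-")
    return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi or lo))


def overlapping_pools(pools: List[str]) -> List[Tuple[str, str]]:
    """Every pair of pools that share at least one address (what the ASA warns about)."""
    found = []
    for i, a in enumerate(pools):
        a_lo, a_hi = pool_bounds(a)
        for b in pools[i + 1:]:
            b_lo, b_hi = pool_bounds(b)
            if a_lo <= b_hi and b_lo <= a_hi:
                found.append((a, b))
    return found


def to_83(text: str) -> str:
    """Emit 8.3 object NAT: real object, one object per pool, a group, and the dynamic rule."""
    pools, nats = parse_pre83(text)
    out: List[str] = []
    for real_ifc, nat_id, net in nats:
        entries = pools.get(nat_id)
        if not entries:
            raise ValueError(f"nat id {nat_id} has no matching global")
        mapped_ifc = entries[0][0]
        clash = overlapping_pools([p for _, p in entries])
        if clash:
            raise ValueError(f"overlapping pools for id {nat_id}: {clash}")
        real_obj = f"obj-{net.network_address}"
        out += [f"object network {real_obj}", f" subnet {net.network_address} {net.netmask}", "!"]
        members = []
        for _, pool in entries:
            name = f"obj-{pool}"                      # naming convention assumed from the reply
            members.append(name)
            lo, _, hi = pool.partition("-")
            out += [f"object network {name}", f" range {lo} {hi}" if hi else f" host {lo}", "!"]
        group = f"og_global_{mapped_ifc}-{nat_id}"
        out += [f"object-group network {group}"] + [f" network-object object {m}" for m in members] + ["!"]
        # Re-enter the real object to attach the rule; the group carries both the range and the PAT host.
        out += [f"object network {real_obj}", f" nat ({real_ifc},{mapped_ifc}) dynamic {group}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(to_83(PRE83_CONFIG))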

Ahmad Samir Sun, 08/01/2010 - 02:08

Dear Nagaraja


Thanks for your reply


I tried it but it gives me this warning:


WARNING: Pool (192.168.100.254) overlap with existing pool


Please advise


Thanks,

Nagaraja Thanthry (Cisco Employee) Sun, 08/01/2010 - 07:54

Hello,


Did you already have a NAT configuration involving 192.168.100.254 address in the configuration? If not, then you can ignore that warning message.


Regards,


NT

Ahmad Samir Mon, 08/02/2010 - 03:29

Dear Nagaraja


Are you sure that I can ignore it?


Another important question:


If I have interface gi0/0 as outside with security level 0


If I have interface gi0/1 as inside with security level 100


If I have interface gi0/2 as DMZ with security level 50


If I just do natting for the traffic from inside to DMZ only, what about the other traffic from (outside to inside) or (outside to DMZ) or (DMZ to inside) or (DMZ to outside)?


I am asking this question because I have a server on the outside and I want to give it full access to another server on the inside and DMZ. So can I just apply an access-list on the outside interface without configuring any natting, or is natting needed from a lower security level to a higher security level?


Thanks in advance,

Nagaraja Thanthry (Cisco Employee) Mon, 08/02/2010 - 06:32

Hello Ahmad,


You do need NAT when going from higher security to lower security. However, you can do a static NAT for a specific destination as well (similar to policy NAT in pre-8.3 code).


nat (inside,outside) source static destination static


For example,


Inside server -- 10.1.1.1
mapped IP -- 100.1.1.1
Destination server IP -- 64.1.1.1

object network inside_server
host 10.1.1.1
!
object network inside_server_public
host 100.1.1.1
!
object network public_server
host 64.1.1.1
!
nat (inside,outside) source static inside_server inside_server_public destination static public_server public_server


You need to repeat the above for your DMZ server as well and then you need to configure access-lists accordingly. Remember that in 8.3, the access-lists take real IP addresses instead of mapped IP addresses on the outside interface. So, when you configure the access-list, you need to use the actual IP address of the inside server as destination.


Hope this helps.


NT

Ahmad Samir Mon, 08/02/2010 - 23:03

Dear Nagaraja


Thanks for your reply.


The outside interface I mentioned is not the Internet, because the firewall is a LAN firewall, not an Internet firewall.


inside = Servers, outside = Users, DMZ = Servers


I have policies from outside to inside, DMZ to inside, outside to DMZ, etc.


I don't want to do NAT between the segments. So, what can I do?


It would also be good if you could explain the NAT process, and what about nat-control?


Thanks,

Nagaraja Thanthry (Cisco Employee) Tue, 08/03/2010 - 06:35

Hello Ahmad,


If you do not need NAT at all between the interfaces, then you need to configure identity NAT. In pre-8.3 code, there was an option to disable the NAT requirement (no nat-control) and that would have addressed the issue. However, in 8.3 code, NAT is automatically enabled and the "nat-control" command is removed. So, in effect, if you want to disable NAT, you need to configure identity NAT between the interfaces. I am assuming that your outside interface is at security level "0" and inside is at "100" with DMZ being somewhere in between. You can use the standard NAT procedure.


object network LAN_1
subnet
nat (any,any) source static DMZ DMZ_1


You do not need to worry about outside as, since it is at the lowest security level, it will automatically be using its own IP when coming to inside or DMZ.


Hope this helps.


Regards,


NT

Ahmad Samir Tue, 08/03/2010 - 23:30

Dear Nagaraja


Thanks again for your reply


interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 10.50.50.2 255.255.255.0 standby 10.50.50.3
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 10.40.40.2 255.255.255.0 standby 10.40.40.3
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 10.8.8.2 255.255.255.0 standby 10.8.8.3
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.1
vlan 6
nameif OUT-SERV
security-level 75
ip address 10.6.6.2 255.255.0.0 standby 10.6.6.3
!
interface GigabitEthernet0/3.2
vlan 7
nameif MGT
security-level 100
ip address 10.4.22.96 255.255.254.0
management-only
!
interface Management0/0
description LAN/STATE Failover Interface



I have 10.70.0.0/16 behind the interface OUT-SERV and I want to do natting for it if it goes to the server (192.168.1.123) on the outside. Any other traffic between the segments has to go without NAT.


So if you can give me the configuration in detail, it will be helpful and appreciated.


Also, regarding the MGT interface: do I have to use the standby command under the interface, or do I have to configure each ASA with a different management IP without the standby command?


Thanks in advance for your help,

Nagaraja Thanthry (Cisco Employee) Wed, 08/04/2010 - 05:51

Hello,


Please try the following:


object network Server
host 192.168.1.123
!
object network OUT_SRV_USR
subnet 10.17.0.0 255.255.0.0
!
nat (OUT-SERV,OUTSIDE) source dynamic OUT_SRV_USR interface destination static Server Server
!
object network OUT_SERV_USR
subnet 10.17.0.0 255.255.0.0
!
nat (any,any) source static OUT_SERV_USR OUT_SRV_USR


The above configuration will ensure that the traffic from the 10.17.0.0 subnet gets NATted to the outside interface IP when going to the 192.168.1.123 server. At the same time, it goes un-NATted to all other locations.


With regard to your management interface IP question, you can use a standby IP just like any other interface.


Hope this helps.


Regards,


NT
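Both twice NAT rules in the reply above land in section 1 of the 8.3 NAT table, which is searched in the order the rules were entered and stops at the first match; that is why the destination-specific PAT rule is entered before the catch-all identity rule. The script below is an added example (not Cisco code and not part of the thread) that models exactly that first-match lookup for the rules in this reply and for the policy static NAT example given earlier in the thread (inside_server / inside_server_public / public_server). Interface addresses and object contents are taken from the posts; the hosts in the sample lookups are constructed, and only the parts of the lookup needed here are modelled (sections 2 and 3 are not).

```python
"""
First-match model of ASA 8.3 section-1 (twice NAT) lookup.
Added example; rules and addresses copied from the thread, sample hosts constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Active-unit interface IPs from the config posted in the question.
IFACE_IP = {"OUTSIDE": "10.50.50.2", "INSIDE": "10.40.40.2",
            "DMZ": "10.8.8.2", "OUT-SERV": "10.6.6.2"}

# Network objects as defined in the two replies (10.17.0.0/16 is the value the reply used).
OBJECTS = {
    "Server": ipaddress.ip_network("192.168.1.123/32"),
    "OUT_SRV_USR": ipaddress.ip_network("10.17.0.0/16"),
    "OUT_SERV_USR": ipaddress.ip_network("10.17.0.0/16"),
    "inside_server": ipaddress.ip_network("10.1.1.1/32"),
    "inside_server_public": ipaddress.ip_network("100.1.1.1/32"),
    "public_server": ipaddress.ip_network("64.1.1.1/32"),
}


@dataclass
class TwiceNat:
    """One 'nat (real,mapped) source ... [destination static X X]' line."""
    real_ifc: str        # "any" matches every interface
    mapped_ifc: str
    src_real: str        # object name
    src_mapped: str      # object name, or "interface" for PAT behind the egress IP
    dst: Optional[str]   # object name of the destination condition, None = any destination


# Section-1 rules in the order the final reply enters them.
RULES = [
    TwiceNat("OUT-SERV", "OUTSIDE", "OUT_SRV_USR", "interface", "Server"),
    TwiceNat("any", "any", "OUT_SERV_USR", "OUT_SERV_USR", None),
]

# The destination-specific static rule from the earlier reply.
POLICY_RULES = [
    TwiceNat("inside", "outside", "inside_server", "inside_server_public", "public_server"),
]


def _ifc_ok(rule_ifc: str, ifc: str) -> bool:
    return rule_ifc == "any" or rule_ifc == ifc


def lookup(src_ifc: str, src_ip: str, dst_ifc: str, dst_ip: str,
           rules: List[TwiceNat] = RULES) -> Tuple[Optional[int], str]:
    """Return (index of the first matching rule, mapped source address).

    (None, src_ip) means no section-1 rule matched; the packet would fall through to
    object NAT (section 2) and section 3, which this model does not cover.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for i, r in enumerate(rules):
        if not (_ifc_ok(r.real_ifc, src_ifc) and _ifc_ok(r.mapped_ifc, dst_ifc)):
            continue
        real_net = OBJECTS[r.src_real]
        if src not in real_net or (r.dst is not None and dst not in OBJECTS[r.dst]):
            continue
        if r.src_mapped == "interface":
            return i, IFACE_IP[dst_ifc]            # dynamic PAT to the egress interface IP
        # Static one-to-one: keep the host's offset inside the mapped object.
        # When real and mapped objects hold the same subnet this is identity NAT.
        mapped_net = OBJECTS[r.src_mapped]
        offset = int(src) - int(real_net.network_address)
        return i, str(mapped_net.network_address + offset)
    return None, str(src)


if __name__ == "__main__":
    for probe in [("OUT-SERV", "10.17.1.5", "OUTSIDE", "192.168.1.123"),
                  ("OUT-SERV", "10.17.1.5", "OUTSIDE", "192.168.1.200"),
                  ("OUT-SERV", "10.17.1.5", "INSIDE", "10.40.40.10")]:
        print(probe, "->", lookup(*probe))
    # Same packet with the two rules swapped: the identity rule now shadows the PAT rule.
    print("swapped:", lookup("OUT-SERV", "10.17.1.5", "OUTSIDE", "192.168.1.123", rules=RULES[::-1]))
```

Running the swapped-order probe shows the practical caveat: if the identity rule were entered first, every 10.17.0.0/16 source would match it and nothing would ever be PATted to the outside interface, because section 1 never looks past the first match. The earlier point in the thread about 8.3 access-lists applies here too: the ACL on the egress interface is written against the real source address, not the mapped one returned by the lookup.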
