Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1786
Views
0
Helpful
2
Replies

ASA 5505 8.3 NAT Migration

stephenwilletts
Level 1
Level 1

‎08-17-2010 03:05 AM - edited ‎03-11-2019 11:26 AM

Hello,

Has anyone got v8.3 up and running on a 5500 ASA ?

My old nat commands are no longer supported and I'm not certain of the best format for the new ones.

I've studied the migration guide but just want to confirm my thoughts.

My nat commands are below.

Thanks.

S.

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 192.168.1.0 255.255.255.0

static (inside,outside) tcp 111.222.333.444 smtp 192.168.1.1 smtp netmask 255.255.255.255

static (inside,outside) tcp 111.222.333.444 https 192.168.1.1 https netmask 255.255.255.255

static (inside,outside) tcp 111.222.333.444 www 192.168.1.1 www netmask 255.255.255.255

Labels:
0 Helpful
2 Replies 2

KARUPPUCHAMY MALAIYANDI
Level 4
Level 4

‎08-17-2010 03:21 AM

Hi,

Your thoughts are correct

For more information,just have a look into the below URL.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1043610

Thanks

Samy

0 Helpful

mirober2
Cisco Employee
Cisco Employee

‎11-08-2010 05:31 AM

Hi Stephen,

Here are a couple of quick examples of what the new config will look like:

Pre-8.3:
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
8.3:
object network obj-192.168.1.0
     subnet 192.168.1.0 255.255.255.0
     nat (inside,outside) dynamic interface

Pre-8.3: 
static (inside,outside) tcp 111.222.333.444 smtp 192.168.1.1 smtp netmask 255.255.255.255 
8.3: 
object network obj-192.168.1.1-smtp
    host 192.168.1.1
    nat (inside,outside) static 111.222.333.444 service tcp smtp smtp

Pre-8.3: 
nat (inside) 0 access-list nonat
This will depend on what the nonat access-list looks like. Each line in this ACL will become it's own manual NAT statement. For example:
object network obj-192.168.1.0-nonat
       subnet 192.168.1.0 255.255.255.0
object network obj-10.1.1.0
       subnet 10.1.1.0 255.255.255.0
!
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.1.1.0 obj-10.1.1.0
That will have the equivalent NAT 0 functionality when 192.168.1.0/24 talks to 10.1.1.0/24

Here is another link that will help illustrate the differences between pre-8.3 and 8.3 NAT config:

https://supportforums.cisco.com/docs/DOC-9129

Hope that helps.

-Mike

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card