cisco asa 8.3 migrated cmds

Sep 8th, 2010

Hi support,


I'm stuck with a few cmds in 8.3 while migrating from 8.2;

Could you please let me know how I would convert the below to the 8.3 version..

nat (server) 0 access-list nat-server

access-list nat-server extended deny ip object-group A-NETWORK object-group B-NETWORK

----------



I have done it for the allowed ACL in NAT but am not able to find it for the denied one...

For example, below is the right one.

8.2 version

nat (server) 0 access-list nat-server

access-list nat-server extended permit ip object-group GSMC-FORD-SUBNET 172.x.x.0 255.255.255.0


8.3 version

object network obj-172.x.x.0
  subnet 172.x.x.0 255.255.255.0
nat (server,any) source static A-NETWORK A-NETWORK destination static obj-172.x.x.0 obj-172.x.x.0



mirober2 Wed, 09/08/2010 - 05:24

Hi Rajesh,


The 8.3 version of your NAT exemption will look something like this (be sure to adjust variables in <>):


object network obj-172.x.x.0
  subnet 172.x.x.0 255.255.255.0
!
object network GSMC-FORD-SUBNET
  subnet <network> <mask>
!
nat (server,<interface>) source static GSMC-FORD-SUBNET GSMC-FORD-SUBNET destination static obj-172.x.x.0 obj-172.x.x.0


That config should go at the top of the manual NAT section (section 1).


Hope that helps.


-Mike

Sec IT Wed, 09/08/2010 - 05:41

Thanks Mike for the help...




I agree with the below config
OLD CONFIG....
nat (server) 0 access-list nat-server
access-list nat-server extended permit ip object-group A-NETWORK 172.x.x.0 255.255.255.0

MIGRATED TO...
object network obj-172.x.x.0
  subnet 172.x.x.0 255.255.255.0
nat (server,any) source static A-NETWORK A-NETWORK destination static obj-172.x.x.0 obj-172.x.x.0



But my query is what the below deny ACL would be converted to???
OLD CONFIG....
nat (server) 0 access-list nat-server
access-list nat-server extended deny ip object-group A-NETWORK 172.x.x.0 255.255.255.0

MIGRATED TO....


Will permit & deny have the same configuration after migration???


thanks in advance...

mirober2 Wed, 09/08/2010 - 05:52

Hi Rajesh,


Sorry I missed that. Since we don't use access-lists for NAT in 8.3, you'll need to make sure that your NAT statements don't match the traffic that would have been a "deny" ACE in pre-8.3. As long as the traffic doesn't match the NAT line, it won't follow that translation--this is the 8.3 equivalent of the "deny" ACE.


For example, if you have a 192.168.0.x/24 subnet, but you don't want to NAT exempt the host at 192.168.0.100, you need to use 2 different NAT statements that will exclude the host at 192.168.0.100--one line will match 192.168.0.1 through 192.168.0.99 and one will match 192.168.0.101 through 192.168.0.254. You can use objects with the range keyword to accomplish this:

object network hosts1
  range 192.168.0.1 192.168.0.99
!
object network hosts2
  range 192.168.0.101 192.168.0.254

Hope that helps.


-Mike
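The split-around-the-excluded-host approach above generalises to any number of excluded hosts in a subnet. The following is an added example, not code from the thread or from Cisco: it computes the range objects and emits the matching 8.3 manual NAT lines. The object names (hosts1, hosts2, ...), the "server"/"any" interfaces and the obj-DST-NETWORK destination object are constructed placeholders to adjust for the real config.

```python
"""Build ASA 8.3 NAT-exemption objects that leave excluded hosts untranslated.

Added example (not from the original thread). Pre-8.3 exemption used an ACL
whose 'deny' ACE excluded traffic; 8.3 NAT has no deny, so the source objects
must simply not cover the excluded hosts. We split the subnet's host range
into 'range' objects around every excluded address, as Mike describes.
"""
import ipaddress
from typing import List, Tuple


def split_ranges(subnet: str, excluded: List[str]) -> List[Tuple[str, str]]:
    """Return (first, last) host ranges of `subnet` that skip excluded hosts.

    Network and broadcast addresses are left out, matching the
    192.168.0.1-99 / 192.168.0.101-254 split in the post.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    skip = {ipaddress.ip_address(h) for h in excluded}
    ranges: List[Tuple[str, str]] = []
    start = prev = None
    for host in net.hosts():  # usable hosts only, in address order
        if host in skip:
            if start is not None:  # close the range that ran up to prev
                ranges.append((str(start), str(prev)))
                start = None
        else:
            if start is None:
                start = host
            prev = host
    if start is not None:
        ranges.append((str(start), str(prev)))
    return ranges


def render_exemption(subnet: str, excluded: List[str], src_if: str = "server",
                     dst_if: str = "any", dst_obj: str = "obj-DST-NETWORK") -> str:
    """Emit range objects plus one identity (static A A) NAT line per range.

    dst_obj is a placeholder for an existing network object on the ASA.
    """
    objects, nat_lines = [], []
    for i, (lo, hi) in enumerate(split_ranges(subnet, excluded), 1):
        name = f"hosts{i}"  # constructed object name
        objects += [f"object network {name}", f"  range {lo} {hi}", "!"]
        nat_lines.append(f"nat ({src_if},{dst_if}) source static {name} {name} "
                         f"destination static {dst_obj} {dst_obj}")
    return "\n".join(objects + nat_lines)


if __name__ == "__main__":
    print(render_exemption("192.168.0.0/24", ["192.168.0.100"]))
```

After pasting the output, `show nat` should list the new lines at the top of the manual NAT section, and a packet-tracer run sourced from the excluded host should show it falling through to the later NAT rules rather than the exemption.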

praprama Wed, 09/08/2010 - 06:00

Hi,


In 8.2 and prior versions, there was a NAT order of operation and in that nat exemption came before anything else. I guess the deny ACL you had was the traffic you did not want to get exempted from NAT.


In 8.3, the NAT order of operation is only based on a NAT table. The order is Manual NAT, Auto NAT and then After-Auto NAT. Now in such a case, I don't think you need to bother about the deny ACLs in the nat exemption.


If you could tell your exact requirement, then I can comment what can be done on 8.3 for that.


regards,

Prapanch

Sec IT Wed, 09/08/2010 - 06:37

Hi,


My part of the config is given in the attached file..

When I tried to do an 8.3 update, the deny ACE turned into what is given below, but I'm not sure if it really works or not, hence I reverted to the older version 8.2.

Now before I do it again, I would like to confirm the same..


old

nat (server) 0 access-list nat-server

access-list nat-server extended deny ip host 10.16.41.7 any


new

nat (server,server) source static obj-10.16.41.7 obj-10.16.41.7 unidirectional

Sec IT Fri, 09/10/2010 - 22:03

Hi,


I have attached the exact 8.2 config.. please check and let me know...