09-08-2010 02:54 AM - edited 03-11-2019 11:36 AM
Hi support,
I'm stuck with a few commands in 8.3 while migrating from 8.2;
could you please let me know how I would convert the below to the 8.3 version..
nat (server) 0 access-list nat-server
access-list nat-server extended deny ip object-group A-NETWORK object-group B-NETWORK
----------
I have done it for the permitted ACL in NAT but am not able to find it for the denied one...
For example, below is the right one.
8.2version
nat (server) 0 access-list nat-server
access-list nat-server extended permit ip object-group GSMC-FORD-SUBNET 172.x.x.0 255.255.255.0
8.3version
object network obj-172.x.x.0
subnet 172.x.x.0 255.255.255.0
nat (server,any) source static A-NETWORK A-NETWORK destination static obj-172.x.x.0 obj-172.x.x.0
09-08-2010 05:24 AM
Hi Rajesh,
The 8.3 version of your NAT exemption will look something like this (be sure to adjust variables in <>):
object network obj-172.x.x.0
subnet 172.x.x.0 255.255.255.0
!
object network GSMC-FORD-SUBNET
subnet <network> <mask>
!
nat (server,<interface>) source static GSMC-FORD-SUBNET GSMC-FORD-SUBNET destination static obj-172.x.x.0 obj-172.x.x.0
That config should go at the top of the manual NAT section (section 1).
Hope that helps.
-Mike
09-08-2010 05:41 AM
Thanks Mike for the help...
I agree with the below config
OLD CONFIG....
nat (server) 0 access-list nat-server
access-list nat-server extended permit ip object-group A-NETWORK 172.x.x.0 255.255.255.0
MIGRATED TO...
object network obj-172.x.x.0
subnet 172.x.x.0 255.255.255.0
nat (server,any) source static A-NETWORK A-NETWORK destination static obj-172.x.x.0 obj-172.x.x.0
But my query is: what would the below deny ACL be converted to?
OLD CONFIG....
nat (server) 0 access-list nat-server
access-list nat-server extended deny ip object-group A-NETWORK 172.x.x.0 255.255.255.0
MIGRATED TO....
Will permit and deny have the same configuration after migration?
Thanks in advance...
09-08-2010 05:52 AM
Hi Rajesh,
Sorry I missed that. Since we don't use access-lists for NAT in 8.3, you'll need to make sure that your NAT statements don't match the traffic that would have been a "deny" ACE in pre-8.3. As long as the traffic doesn't match the NAT line, it won't follow that translation--this is the 8.3 equivalent of the "deny" ACE.
For example, if you have a 192.168.0.x/24 subnet, but you don't want to NAT exempt the host at 192.168.0.100, you need to use 2 different NAT statements that will exclude the host at 192.168.0.100--one line will match 192.168.0.1 through 192.168.0.99 and one will match 192.168.0.101 through 192.168.0.254. You can use objects with the range keyword to accomplish this:
object network hosts1
range 192.168.0.1 192.168.0.99
!
object network hosts2
range 192.168.0.101 192.168.0.254
Hope that helps.
-Mike
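The range-splitting Mike describes, as an added example that is not part of the thread or of any Cisco tooling: a small Python script that takes the subnet a pre-8.3 `nat 0 access-list` permitted and the hosts its deny ACEs excluded, splits the usable addresses into the contiguous ranges that remain (Mike's .1-.99 and .101-.254), and emits the 8.3 `object network` definitions plus one identity manual-NAT line per range. It generalises to several excluded hosts and to an excluded host at the edge of the subnet. The interface names, object-name prefix and destination object used here are assumptions for illustration, not values from the original configuration.

```python
# Added example, not from the thread or from Cisco: reproduce a pre-8.3
# "nat 0 access-list" exemption whose ACL contained deny ACEs.  ASA 8.3 NAT
# has no deny; an excluded host must simply fall outside every NAT rule, so
# the permitted subnet is split into the ranges around each excluded host
# and one identity manual-NAT line is emitted per range.
# Interface names, object names and the destination object below are
# assumptions for illustration, not values from the original configuration.
import ipaddress


def excluded_ranges(subnet, excluded):
    """Usable hosts of `subnet` minus `excluded`, as a list of
    (first, last) address strings in ascending order.  Network and broadcast
    addresses are left out, as in Mike's .1-.254 example."""
    net = ipaddress.ip_network(subnet, strict=True)
    skip = {ipaddress.ip_address(h) for h in excluded}
    ranges, start, prev = [], None, None
    for host in net.hosts():
        if host in skip:
            if start is not None:       # close the run that ends before this host
                ranges.append((str(start), str(prev)))
                start = None
        else:
            if start is None:           # open a new contiguous run
                start = host
            prev = host
    if start is not None:               # run that reaches the end of the subnet
        ranges.append((str(start), str(prev)))
    return ranges


def render_nat_exemption(src_iface, dst_iface, subnet, excluded, dst_object,
                         prefix="hosts"):
    """Emit 8.3 object definitions plus one identity (exemption) manual-NAT
    line per surviving range.  A range of a single address is written as a
    `host` object, the natural object form for one IP."""
    objects, nat = [], []
    for n, (first, last) in enumerate(excluded_ranges(subnet, excluded), start=1):
        name = f"{prefix}{n}"
        body = f" host {first}" if first == last else f" range {first} {last}"
        objects += [f"object network {name}", body, "!"]
        nat.append(
            f"nat ({src_iface},{dst_iface}) source static {name} {name} "
            f"destination static {dst_object} {dst_object}"
        )
    return "\n".join(objects + nat)


if __name__ == "__main__":
    # Mike's case: exempt 192.168.0.0/24 except .100.  "obj-172.x.x.0" stands
    # for the destination object from the thread; the interfaces are assumed.
    print(render_nat_exemption("inside", "server", "192.168.0.0/24",
                               ["192.168.0.100"], "obj-172.x.x.0"))
```

Paste the printed objects and `nat` lines into section 1 (manual NAT) in the order shown; because the excluded host matches neither range object, it never hits an identity rule and is therefore translated by whatever later rule applies, which is the 8.3 equivalent of the old deny ACE.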
09-08-2010 06:00 AM
Hi,
In 8.2 and prior versions there was a NAT order of operation, and in it NAT exemption came before anything else. I guess the deny ACL you had was for the traffic you did not want to get exempted from NAT.
In 8.3, the NAT order of operation is based only on a NAT table. The order is Manual NAT, Auto NAT and then After-Auto NAT. Now in such a case, I don't think you need to bother about the deny ACLs in the NAT exemption.
If you could tell your exact requirement, then i can comment what can be done on 8.3 for that.
regards,
Prapanch
09-08-2010 06:37 AM
Hi,
My part of the config is given in the attached file..
When I tried to do an 8.3 update, the deny ACE turned into what is given below, but I am not sure if it really works or not, hence I reverted to the older version 8.2.
Now, before I do it again, I would like to confirm the same..
old
nat (server) 0 access-list nat-server
access-list nat-server extended deny ip host 10.16.41.7 any
new
nat (server,server) source static obj-10.16.41.7 obj-10.16.41.7 unidirectional
09-10-2010 10:03 PM
Hi,
I have attached the exact 8.2 config.. please check and let me know...
09-11-2010 12:34 AM
.
Message was edited by: Nagaraja Thanthry
09-12-2010 09:55 PM
Hi,
You may check this link: https://supportforums.cisco.com/docs/DOC-12690
I could fix my NAT problem with this.
Regards,