cisco asa 8.3 migrated cmds

secureIT
Level 4

Hi support,

I'm stuck with a few commands in 8.3 while migrating from 8.2;

Could you please let me know how I would convert the below to the 8.3 version..

nat (server) 0 access-list nat-server

access-list nat-server extended deny ip object-group A-NETWORK object-group B-NETWORK

----------

I have done it for the permit ACL in NAT but am not able to find it for the deny one...

For example, below is the right one.

8.2 version

nat (server) 0 access-list nat-server

access-list nat-server extended permit ip object-group GSMC-FORD-SUBNET 172.x.x.0 255.255.255.0

8.3 version

object network obj-172.x.x.0
  subnet 172.x.x.0 255.255.255.0

nat (server,any) source static A-NETWORK A-NETWORK destination static obj-172.x.x.0 obj-172.x.x.0


mirober2
Cisco Employee

Hi Rajesh,

The 8.3 version of your NAT exemption will look something like this (be sure to adjust variables in <>):

object network obj-172.x.x.0
  subnet 172.x.x.0 255.255.255.0
!
object network GSMC-FORD-SUBNET
  subnet
!
nat (server,) source static GSMC-FORD-SUBNET GSMC-FORD-SUBNET destination static obj-172.x.x.0 obj-172.x.x.0

That config should go at the top of the manual NAT section (section 1).

Hope that helps.

-Mike

Thanks Mike for the help...


I agree with the below config.
OLD CONFIG....
nat (server) 0 access-list nat-server
access-list nat-server extended permit ip object-group A-NETWORK 172.x.x.0 255.255.255.0

MIGRATED TO...
object network obj-172.x.x.0
  subnet 172.x.x.0 255.255.255.0
nat (server,any) source static A-NETWORK A-NETWORK destination static obj-172.x.x.0 obj-172.x.x.0


But my query is: what would the below deny ACL be converted to?
OLD CONFIG....
nat (server) 0 access-list nat-server
access-list nat-server extended deny ip object-group A-NETWORK 172.x.x.0 255.255.255.0

MIGRATED TO....

Will permit and deny have the same configuration after migration?

thanks in advance...

Hi Rajesh,

Sorry I missed that. Since we don't use access-lists for NAT in 8.3, you'll need to make sure that your NAT statements don't match the traffic that would have been a "deny" ACE in pre-8.3. As long as the traffic doesn't match the NAT line, it won't follow that translation--this is the 8.3 equivalent of the "deny" ACE.

For example, if you have a 192.168.0.x/24 subnet, but you don't want to NAT exempt the host at 192.168.0.100, you need to use 2 different NAT statements that will exclude the host at 192.168.0.100--one line will match 192.168.0.1 through 192.168.0.99 and one will match 192.168.0.101 through 192.168.0.254. You can use objects with the range keyword to accomplish this:

object network hosts1
  range 192.168.0.1 192.168.0.99
!
object network hosts2
  range 192.168.0.101 192.168.0.254

Hope that helps.

-Mike
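The split Mike describes, as an added helper that is not part of the original thread or of any Cisco tool: it takes the exempted subnet and the hosts a pre-8.3 "deny" ACE excluded, computes the contiguous host ranges around them (generalising the single-host case above to any number of excluded hosts), and renders the 8.3-style range objects plus one manual NAT line per range. The interface names, the destination object name obj-dest and the prefix hosts are assumed inputs, not values from the thread.

```python
import ipaddress
from typing import Iterable, List, Tuple


def exempt_ranges(subnet: str, excluded: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (first, last) host ranges of `subnet` that skip every address
    in `excluded`. Network and broadcast addresses are never included, which
    matches the .1-.99 / .101-.254 split in the post above."""
    net = ipaddress.ip_network(subnet, strict=True)
    skip = {ipaddress.ip_address(h) for h in excluded}
    ranges: List[Tuple[str, str]] = []
    start = prev = None
    for host in net.hosts():
        if host in skip:
            # An excluded host closes the range that was open before it.
            if start is not None:
                ranges.append((str(start), str(prev)))
                start = None
            continue
        if start is None:
            start = host
        prev = host
    if start is not None:
        ranges.append((str(start), str(prev)))
    return ranges


def render_asa(subnet: str, excluded: Iterable[str], src_iface: str,
               dst_iface: str, dst_obj: str, prefix: str = "hosts") -> str:
    """Emit object/range definitions and one 8.3 manual NAT (identity) line per
    range; hosts outside every range match no NAT line, which is the 8.3
    equivalent of the old deny ACE."""
    objects, nat = [], []
    for i, (first, last) in enumerate(exempt_ranges(subnet, excluded), start=1):
        name = f"{prefix}{i}"
        objects += [f"object network {name}", f"  range {first} {last}", "!"]
        nat.append(f"nat ({src_iface},{dst_iface}) source static {name} {name} "
                   f"destination static {dst_obj} {dst_obj}")
    return "\n".join(objects + nat)


if __name__ == "__main__":
    # Constructed input: the /24 from the post with .100 excluded; interface
    # and object names are assumed placeholders.
    print(render_asa("192.168.0.0/24", ["192.168.0.100"], "server", "any", "obj-dest"))
```

Review the rendered lines against the rest of the manual NAT section before pasting them in, since ordering in section 1 still decides which line a packet matches first.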

Hi,

In 8.2 and prior versions, there was a NAT order of operation and in that nat exemption came before anything else. I guess the deny ACL you had was the traffic you did not want to get exempted from NAT.

In 8.3, the NAT order of operation is only based on a NAT table. The order is Manual NAT, Auto NAT and then After-Auto NAT. Now in such a case, I don't think you need to bother about the deny ACLs in the NAT exemption.

If you could tell me your exact requirement, then I can comment on what can be done on 8.3 for that.

regards,

Prapanch

Hi,

My part of the config is given in the attached file..

When I tried to do an 8.3 update, the deny ACE turned into the one given below, but I'm not sure if it really works or not, hence I reverted to the older version 8.2.

Now, before I do it again, I would like to confirm the same..

old

nat (server) 0 access-list nat-server

access-list nat-server extended deny ip host 10.16.41.7 any

new

nat (server,server) source static obj-10.16.41.7 obj-10.16.41.7 unidirectional

Hi,

I have attached the exact 8.2 config.. please check and let me know...

Message was edited by: Nagaraja Thanthry

omar.elmohri
Level 1

Hi,

You may check this link: https://supportforums.cisco.com/docs/DOC-12690

I could fix my NAT problem with this.

Regards,
