HELP NAT upgrade ASA 8.2 to 8.3

Sep 21st, 2010

Hi, I have a question about the software upgrade from ASA 8.2 to 8.3

The problem/question is about NAT


pre-8.3

object-group network DM_68
network-object 10.27.0.0 255.255.0.0
network-object 10.32.0.0 255.255.0.0
network-object 10.47.0.0 255.255.0.0
network-object 192.168.104.0 255.255.255.0
network-object host 192.168.20.1


access-list nonat extended permit ip object-group DM_68 192.168.95.0 255.255.255.128  (no NAT for VPN remote net 192.168.95.0)


nat (inside) 0 access-list nonat
nat (inside) 4 192.168.95.0 255.255.255.128


global (outside) 4 174.49.8.45


8.3 configuration

I removed the access list that is still present (correct? Must I remove this ACL?)

no access-list nonat extended permit ip object-group DM_68 192.168.95.0 255.255.255.128


network behind the INSIDE interface
object-group network DM_68
network-object 10.27.0.0 255.255.0.0
network-object 10.32.0.0 255.255.0.0
network-object 10.47.0.0 255.255.0.0
network-object 192.168.104.0 255.255.255.0
network-object host 192.168.20.1


nat (inside,any) source static DM_68 DM_68 destination static obj-192.168.95.0 obj-192.168.95.0


I removed unidirectional at the end of the nat line. (Is it correct to remove unidirectional?)


object network obj-192.168.95.0
subnet 192.168.95.0 255.255.255.128
nat (inside,outside) dynamic 174.49.8.45


I want to know


1) Is the conversion from 8.2 to 8.3 correct?

2) I need a packet from the net 192.168.104.0, which is in the DM_68 object group, to go via VPN without NAT when it tries to contact a server in the net 192.168.95.0,
but if an IP of the net 192.168.104.0 tries to go to the internet, it should be NATed with the IP 174.49.8.45. Is the 8.3 configuration correct?


Thanks a lot to all

f.mottini Tue, 09/21/2010 - 06:34

Thanks a lot, I have another doubt.


this statement


nat (inside,any) source static DM_68 DM_68 destination static obj-192.168.95.0 obj-192.168.95.0


is only for VPN, so I can refine this statement by changing any to outside


nat (inside,any) source static DM_68 DM_68 destination static obj-192.168.95.0 obj-192.168.95.0


correct?


But is there not a problem with this other statement in the obj-192.168.95.0?


object network obj-192.168.95.0
subnet 192.168.95.0 255.255.255.128
nat (inside,outside) dynamic 174.49.8.45


Thanks a lot, thanks very much

Kureli Sankar Tue, 09/21/2010 - 06:42
User Badges:
  • Cisco Employee,

Yes, you absolutely can. More specific the better. Plus that destination network only lives off the outside.


-KS

f.mottini Tue, 09/21/2010 - 06:59

Thanks a lot. Next week I will go to the customer to deliver the upgrade. I hope that all works.

thanks a lot 
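
The 8.2-to-8.3 rewrite discussed in this thread, as an added Python example that is not from any poster or from Cisco: it turns each entry of a "nat (if) 0 access-list" exemption into a twice-NAT identity rule plus the network objects it needs. The function names and the mapped_if parameter are assumptions, and the obj-<address> naming follows the thread's own 8.3 lines.

```python
import ipaddress
import re

# Constructed input: the pre-8.3 exemption lines quoted in the thread.
PRE_83 = """\
access-list nonat extended permit ip object-group DM_68 192.168.95.0 255.255.255.128
nat (inside) 0 access-list nonat
"""

def take_addr(tok):
    """Consume one ACL address spec. Returns (object name, definition lines, rest)."""
    if tok[0] == "object-group":           # an existing group is reused by name
        return tok[1], [], tok[2:]
    if tok[0] == "host":
        net, rest = ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    else:                                   # "<address> <netmask>"; bad masks raise
        net, rest = ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]
    name = f"obj-{net.network_address}"    # naming convention seen in the thread
    body = (f" host {net.network_address}" if net.prefixlen == 32
            else f" subnet {net.network_address} {net.netmask}")
    return name, [f"object network {name}", body], rest

def convert(config, mapped_if="any"):
    """Return (object lines, twice-NAT lines, ACEs left for manual review)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    exempt = {}                             # ACL name -> real (inside) interface
    for ln in lines:
        m = re.fullmatch(r"nat \((\S+)\) 0 access-list (\S+)", ln)
        if m:
            exempt[m.group(2)] = m.group(1)
    objects, nats, review = [], [], []
    for ln in lines:
        tok = ln.split()
        if len(tok) < 2 or tok[0] != "access-list" or tok[1] not in exempt:
            continue
        try:
            if tok[2:5] != ["extended", "permit", "ip"]:
                raise ValueError("not a plain permit ip entry")
            src, src_def, rest = take_addr(tok[5:])
            dst, dst_def, rest = take_addr(rest)
            if rest:
                raise ValueError("trailing tokens")
        except (IndexError, ValueError):    # deny, any, malformed: human decision
            review.append(ln)
            continue
        for d in (src_def, dst_def):
            if d and d[0] not in objects:   # define each object only once
                objects += d
        nats.append(f"nat ({exempt[tok[1]]},{mapped_if}) source static {src} {src} "
                    f"destination static {dst} {dst}")
    return objects, nats, review
```

Calling convert(PRE_83, "outside") produces the narrower (inside,outside) form discussed in the replies; entries returned in the review list (deny lines, any, malformed masks) are left for manual conversion.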

