HELP NAT upgrade ASA 8.2 to 8.3

Unanswered Question
Sep 21st, 2010

Hi, I have a question about the software upgrade from ASA 8.2 to 8.3.

The problem/question is about NAT

pre-8.3

object-group network DM_68
network-object 10.27.0.0 255.255.0.0
network-object 10.32.0.0 255.255.0.0
network-object 10.47.0.0 255.255.0.0
network-object 192.168.104.0 255.255.255.0
network-object host 192.168.20.1

access-list nonat extended permit ip object-group DM_68 192.168.95.0 255.255.255.128  (no NAT for VPN remote net 192.168.95.0)

nat (inside) 0 access-list nonat
nat (inside) 4 192.168.95.0 255.255.255.128

global (outside) 4 174.49.8.45

8.3 configuration

I removed the access list that is still present (correct?? Must I remove this ACL???)

no access-list nonat extended permit ip object-group DM_68 192.168.95.0 255.255.255.128


network behind the INSIDE interface
object-group network DM_68
network-object 10.27.0.0 255.255.0.0
network-object 10.32.0.0 255.255.0.0
network-object 10.47.0.0 255.255.0.0
network-object 192.168.104.0 255.255.255.0
network-object host 192.168.20.1

nat (inside,any) source static DM_68 DM_68 destination static obj-192.168.95.0 obj-192.168.95.0


I removed unidirectional at the end of the nat line. (Correct to remove unidirectional??)

object network obj-192.168.95.0
subnet 192.168.95.0 255.255.255.128
nat (inside,outside) dynamic 174.49.8.45

I want to know

1) Is the conversion from 8.2 to 8.3 correct?

2) I need that if a packet from the net 192.168.104.0, which is in the DM_68 object group, tries to contact a server in the 192.168.95.0 net, it goes via VPN without NAT,
but if an IP of the net 192.168.104.0 tries to go to the internet it is NATted with the IP 174.49.8.45. Is the 8.3 configuration correct??

Thanks a lot to all

f.mottini Tue, 09/21/2010 - 06:34

Thanks a lot, I have another doubt.

this statement

nat (inside,any) source static DM_68 DM_68 destination static obj-192.168.95.0 obj-192.168.95.0

is only for VPN, so I can refine this statement by changing any to outside

nat (inside,any) source static DM_68 DM_68 destination static obj-192.168.95.0 obj-192.168.95.0

correct?

But is there not a problem with this other statement in the obj-192.168.95.0??

object network obj-192.168.95.0
subnet 192.168.95.0 255.255.255.128
nat (inside,outside) dynamic 174.49.8.45

Thanks a lot, thanks very much

Kureli Sankar Tue, 09/21/2010 - 06:42

Yes, you absolutely can. More specific the better. Plus that destination network only lives off the outside.

-KS

f.mottini Tue, 09/21/2010 - 06:59

Thanks a lot. Next week I will go to the customer to deliver the upgrade. I hope that it all works.

thanks a lot 
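
Added example (not part of the thread and not Cisco code): a small Python model of the order in which ASA 8.3 evaluates the two rules posted above, twice NAT (section 1) before object NAT (section 2), run over constructed flows. The function names and the sample hosts are assumptions; interfaces are not modelled and every flow is assumed to enter on inside.

```python
from ipaddress import ip_address, ip_network

# Objects copied from the 8.3 configuration posted in the thread.
DM_68 = [ip_network(n) for n in (
    "10.27.0.0/16", "10.32.0.0/16", "10.47.0.0/16",
    "192.168.104.0/24", "192.168.20.1/32")]
OBJ_95 = ip_network("192.168.95.0/25")  # obj-192.168.95.0 (mask 255.255.255.128)
PAT_IP = ip_address("174.49.8.45")

# Section 1: manual (twice) NAT, checked first, in configured order.
# nat (inside,any) source static DM_68 DM_68 destination static obj-192.168.95.0 ...
# mapped_src None means identity: the source address is left unchanged.
TWICE_NAT = [{"src": DM_68, "dst": [OBJ_95], "mapped_src": None}]

# Section 2: object (auto) NAT, checked only when no section 1 rule matched.
# object network obj-192.168.95.0 / nat (inside,outside) dynamic 174.49.8.45
# The real (pre-NAT) addresses are the ones defined inside the object itself.
OBJECT_NAT = [{"src": [OBJ_95], "mapped_src": PAT_IP}]


def in_any(addr, nets):
    return any(addr in net for net in nets)


def translate(src, dst):
    """Return (matched section, source address after NAT) for one flow."""
    s, d = ip_address(src), ip_address(dst)
    for rule in TWICE_NAT:
        if in_any(s, rule["src"]) and in_any(d, rule["dst"]):
            mapped = rule["mapped_src"]
            return ("twice-nat", s if mapped is None else mapped)
    for rule in OBJECT_NAT:
        if in_any(s, rule["src"]):
            return ("object-nat", rule["mapped_src"])
    return ("no-nat-rule", s)


if __name__ == "__main__":
    # Constructed flows; 198.51.100.7 is a documentation address standing in
    # for an internet host.
    flows = [("192.168.104.10", "192.168.95.20"),
             ("192.168.104.10", "198.51.100.7"),
             ("192.168.95.10", "198.51.100.7"),
             ("192.168.20.1", "192.168.95.128")]
    for src, dst in flows:
        section, seen_as = translate(src, dst)
        print(f"{src:>15} -> {dst:<15} {section:<12} source seen as {seen_as}")
```

Running the same flows against the pre-8.3 rules is a quick way to compare behaviour before and after the migration, since `nat (inside) 4 192.168.95.0 255.255.255.128` selects the same source range as the object NAT rule.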
