HELP NO NAT INSIDE--> DMZ ASA FROM 8.2 to 8.3

Sep 21st, 2010

Hi, can you help me.....


OLD 8.2


access-list inside_access_in extended permit tcp 10.27.0.0 255.255.0.0 host 192.168.104.157 object-group DM_INLINE_TCP_45

static (inside,DMZ2) 10.27.0.0 10.27.0.0 netmask 255.255.0.0

Host 192.168.104.157 is behind the DMZ2 interface.

This is the no-NAT config for the net 10.27.0.0 that goes from the inside interface to the DMZ host 192.168.104.157.


NEW 8.3


Here is what I see on translation....


access-list inside_access_in extended permit tcp 10.27.0.0 255.255.0.0 object obj-192.168.104.157 object-group DM_INLINE_TCP_45

access-group inside_access_in in interface inside



object network obj-10.27.0.0
 subnet 10.27.0.0 255.255.0.0

object network obj-10.27.0.0
 subnet 10.27.0.0 255.255.0.0
 nat (inside,DMZ2) static 10.27.0.0

object network obj-192.168.104.157
 host 192.168.104.157
 nat (DMZ2,outside) static 210.19.8.157

object network obj-192.168.104.157
 host 192.168.104.157


I need to know:

1) Is the translation of the config from 8.2 to 8.3 correct???


2) In this object-group DM_INLINE_NETWORK_57, does the network-object refer to the first or the second object network obj-10.27.0.0?
   Must I delete one of the two object network obj-10.27.0.0??? (in the 8.3 config)


  object-group network DM_INLINE_NETWORK_57
    network-object 10.32.0.0 255.255.0.0
    network-object 10.49.0.0 255.255.0.0
    network-object 10.47.0.0 255.255.0.0
    network-object 10.55.0.0 255.255.0.0
    network-object 10.27.0.0 255.255.0.0


3) Also for the object obj-192.168.104.157: in the ACL, does the destination obj-192.168.104.157 refer to the first or the second object obj-192.168.104.157??? Do I need to delete one of these two network objects obj-192.168.104.157????




Thanks very much..... For any question write to me. Thanks a lot, best regards

Jitendriya Athavale (Cisco Employee) Tue, 09/21/2010 - 09:45

The translation looks to be fine.

Are you facing any issues with the translations?

The object groups are created during migration and they need to be present.

Also I am not sure which ACL you are talking about.

In any case I think you have trouble understanding the new NAT rules; here is a doc which will help you by giving a comparative analysis:


https://supportforums.cisco.com/docs/DOC-9129

f.mottini Wed, 09/22/2010 - 01:31

Thanks,

I want to know, for the ACL in the 8.3 config, which obj-192.168.104.157 it uses in the statement, the first or the second???




access-list inside_access_in extended permit tcp 10.27.0.0 255.255.0.0 object obj-192.168.104.157 object-group DM_INLINE_TCP_45
access-group inside_access_in in interface inside

object network obj-192.168.104.157
 host 192.168.104.157
 nat (DMZ2,outside) static 210.19.8.157

object network obj-192.168.104.157
 host 192.168.104.157



Thanks a lot

Divya Sushma Nair (Cisco Employee) Wed, 09/22/2010 - 04:34

You probably have the following static NAT statement in your 8.2 code:


static (DMZ2,outside) 192.168.104.157 210.19.8.157 netmask 255.255.255.255


This would get migrated to:


object network obj-192.168.104.157
host 192.168.104.157
nat (DMZ2,outside) static 210.19.8.157


The inside_access_in access-list is used only for restricting inbound traffic on the inside interface. The NAT in 8.3 does not make use of access-lists.


The two instances each that you see of object network obj-10.27.0.0 and obj-192.168.104.157 are the same - one denotes the network object and the other the auto-nat statement. You need not delete any of the instances.


I hope this answers your query.


-Divya
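As an added example (not from the thread, and not Cisco's migration tool), the following Python script turns the 8.2 `static` lines discussed above into the 8.3 object-NAT form and folds the doubled `object network` blocks into one body per object, which is what Divya's answer says the device actually holds. It assumes the standard 8.2 ordering `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask`; the interface names, object names and the sample `show run` text are constructed from the values quoted in the thread.

```python
import ipaddress
import re
from collections import OrderedDict

# 8.2 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)$")

def migrate_static(line):
    """8.3 lines (object + auto-NAT) for one 8.2 static line. mapped == real
    yields a static identity NAT, the "no NAT" case asked about above."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError("not an 8.2 static NAT line: %r" % line)
    real = ipaddress.ip_network("%s/%s" % (m["real"], m["mask"]), strict=False)
    member = ("host %s" % m["real"] if real.prefixlen == 32
              else "subnet %s %s" % (real.network_address, real.netmask))
    return ["object network obj-%s" % m["real"], " " + member,
            " nat (%s,%s) static %s" % (m["real_ifc"], m["mapped_ifc"], m["mapped"])]

def merge_objects(config):
    """Fold repeated `object network NAME` blocks (printed once in the object
    section and once in the nat section of `show run`) into one body per name."""
    objects = OrderedDict()
    current = None
    for raw in config.splitlines():
        if raw.startswith("object network "):
            current = objects.setdefault(raw.split()[2], [])
        elif raw.startswith(" ") and current is not None:
            if raw.strip() not in current:   # same line printed twice is one line
                current.append(raw.strip())
        else:
            current = None                   # any other top-level line ends a block
    return objects

# Constructed sample mirroring the 8.3 fragment quoted in the thread.
SHOW_RUN_83 = """\
access-list inside_access_in extended permit tcp 10.27.0.0 255.255.0.0 object obj-192.168.104.157 object-group DM_INLINE_TCP_45
object network obj-10.27.0.0
 subnet 10.27.0.0 255.255.0.0
object network obj-10.27.0.0
 subnet 10.27.0.0 255.255.0.0
 nat (inside,DMZ2) static 10.27.0.0
object network obj-192.168.104.157
 host 192.168.104.157
 nat (DMZ2,outside) static 210.19.8.157
object network obj-192.168.104.157
 host 192.168.104.157
"""
```

Running `merge_objects(SHOW_RUN_83)` yields exactly one entry for each of the two object names, each carrying its host/subnet line and its single auto-NAT line.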
