HELP NO NAT INSIDE--> DMZ ASA FROM 8.2 to 8.3

f.mottini · ‎09-21-2010

Ha con you help me.....

OLD 8.2

access-list inside_access_in extended permit tcp 10.27.0.0 255.255.0.0 host 192.168.104.157 object-group DM_INLINE_TCP_45

static (inside,DMZ2) 10.27.0.0 10.27.0.0 netmask 255.255.0.0

host 192.168.104.157 is behind DMZ2 interface

this is no nat config for the net 10.27.0.0 that from inside interface goes to dmz host 192.168.104.157.

NEW 8.3

Here what i see ontranslation....

access-list inside_access_in extended permit tcp 10.27.0.0 255.255.0.0 object obj-192.168.104.157 object-group DM_INLINE_TCP_45

access-group inside_access_in in interface inside

object network obj-10.27.0.0
subnet 10.27.0.0 255.255.0.0

object network obj-10.27.0.0
subnet 10.27.0.0 255.255.0.0
nat (inside,DMZ2) static 10.27.0.0

object network obj-192.168.104.157

host 192.168.104.157

nat (DMZ2,outside) static 210.19.8.157

object network obj-192.168.104.157

host 192.168.104.157

I need to know:

1) is correct the translation of config from 8.2 to 8.3???

2) In this object-group DM_INLINE_NETWORK_57 group the network object is refered to he first or the second object network obj-10.27.0.0?
i must delate one of the two object network obj-10.27.0.0??? (in 8.3 config)

object-group network DM_INLINE_NETWORK_57
    network-object 10.32.0.0 255.255.0.0
    network-object 10.49.0.0 255.255.0.0
    network-object 10.47.0.0 255.255.0.0
    network-object 10.55.0.0 255.255.0.0
    network-object 10.27.0.0 255.255.0.0

3) also for the object obj-192.168.104.157 in the ACL the destination obj-192.168.104.157 is referred to the first or second object obj-192.168.104.157 ??? i need to delete one of this two network obj-192.168.104.157 ????

Thanks a lot vary much.....for any question write to me..thanks a lot best regards

Jitendriya Athavale · ‎09-21-2010

the translation looks to be fine

are you facing any issues with the translations

the object groups are created during migration and they need to be present

also i am not sure which acl are you talking about

in any case i think you have trouble understanding the new nat rules, here is a doc which will help you by giving a comparitive anaylses

https://supportforums.cisco.com/docs/DOC-9129

f.mottini · ‎09-22-2010

Thanks,

i want to know the ACL in 8.3 config which obj-192.168.104.157 use in the statement, the first or the second???

access-list inside_access_in extended permit tcp 10.27.0.0 255.255.0.0 object obj-192.168.104.157 object-group DM_INLINE_TCP_45

access-group inside_access_in in interface inside

object network obj-192.168.104.157

host 192.168.104.157

nat (DMZ2,outside) static 210.19.8.157

object network obj-192.168.104.157

host 192.168.104.157

thanks a lot

Divya Nair · ‎09-22-2010

You probably have the following static NAT statement in your 8.2 code :

static (DMZ2,outside) 192.168.104.157 210.19.8.157 netmask 255.255.255.255

This would get migrated to :

object network obj-192.168.104.157
host 192.168.104.157
nat (DMZ2,outside) static 210.19.8.157

Th inside_access_in access-list is used only for restricting inbound traffic on the inside interface.The NAT in 8.3 does not make use of access-lists.

The two instances each that you see of object network obj-10.27.0.0 and obj-192.168.104.157 are the same - one denotes the network object and the other the auto-nat statement. You need not delete any of the instances.

I hope this answers your query.

-Divya

f.mottini · ‎09-22-2010

yes thanks a lot.