NAT ASA from 8.2 to 9.1

Lee Cobley
Level 1

Hi guys, I am after a bit of advice on static NAT changes. I have just been asked to upgrade an old ASA in a company.

The old rules are (there are rules for translation both ways in the ASA, and a lot of them; IPs have been changed):

static (inside,outside) tcp 123.123.123.123 https 192.168.1.1 https netmask 255.255.255.255
static (inside,outside) tcp 123.123.123.123 smtp 192.168.1.1 smtp netmask 255.255.255.255
static (inside,outside) tcp 123.123.123.123 pop3 192.168.1.1 pop3 netmask 255.255.255.255
static (inside,outside) tcp 123.123.123.123 www 192.168.1.1 www netmask 255.255.255.255   
static (inside,outside) tcp 123.123.123.123 imap4 192.168.1.1 imap4 netmask 255.255.255.255
static (inside,outside) tcp 123.123.123.123 366 192.168.1.1 366 netmask 255.255.255.255
static (inside,outside) tcp 123.123.123.123 465 192.168.1.1 465 netmask 255.255.255.255
static (inside,outside) tcp 123.123.123.123 585 192.168.1.1 585 netmask 255.255.255.255   
static (inside,outside) tcp 123.123.123.123 5229 192.168.1.1 5229 netmask 255.255.255.255
static (inside,outside) tcp 123.123.123.123 993 192.168.1.1 993 netmask 255.255.255.255
static (inside,outside) tcp 123.123.123.123 995 192.168.1.1 995 netmask 255.255.255.255
static (inside,outside) udp 123.123.123.123 32002 192.168.1.1 32002 netmask 255.255.255.255


Now, changing to the new structure, I can see two different ways to do this:

Create an object for each service and the IPs, such as:

object network INT
  host 192.168.1.1

object network EXT
  host 123.123.123.123

object service HTTPS
  service TCP source eq https

Etc.

and then have the rules:

nat (inside,outside) source static INT EXT service HTTPS HTTPS
nat (inside,outside) source static INT EXT service SMTP SMTP
nat (inside,outside) source static INT EXT service POP3 POP3
nat (inside,outside) source static INT EXT service WWW WWW
nat (inside,outside) source static INT EXT service IMAP4 IMAP4
nat (inside,outside) source static INT EXT service PORT-366 PORT-366
nat (inside,outside) source static INT EXT service PORT-465 PORT-465
nat (inside,outside) source static INT EXT service PORT-585 PORT-585
nat (inside,outside) source static INT EXT service PORT-5229 PORT-5229
nat (inside,outside) source static INT EXT service PORT-993 PORT-993
nat (inside,outside) source static INT EXT service PORT-995 PORT-995
nat (inside,outside) source static INT EXT service PORT-32002 PORT-32002


or create a NAT for each rule (I think this is the Cisco-preferred way?):

object network INT
  host 192.168.1.1
  nat (inside,outside) static 123.123.123.123 service tcp www www

Or am I looking at this all wrong?

Thanks for any help

Rgds

Lee

Accepted Solution

jj27
Spotlight

Option 1 would probably be easier for you, because as of now you can only do one NAT statement per object. 

You could also just NAT one-to-one the public IP of 123.123.123.123 to 192.168.1.1 which would cover all ports.  

object network INT
  host 192.168.1.1
  nat (inside,outside) static 123.123.123.123

You'd lose the ability to NAT other ports to different internal IPs on that public IP though.

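Since the question lists a dozen old-style `static` lines and the accepted answer points out two possible shapes for the new configuration (one twice-NAT line per port, or a single one-to-one object NAT when a public IP belongs to exactly one inside host), here is an added conversion script. It is example code written for this page, not Cisco's tool and not something from the thread. Assumptions: the object names (`HOST-...`, `SVC-...`) are this script's own convention; only host (/32) statics are handled; and the service objects use the source-port form that ASA twice NAT expects for a static source translation. The sample input is constructed from a subset of the rules in the question.

```python
"""Convert ASA 8.2-style `static` NAT lines to 8.3+/9.x object-based NAT.

Added example for this thread, not Cisco's code. Object naming is an
assumption of this script; only /32 host statics are supported.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: a subset of the 8.2 rules from the question.
OLD_STATIC_RULES = """\
static (inside,outside) tcp 123.123.123.123 https 192.168.1.1 https netmask 255.255.255.255
static (inside,outside) tcp 123.123.123.123 smtp 192.168.1.1 smtp netmask 255.255.255.255
static (inside,outside) tcp 123.123.123.123 366 192.168.1.1 366 netmask 255.255.255.255
static (inside,outside) udp 123.123.123.123 32002 192.168.1.1 32002 netmask 255.255.255.255
"""

# Constructed counterexample: one public IP shared by two inside hosts, so a
# one-to-one translation would NOT be equivalent (the answer's caveat).
SHARED_IP_RULES = """\
static (inside,outside) tcp 123.123.123.124 www 192.168.1.10 www netmask 255.255.255.255
static (inside,outside) tcp 123.123.123.124 smtp 192.168.1.20 smtp netmask 255.255.255.255
"""

# 8.2 syntax: static (real_if,mapped_if) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port] netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)"
    r"(?: (?P<proto>tcp|udp))?"
    r" (?P<mapped_ip>\S+)(?: (?P<mapped_port>\S+))?"
    r" (?P<real_ip>\S+)(?: (?P<real_port>\S+))?"
    r" netmask (?P<mask>\S+)\s*$"
)


@dataclass(frozen=True)
class StaticRule:
    real_if: str
    mapped_if: str
    proto: Optional[str]      # None for a plain one-to-one static
    mapped_ip: str
    mapped_port: Optional[str]
    real_ip: str
    real_port: Optional[str]


def parse_static_rules(text: str) -> List[StaticRule]:
    """Parse 8.2 `static` lines; reject anything that is not a clean /32 host rule."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = STATIC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable static line: {line!r}")
        g = m.groupdict()
        if g["mask"] != "255.255.255.255":
            raise ValueError(f"only /32 host statics are handled: {line!r}")
        # A protocol keyword requires both ports; no protocol means no ports.
        if (g["proto"] is not None) != (g["mapped_port"] is not None and g["real_port"] is not None):
            raise ValueError(f"inconsistent port fields: {line!r}")
        rules.append(StaticRule(g["real_if"], g["mapped_if"], g["proto"], g["mapped_ip"],
                                g["mapped_port"], g["real_ip"], g["real_port"]))
    return rules


def _net_obj(ip: str) -> str:
    return "HOST-" + ip.replace(".", "-")        # naming convention is an assumption


def _svc_obj(proto: str, port: str) -> str:
    return f"SVC-{proto.upper()}-{port.upper()}"  # naming convention is an assumption


def convert_to_twice_nat(rules: List[StaticRule]) -> str:
    """Option 1 from the question: network/service objects plus one `nat ... source static` per port."""
    objects: Dict[str, List[str]] = {}   # insertion-ordered, so each object is emitted once
    nat_lines: List[str] = []
    for r in rules:
        real, mapped = _net_obj(r.real_ip), _net_obj(r.mapped_ip)
        objects.setdefault(real, [f"object network {real}", f" host {r.real_ip}"])
        objects.setdefault(mapped, [f"object network {mapped}", f" host {r.mapped_ip}"])
        if r.proto is None:
            nat_lines.append(f"nat ({r.real_if},{r.mapped_if}) source static {real} {mapped}")
            continue
        real_svc, mapped_svc = _svc_obj(r.proto, r.real_port), _svc_obj(r.proto, r.mapped_port)
        # For a static *source* translation the port is written as the source port of the service object.
        objects.setdefault(real_svc, [f"object service {real_svc}", f" service {r.proto} source eq {r.real_port}"])
        objects.setdefault(mapped_svc, [f"object service {mapped_svc}", f" service {r.proto} source eq {r.mapped_port}"])
        nat_lines.append(f"nat ({r.real_if},{r.mapped_if}) source static {real} {mapped} "
                         f"service {real_svc} {mapped_svc}")
    out: List[str] = []
    for lines in objects.values():
        out.extend(lines)
    out.extend(nat_lines)
    return "\n".join(out)


def one_to_one_candidates(rules: List[StaticRule]) -> Dict[str, str]:
    """Public IPs that map every port to a single inside host with unchanged ports.

    Only those can be collapsed into the accepted answer's single object NAT; a public IP
    shared across inside hosts, or with rewritten ports, is excluded."""
    groups = defaultdict(list)
    for r in rules:
        groups[(r.real_if, r.mapped_if, r.mapped_ip)].append(r)
    result: Dict[str, str] = {}
    for (real_if, mapped_if, mapped_ip), rs in groups.items():
        real_ips = {r.real_ip for r in rs}
        if len(real_ips) == 1 and all(r.real_port == r.mapped_port for r in rs):
            real_ip = rs[0].real_ip
            name = _net_obj(real_ip)
            result[mapped_ip] = "\n".join([f"object network {name}", f" host {real_ip}",
                                           f" nat ({real_if},{mapped_if}) static {mapped_ip}"])
    return result


if __name__ == "__main__":
    parsed = parse_static_rules(OLD_STATIC_RULES)
    print(convert_to_twice_nat(parsed))
    print("\n! one-to-one candidates (all ports will translate, so keep the ACL tight):")
    for cfg in one_to_one_candidates(parsed).values():
        print(cfg)
```

The parser deliberately rejects any mask other than `255.255.255.255`, which would have caught the `255.255.255.25` typo in the last line of the original post before it reached a device. The one-to-one check implements the answer's caveat mechanically: a public IP is only offered as a single `nat (inside,outside) static` when no other inside host uses it and no port is rewritten, because the collapsed form translates every port, leaving the interface access list as the only thing limiting exposure.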

2 Replies


Great, thanks for the info man
