07-20-2016 06:57 PM - edited 03-12-2019 01:02 AM
Hi,
Need some help here. I've tried to migrate this configuration but I can't manage to solve it.
here is the config 7.2 :
nat (inside) 0 20.84.0.0 255.255.255.0
static (inside,outside) 20.84.0.0 20.84.0.0 netmask 255.255.255.0
static (inside,outside) 20.84.0.0 20.84.0.0 netmask 255.255.0.0
I need to translate this to version 9 or above since I'm using a new ASA model. Before this was a 5505 and now it is a 5506-X.
I have read some links, but I really cannot work out how to accommodate these lines in the new version.
Can you help me?
I appreciate any help to resolve this change in the configuration on the new version.
Thanks in Advance
Firdaus.
07-20-2016 08:48 PM
The first and second ones do mostly the same thing. If there are only inside and outside interfaces then they do exactly the same - exempting 28.84.0.0/24 from NAT. The third one exempts the 28.84.0.0/16 - a superset of the /24 covered in 1 and 2.
So you only really need the third one translated to the new syntax:
object network obj-28.84.0.0_16
subnet 128.84.0.0 255.255.0.0
object network obj-28.84.0.0_16
nat (inside,outside) static obj-28.84.0.0_16
(You can optionally give the network object a more descriptive name.)
Remember to account for any ACLs that may reference the object and adjust them accordingly.
07-20-2016 09:19 PM
Hi Marvin,
Actually I've done this step:
object network obj-28.84.0.0_16
subnet 128.84.0.0 255.255.0.0
object network obj-28.84.0.0_16
nat (inside,outside) static obj-28.84.0.0_16
but I still can't ping from outside to inside.
This is my outside & inside IP:
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 20.84.0.230 255.255.255.0
!
interface GigabitEthernet1/2
nameif outside
security-level 0
ip address 20.84.10.230 255.255.255.0
& the ACL list:
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list outside extended permit ip any any
access-list outside extended permit icmp any any
Is there something wrong with the migrated configuration? I'm really confused.
Thank you for your answer Marvin
07-20-2016 09:24 PM
Have you applied the ACLs?
e.g.
access-group outside in interface outside
If so, please share the output from:
packet-tracer input outside icmp <source of your pings> 1 1 <destination of your pings>
07-20-2016 09:30 PM
I haven't applied the ACLs yet. I thought I just needed to change the NAT only. Do I have to change the ACLs also?
Thank you in advance.
07-20-2016 09:32 PM
Here is the configuration.
access-group inside in interface inside
access-group outside in interface outside
07-20-2016 09:33 PM
If the ACL was already applied with the "access-group" statement, you're OK there.
packet-tracer will show us the problem 9 times out of 10.
07-20-2016 09:41 PM
Hi,
Basically, the ACL is working okay. The NAT is still confusing me. I already applied the one you shared but still can't ping. Any other method?
Thank you Marvin.
07-20-2016 09:44 PM
Please use the packet-tracer and share its output.
07-21-2016 01:49 AM
Hi Marvin,
Here is the output.
84ASA01# packet-tracer input outside icmp 20.84.10.228 1 1 20.84.0.229
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 20.84.0.229 using egress ifc inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit ip any any
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 416, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
84ASA01#
07-21-2016 11:42 AM
We forgot to check the most basic bit: are you inspecting ICMP? That is required to allow the firewall to keep track of this connectionless protocol and allow the replies back in.
Your policy-map should look something like the one below - notice the "inspect icmp" entry. That is needed.
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect pptp
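The state that "inspect icmp" adds is easier to see in code than in a policy-map listing. The tracker below is an added example written for this thread; it is neither Marvin's code nor anything from the ASA, and it models only the behaviour described above: without inspection the firewall keeps no per-request state for echo traffic, so a reply arriving on the other interface passes only if that interface's ACL permits it by itself; with inspection the echo request creates state keyed on (source, destination, identifier, sequence) and exactly one matching reply is allowed back. The addresses are the ones from the packet-tracer earlier in the thread; the packets are constructed and their checksums are left at zero.

```python
"""Stateful ICMP echo tracking, as a model of what 'inspect icmp' provides.
Added example for this thread, not ASA code; packets below are constructed."""
import struct
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8


@dataclass(frozen=True)
class Echo:
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int


def parse_echo(src, dst, payload):
    """Decode the 8-byte ICMP echo header: type, code, checksum, identifier, sequence."""
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", payload[:8])
    return Echo(src, dst, icmp_type, ident, seq)


def echo_bytes(icmp_type, ident, seq):
    """Constructed test packet; the checksum field is zero and not validated here."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)


class IcmpStateTable:
    """inspect=True models 'inspect icmp'; inspect=False models its absence."""

    def __init__(self, inspect=True):
        self.inspect = inspect
        self.pending = set()        # outstanding echo requests

    def decide(self, pkt, acl_permits):
        """Return 'allow' or 'drop'.  acl_permits is the verdict the receiving
        interface's ACL alone would give this packet."""
        if self.inspect and pkt.icmp_type == ECHO_REQUEST and acl_permits:
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        if self.inspect and pkt.icmp_type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)   # a reply is the request reversed
            if key in self.pending:
                self.pending.discard(key)                  # one reply per request
                return "allow"
            return "drop"                                  # unsolicited or duplicate reply
        return "allow" if acl_permits else "drop"          # no state: the ACL decides


def ping_exchange(inspect, reply_acl):
    """Ping from 20.84.10.228 (outside) to 20.84.0.229 (inside) as in the thread's
    packet-tracer, then the reply, a duplicate reply, and a reply with a wrong id.
    reply_acl: whether the inside interface ACL permits the reply by itself."""
    table = IcmpStateTable(inspect)
    request = parse_echo("20.84.10.228", "20.84.0.229", echo_bytes(ECHO_REQUEST, 1, 1))
    reply = parse_echo("20.84.0.229", "20.84.10.228", echo_bytes(ECHO_REPLY, 1, 1))
    stray = parse_echo("20.84.0.229", "20.84.10.228", echo_bytes(ECHO_REPLY, 2, 1))
    return [
        table.decide(request, acl_permits=True),    # outside ACL permits the request
        table.decide(reply, acl_permits=reply_acl),
        table.decide(reply, acl_permits=reply_acl),  # duplicate of the same reply
        table.decide(stray, acl_permits=reply_acl),  # id 2 matches no request
    ]
```

The three cases worth running are `ping_exchange(True, False)` (inspection lets the one matching reply through and drops the duplicate and the stray), `ping_exchange(False, False)` (no state, no ACL permit, the reply is dropped) and `ping_exchange(False, True)` (no state but a permissive ACL: every reply passes, matched or not). That third case is this thread's situation, since both interfaces carry `permit ip any any`, which is why a clean packet-tracer plus `inspect icmp` still leaves the question of whether the inside host itself answers, the check the next reply asks for.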
07-22-2016 12:02 AM
Hi Marvin,
Before this, there was no inspect icmp config & now I've added it to the config.
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
here is the packet tracer output :
84ASA01# packet-tracer input outside icmp 20.84.10.228 1 1 20.84.0.229
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 20.84.0.229 using egress ifc inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit ip any any
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 614, packet dispatched to next module
Result:
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Thank you
07-22-2016 12:26 PM
The ASA output looks OK.
Can you ping the inside host from the ASA itself?
01-25-2017 04:37 AM
Hi Guys,
I am new to ASA firewalls. I replaced an old 5510 with a 5506 running ver 9.6 at our remote branch office, connected through an L2L VPN; however, I'm having issues with some workstations accessing the internet. The old firewall has the following NAT configuration:
access-list nonat extended permit ip [LOCAL PRIVATE IP SUBNET] object-group [Private IP HQ Networks]
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
Can someone help me, as this configuration is not supported in the new ver 9.6?
Thanks a lot.
01-25-2017 04:55 AM
You only have two NAT rules:
1) nat (inside) 0 access-list nonat
Which says: Do not NAT traffic matching access-list nonat - which is:
access-list nonat extended permit ip [LOCAL PRIVATE IP SUBNET] object-group [Private IP HQ Networks]
This translates into the following NAT rule:
object network LocalSubnet
subnet x.x.x.x 255.255.255.0
nat (inside,outside) source static LocalSubnet LocalSubnet destination static RemoteSite RemoteSite no-proxyarp route-lookup
2) global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
Which says, "PAT all inside traffic to the outside interface IP address"
This will be changed to the following:
object network any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
Please check the following guides for reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
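The two migrations in this thread (the identity static NAT from the first post and the nonat exemption plus interface PAT from the last one) follow mechanical rules, so here they are as a small converter. This is an added example written for the thread, not Cisco's migration tool and not code from either reply; it handles only the statement forms that appear on this page. The object names `obj-<net>_<prefix>` and `obj_any` are this example's own convention, the exemption rule is emitted with `no-proxyarp route-lookup` exactly as in the reply above, and the sample addresses and the `HQ-NETS` object-group are constructed placeholders.

```python
"""Translate the pre-8.3 ASA NAT statements in this thread into the object-based
syntax of ASA 8.3+ (9.x included).  Added example, not Cisco's migration tool; it
covers only the forms on this page: identity 'nat 0'/'static X X', exemption
'nat 0 access-list', and 'global ... interface' + 'nat ... 0.0.0.0 0.0.0.0'.
Object names obj-<net>_<prefix> / obj_any are this example's own convention;
the sample addresses and the HQ-NETS group are constructed placeholders."""
import ipaddress
import re

RE_ACL = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
RE_NAT_ACL = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
RE_NAT_NET = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
RE_GLOBAL = re.compile(r"^global \((\S+)\) (\d+) interface$")
RE_STATIC = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")

def _obj(addr, mask):
    """(network, name, defining lines) for a subnet: obj-<addr>_<prefix>, obj_any for 0/0."""
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    name = "obj_any" if net.prefixlen == 0 else f"obj-{net.network_address}_{net.prefixlen}"
    return net, name, [f"object network {name}", f" subnet {net.network_address} {net.netmask}"]

def _endpoint(tok, i):
    """One address spec of a nonat ACE at tok[i]: an existing object/object-group is
    reused as-is, a NET MASK pair becomes a new object ('host'/'any' not handled)."""
    if tok[i] in ("object", "object-group"):
        return tok[i + 1], [], i + 2
    _, name, lines = _obj(tok[i], tok[i + 1])
    return name, lines, i + 2

def migrate_nat(old_lines, egress="outside"):
    """Return 8.3+ config lines.  egress names the interface for the exemption
    rules (the reply above assumes a single 'outside' interface)."""
    acls, statics, nat0, nat_acl, dyn, glob = {}, [], [], [], {}, {}
    for raw in old_lines:
        line = raw.strip()
        if m := RE_ACL.match(line):
            acls.setdefault(m[1], []).append(m[2].split())
        elif m := RE_STATIC.match(line):
            statics.append(m.groups())
        elif m := RE_NAT_ACL.match(line):       # must be tried before RE_NAT_NET
            nat_acl.append((m[1], m[2]))
        elif m := RE_GLOBAL.match(line):
            glob[m[2]] = m[1]
        elif m := RE_NAT_NET.match(line):
            (nat0 if m[2] == "0" else dyn.setdefault(m[2], [])).append((m[1], m[3], m[4]))
    out, defined = [], set()

    def define(lines):          # emit each object definition once, however often referenced
        if lines and lines[0] not in defined:
            defined.add(lines[0])
            out.extend(lines)

    # 1. identity static NAT; a 'nat 0 NET MASK' already covered by a static adds nothing
    ident = {}
    for in_if, out_if, real, mapped, mask in statics:
        if real == mapped:
            ident.setdefault((in_if, out_if), set()).add(_obj(real, mask)[0])
    for in_if, addr, mask in nat0:
        net = _obj(addr, mask)[0]
        if not any(net.subnet_of(n) for (i, _), ns in ident.items() if i == in_if for n in ns):
            ident.setdefault((in_if, "any"), set()).add(net)
    for (in_if, out_if), nets in ident.items():
        for net in sorted(nets, key=lambda n: n.prefixlen):
            if any(net != n and net.subnet_of(n) for n in nets):
                continue                        # e.g. the /24 inside the identity /16
            _, name, lines = _obj(net.network_address, net.netmask)
            define(lines)
            out += [f"object network {name}", f" nat ({in_if},{out_if}) static {name}"]
    # 2. NAT exemption -> twice NAT that keeps source and destination unchanged
    for in_if, acl in nat_acl:
        for tok in acls.get(acl, []):
            src, src_lines, i = _endpoint(tok, 0)
            dst, dst_lines, _ = _endpoint(tok, i)
            for lines in (src_lines, dst_lines):
                define(lines)
            out.append(f"nat ({in_if},{egress}) source static {src} {src} "
                       f"destination static {dst} {dst} no-proxyarp route-lookup")
    # 3. dynamic PAT to the interface named by the matching 'global'
    for nat_id, entries in dyn.items():
        for in_if, addr, mask in (entries if nat_id in glob else []):
            _, name, lines = _obj(addr, mask)
            define(lines)
            out += [f"object network {name}", f" nat ({in_if},{glob[nat_id]}) dynamic interface"]
    return out

# Constructed inputs mirroring the two posts above.
THREAD_POST_1 = [
    "nat (inside) 0 20.84.0.0 255.255.255.0",
    "static (inside,outside) 20.84.0.0 20.84.0.0 netmask 255.255.255.0",
    "static (inside,outside) 20.84.0.0 20.84.0.0 netmask 255.255.0.0",
]
THREAD_POST_2 = [
    "access-list nonat extended permit ip 192.168.10.0 255.255.255.0 object-group HQ-NETS",
    "global (outside) 1 interface",
    "nat (inside) 0 access-list nonat",
    "nat (inside) 1 0.0.0.0 0.0.0.0",
]
```

`migrate_nat(THREAD_POST_1)` collapses the three original lines into a single identity rule for the /16, which is the reduction the first reply made by hand; `migrate_nat(THREAD_POST_2)` produces the exemption rule first and the `obj_any` PAT rule after it, matching the ASA's own evaluation order (twice NAT before object NAT). Whatever a tool emits, confirm the result on the box with `show nat` and a `packet-tracer` for a flow that must stay untranslated and one that must be PATed, since an exemption written with the wrong interface pair will happily translate VPN traffic to the outside address.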