1265 Views, 35 Helpful, 18 Replies

NAT from version 7.2 to 9.6

Hi,

Need some help here. I've tried to migrate this configuration but I couldn't manage to solve it.

Here is the 7.2 config:

nat (inside) 0 20.84.0.0 255.255.255.0

static (inside,outside) 20.84.0.0 20.84.0.0 netmask 255.255.255.0

static (inside,outside) 20.84.0.0 20.84.0.0 netmask 255.255.0.0

I need to translate it to version 9 and above since I'm using a new ASA model. Before this it was a 5505 and now it is a 5506-X.

I have read some links, but I really cannot work out how to accommodate these lines in the new version.

Can you help me?

I appreciate any help to resolve this change in the configuration on the new version.

Thanks in advance,

Firdaus.

18 Replies

Marvin Rhoads
Hall of Fame

The first and second ones do mostly the same thing. If there are only inside and outside interfaces then they do exactly the same - exempting 28.84.0.0/24 from NAT. The third one exempts the 28.84.0.0/16 - a superset of the /24 covered in 1 and 2.

So you only really need the third one translated to the new syntax:

object network obj-20.84.0.0_16
subnet 20.84.0.0 255.255.0.0

object network obj-20.84.0.0_16
nat (inside,outside) static obj-20.84.0.0_16

(You can optionally give the network object a more descriptive name.)

Remember to account for any ACLs that may reference the object and adjust them accordingly.

Hi Marvin,

Actually I've done this step:

object network obj-20.84.0.0_16
subnet 20.84.0.0 255.255.0.0

object network obj-20.84.0.0_16
nat (inside,outside) static obj-20.84.0.0_16

but I still can't ping from outside to inside.

These are my outside & inside IPs:

interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 20.84.0.230 255.255.255.0
!
interface GigabitEthernet1/2
 nameif outside
 security-level 0
 ip address 20.84.10.230 255.255.255.0

& the ACL list:

access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list outside extended permit ip any any
access-list outside extended permit icmp any any

Is there something wrong with the migrated configuration? I'm really confused.

Thank you for your answer Marvin

Have you applied the ACLs?

e.g.

access-group outside in interface outside

If so, please share the output from:

packet-tracer input outside icmp <source of your pings> 1 1 <destination of your pings>

I haven't applied the ACLs yet. I thought I just needed to change the NAT only. Do I have to change the ACLs also?

Thank you in advance.

Here is the configuration.

access-group inside in interface inside
access-group outside in interface outside

If the ACL was already applied with the "access-group" statement, you're OK there.

packet-tracer will show us the problem 9 times out of 10.

Hi,

Basically, the ACL is working okay. The NAT is still confusing me. I already applied the one you shared but still can't ping. Any other method?

Thank you Marvin.

Please use the packet-tracer and share its output.

Hi Marvin,

Here is the output.

84ASA01# packet-tracer input outside icmp 20.84.10.228 1 1 20.84.0.229

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 20.84.0.229 using egress ifc  inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 416, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

84ASA01#

We forgot to check the most basic bit - are you inspecting ICMP? That is required to allow the firewall to keep track of this connectionless protocol and allow the replies back in.

Your policy-map should look something like the one below - notice the "inspect icmp" entry. That is needed.

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect pptp

Hi Marvin,

Before this there was no inspect icmp config, and now I have added it to the config.

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect dns preset_dns_map
  inspect icmp

Here is the packet-tracer output:

84ASA01# packet-tracer input outside icmp 20.84.10.228 1 1 20.84.0.229

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 20.84.0.229 using egress ifc  inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:       
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 614, packet dispatched to next module

Result:
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Thank you

The ASA output looks OK.

Can you ping the inside host from the ASA itself?
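Reading the two traces above by hand is fine once, but the same check is easy to script. The following is an added example, not code from this thread or from Cisco: it parses packet-tracer output into phases, reports the first DROP phase, and for ICMP checks whether an INSPECT phase carries inspect icmp (the point Marvin raised above). SAMPLE_TRACE is a constructed, abbreviated trace in the shape of the second run posted above.

```python
import re

# Constructed sample in the shape of the thread's second packet-tracer run, abbreviated:
# an ICMP echo from outside to inside that passes every phase with "inspect icmp" applied.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
found next-hop 20.84.0.229 using egress ifc  inside

Phase: 2
Type: INSPECT
Result: ALLOW
Config:
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Result:
Action: allow
"""

def parse_phases(trace):
    """Split packet-tracer output into dicts of phase number, type, result and Config text."""
    phases = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        if not block.startswith("Phase:"):
            continue                                  # skip the trailing Result: summary
        f = dict(re.findall(r"^(Phase|Type|Result): *(.*)$", block, re.M))
        cfg = block.partition("Config:\n")[2].partition("Additional Information:")[0]
        phases.append({"phase": int(f["Phase"]), "type": f["Type"],
                       "result": f["Result"], "config": cfg.strip()})
    return phases

def diagnose(trace, protocol):
    """Report the first DROP phase; for icmp also require an INSPECT phase carrying
    'inspect icmp', since without it the ASA keeps no state to admit the echo replies."""
    phases = parse_phases(trace)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    if drop:
        return "drop", "phase %d %s" % (drop["phase"], drop["type"])
    if protocol == "icmp" and not any(p["type"] == "INSPECT" and "inspect icmp" in p["config"]
                                      for p in phases):
        return "warn", "no inspect icmp: replies need an explicit ACL permit"
    return "ok", "all %d phases allowed" % len(phases)
```

Paste the real output of `packet-tracer input outside icmp ... ` into `diagnose(text, "icmp")`; an all-ALLOW trace with the warning is the situation the first trace above was in.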

rory.javarro
Level 1

Hi Guys,

I am new to ASA firewalls. I replaced an old 5510 with a 5506 with ver 9.6 at our remote branch office, connected through an L2L VPN; however I'm having issues with some workstations accessing the internet. The old firewall has the following NAT configuration:

access-list nonat extended permit ip [LOCAL PRIVATE IP SUBNET] object-group [Private IP HQ Networks]

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

Can someone help me, as this configuration is not supported in the new ver 9.6?

Thanks a lot.

You only have two NAT rules:

1) nat (inside) 0 access-list nonat

Which says: Do not NAT traffic matching access-list nonat - which is:

access-list nonat extended permit ip [LOCAL PRIVATE IP SUBNET] object-group [Private IP HQ Networks]

This translates into the following NAT rule:

object network LocalSubnet
subnet x.x.x.x 255.255.255.0

nat (inside,outside) source static LocalSubnet LocalSubnet destination static RemoteSite RemoteSite no-proxyarp route-lookup

2) global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Which says, "PAT all inside traffic to the outside interface IP address"

This will be changed to the following:

object network any
subnet 0.0.0.0 0.0.0.0

nat (inside,outside) dynamic interface

Please check the following guides for reference:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
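Both translations in this thread (Marvin's identity NAT for the static/nat 0 lines in the first question, and the nonat exemption plus interface PAT above) follow mechanical patterns. The script below is an added example, not code from the thread or from Cisco's migration tool: it parses those pre-8.3 forms and emits the 8.3+ object and twice NAT syntax. The sample input fills the thread's [LOCAL PRIVATE IP SUBNET] placeholder with an assumed 192.168.10.0/24 and an assumed object-group name HQ_Networks, and since pre-8.3 nat 0 lines name no egress interface, outside is assumed for them.

```python
import re

# Constructed sample: the pre-8.3 lines quoted in this thread. The nonat ACL's placeholders are
# filled with an assumed 192.168.10.0/24 local subnet and an assumed object-group HQ_Networks.
OLD_CONFIG = """\
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 object-group HQ_Networks
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 20.84.0.0 20.84.0.0 netmask 255.255.0.0
"""

def obj_name(net, mask):
    """Object name in the thread's style, e.g. 20.84.0.0/255.255.0.0 -> obj-20.84.0.0_16."""
    return "obj-%s_%d" % (net, sum(bin(int(o)).count("1") for o in mask.split(".")))

def migrate_nat(old_config, egress="outside"):
    """Translate the pre-8.3 nat/global/static forms seen in this thread into 8.3+ syntax.
    Pre-8.3 'nat 0' lines carry no egress interface, so `egress` is assumed for them."""
    acls, pools, rules, out = {}, {}, [], []
    for line in (l.strip() for l in old_config.splitlines() if l.strip()):
        if m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (?:object-group )?(\S+)$", line):
            acls[m[1]] = (m[2], m[3], m[4])                 # name -> (src net, src mask, dest)
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+)$", line):
            pools[m[2]] = (m[1], m[3])                      # pool id -> (iface, "interface"|addr)
        elif m := re.match(r"nat \((\S+)\) (\d+) (.+)$", line):
            rules.append((m[1], None, m[2], m[3]))
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$", line):
            if m[3] == m[4]:                                # identity static == nat 0 exemption
                rules.append((m[1], m[2], "0", "%s %s" % (m[3], m[5])))
    for inside, outside, pool, arg in rules:
        if arg.startswith("access-list "):                  # nat 0 + ACL -> twice NAT, no translation
            net, mask, dest = acls[arg.split()[1]]
            src = obj_name(net, mask)
            out += ["object network %s" % src, " subnet %s %s" % (net, mask),
                    "nat (%s,%s) source static %s %s destination static %s %s no-proxyarp route-lookup"
                    % (inside, egress, src, src, dest, dest)]
            continue
        net, mask = arg.split()
        obj = obj_name(net, mask)
        out += ["object network %s" % obj, " subnet %s %s" % (net, mask)]
        if pool == "0":                                     # nat 0 <net> <mask> -> identity object NAT
            out.append(" nat (%s,%s) static %s" % (inside, outside or egress, obj))
        else:                                               # nat N + global N interface -> dynamic PAT
            iface, target = pools[pool]
            out.append(" nat (%s,%s) dynamic %s" % (inside, iface, target))
    return out
```

Run `print("\n".join(migrate_nat(OLD_CONFIG)))` to see the three 8.3+ blocks; the destination object-group in the twice NAT line must itself already exist on the new box.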
