8.3 policy nat

WILLIAM STEGMAN
Level 4

Hi, I'm trying to convert a policy nat entry from 8.0.x to 8.3 and am hoping someone can check my config.

My old config:

access-list PNAT-A10 remark any Internet hosts to DMZ A10 hosted servers
access-list PNAT-A10 extended permit ip any host 23.23.25.25 (Public IP)

nat (outside) 2 access-list PNAT-A10 outside

global (CustDMZ_1) 2 10.21.5.5 netmask 255.255.255.255

New config:

object network AXA-Citrix-A10_10.21.5.13

host 10.21.5.13
nat (CustDMZ_1,outside) static 23.23.25.25

object network obj-10.21.5.5
host 10.21.5.5

nat (CustDMZ_1,outside) source dynamic any obj-10.21.5.5 destination static AXA-Citrix-A10_10.21.5.13 AXA-Citrix-A10_10.21.5.13

Is this right?  I want to make Internet clients appear as 10.21.5.5 when they hit the public address 23.23.25.25.

thank you,

Bill


Jennifer Halim
Cisco Employee

You are almost right; the interfaces on the NAT statement are the other way round, and the destination should be the public IP address instead of the real IP address. It should be as follows:

object network AXA-Citrix-A10_23.23.25.25

host 23.23.25.25

nat (outside,CustDMZ_1) source dynamic any obj-10.21.5.5 destination  static AXA-Citrix-A10_23.23.25.25 AXA-Citrix-A10_23.23.25.25

Hope that helps.

How does the ASA know how to nat the public IP to the real address, 10.21.5.13, of the AXA-Citrix-A10 host?  Wouldn't I have to create the object and add the real IP somewhere?

Yes, you already have the configuration to statically translate the server to a public ip address.

Here is the config:

object network AXA-Citrix-A10_10.21.5.13

     host 10.21.5.13
     nat (CustDMZ_1,outside) static 23.23.25.25

Could I also ask how disabled split tunneling traffic is now handled so VPN users use the Corporate Internet link?

Old config:

nat (outside) 1 192.168.1.0 255.255.255.0

global (outside) 1 interface

New config:

object network RAVPN_192.168.1.0

subnet 192.168.1.0 255.255.255.0

nat (outside,outside) dynamic interface

thanks again

Yes, the following config posted is correct:

object network RAVPN_192.168.1.0

     subnet 192.168.1.0  255.255.255.0

     nat (outside,outside) dynamic interface

thank you for your help.

Also you can check this document as a reference:

Cisco ASA 5500 Migration Guide for Version 8.3

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html
