Cisco Support Community
New Member

8.3 policy nat

Hi, I'm trying to convert a policy nat entry from 8.0.x to 8.3 and am hoping someone can check my config.

My old config:

access-list PNAT-A10 remark any Internet hosts to DMZ A10 hosted servers
access-list PNAT-A10 extended permit ip any host 23.23.25.25 (Public IP)

nat (outside) 2 access-list PNAT-A10 outside

global (CustDMZ_1) 2 10.21.5.5 netmask 255.255.255.255

New config:

object network AXA-Citrix-A10_10.21.5.13
host 10.21.5.13
nat (CustDMZ_1,outside) static 23.23.25.25

object network obj-10.21.5.5
host 10.21.5.5

nat (CustDMZ_1,outside) source dynamic any obj-10.21.5.5 destination static AXA-Citrix-A10_10.21.5.13 AXA-Citrix-A10_10.21.5.13

Is this right?  I want to make Internet clients appear as 10.21.5.5 when they hit the public address 23.23.25.25.

thank you,

Bill

7 REPLIES
Cisco Employee

Re: 8.3 policy nat

You are almost right: the interfaces on the NAT statement are the other way round, and the destination should be the public IP address instead of the real IP address. It should be as follows:

object network AXA-Citrix-A10_23.23.25.25
     host 23.23.25.25

nat (outside,CustDMZ_1) source dynamic any obj-10.21.5.5 destination static AXA-Citrix-A10_23.23.25.25 AXA-Citrix-A10_23.23.25.25

Hope that helps.

New Member

Re: 8.3 policy nat

How does the ASA know how to nat the public IP to the real address, 10.21.5.13, of the AXA-Citrix-A10 host?  Wouldn't I have to create the object and add the real IP somewhere?

Cisco Employee

Re: 8.3 policy nat

Yes, you already have the configuration to statically translate the server to a public ip address.

Here is the config:

object network AXA-Citrix-A10_10.21.5.13

     host 10.21.5.13
     nat (CustDMZ_1,outside) static 23.23.25.25
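
Added example, not part of the original thread or any poster's reply: the 8.3 configuration from the replies above collected in one place, followed by ASA commands for checking that it does what the original poster wants. The client address 198.51.100.10, source port 50000 and destination port 443 are constructed test values.

```cisco
! --- Configuration mode: the 8.3 statements given in this thread ---
! Object NAT: publish the real server 10.21.5.13 as 23.23.25.25
object network AXA-Citrix-A10_10.21.5.13
 host 10.21.5.13
 nat (CustDMZ_1,outside) static 23.23.25.25
!
! Address that Internet clients should appear as inside the DMZ
object network obj-10.21.5.5
 host 10.21.5.5
!
! Public address used as the match condition in the twice NAT rule
object network AXA-Citrix-A10_23.23.25.25
 host 23.23.25.25
!
! Twice NAT: traffic arriving on outside for 23.23.25.25 has its source
! translated to 10.21.5.5
nat (outside,CustDMZ_1) source dynamic any obj-10.21.5.5 destination static AXA-Citrix-A10_23.23.25.25 AXA-Citrix-A10_23.23.25.25
!
! --- Privileged EXEC: verification ---
! Simulate an Internet client (constructed address) opening a connection
! to the public IP. Read the UN-NAT and NAT phases of the output to see
! which rule matched and which addresses were rewritten.
packet-tracer input outside tcp 198.51.100.10 50000 23.23.25.25 443 detailed
!
! List the NAT rules in evaluation order with hit counters. Twice NAT
! rules sit in section 1 and are evaluated before the object NAT rules
! in section 2.
show nat detail
!
! Show the translations currently in the table
show xlate
```

For the goal stated in the question, the trace should show the destination rewritten to 10.21.5.13 and the source to 10.21.5.5. If it does not, compare the rule matched in the UN-NAT phase with the order listed by `show nat detail`.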

New Member

Re: 8.3 policy nat

Could I also ask how disabled split tunneling traffic is now handled so VPN users use the Corporate Internet link?

Old config:

nat (outside) 1 192.168.1.0 255.255.255.0

global (outside) 1 interface

New config:

object network RAVPN_192.168.1.0

subnet 192.168.1.0 255.255.255.0

nat (outside,outside) dynamic interface

thanks again

Cisco Employee

Re: 8.3 policy nat

Yes, the following config posted is correct:

object network RAVPN_192.168.1.0

     subnet 192.168.1.0  255.255.255.0

     nat (outside,outside) dynamic interface

New Member

Re: 8.3 policy nat

thank you for your help.

Cisco Employee

Re: 8.3 policy nat

Also you can check this document as a reference:

Cisco ASA 5500 Migration Guide for Version 8.3

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html
