Cisco Support Community
Community Member

ASA 5505 8.3 NAT Migration

Hello,

Has anyone got v8.3 up and running on a 5500 ASA?

My old nat commands are no longer supported and I'm not certain of the best format for the new ones.

I've studied the migration guide but just want to confirm my thoughts.

My nat commands are below.

Thanks.

S.

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp 111.222.333.444 smtp 192.168.1.1 smtp netmask 255.255.255.255
static (inside,outside) tcp 111.222.333.444 https 192.168.1.1 https netmask 255.255.255.255
static (inside,outside) tcp 111.222.333.444 www 192.168.1.1 www netmask 255.255.255.255

2 REPLIES

Re: ASA 5505 8.3 NAT Migration

Hi,

Your thoughts are correct.

For more information, just have a look at the URL below.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1043610

Thanks

Samy

Cisco Employee

Re: ASA 5505 8.3 NAT Migration

Hi Stephen,

Here are a couple of quick examples of what the new config will look like:

Pre-8.3:

global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0

8.3:

object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

Pre-8.3:

static (inside,outside) tcp 111.222.333.444 smtp 192.168.1.1 smtp netmask 255.255.255.255

8.3:

object network obj-192.168.1.1-smtp
 host 192.168.1.1
 nat (inside,outside) static 111.222.333.444 service tcp smtp smtp

Pre-8.3:

nat (inside) 0 access-list nonat

This will depend on what the nonat access-list looks like. Each line in this ACL will become its own manual NAT statement. For example:

object network obj-192.168.1.0-nonat
 subnet 192.168.1.0 255.255.255.0
object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
!
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.1.1.0 obj-10.1.1.0

That will have the equivalent NAT 0 functionality when 192.168.1.0/24 talks to 10.1.1.0/24.

Here is another link that will help illustrate the differences between pre-8.3 and 8.3 NAT config:

https://supportforums.cisco.com/docs/DOC-9129

Hope that helps.

-Mike
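
The three rewrites shown in the reply above, applied mechanically to the original poster's commands, as an added example that is not part of the thread and not a Cisco tool. The `nonat` ACL entry is a constructed sample matching the 10.1.1.0/24 case; `convert` and its `exempt_ifc` parameter are hypothetical names, and the exemption is assumed to face `outside` as in the reply.

```python
# Constructed input: the thread's pre-8.3 commands plus an assumed "nonat"
# ACL entry (the thread does not show the real ACL).
PRE83 = """\
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
static (inside,outside) tcp 111.222.333.444 smtp 192.168.1.1 smtp netmask 255.255.255.255
static (inside,outside) tcp 111.222.333.444 https 192.168.1.1 https netmask 255.255.255.255
"""

def convert(pre83, exempt_ifc="outside"):
    """Return 8.3-style config lines for the three pre-8.3 forms in the thread."""
    rows = [l.split() for l in pre83.splitlines() if l.strip()]
    # "global (ifc) N interface" pools, keyed by NAT id -> mapped interface
    pools = {r[2]: r[1].strip("()") for r in rows
             if r[0] == "global" and r[3] == "interface"}
    acls = {}  # ACL name -> list of [src, smask, dst, dmask]
    for r in rows:
        if r[0] == "access-list" and r[2:5] == ["extended", "permit", "ip"]:
            acls.setdefault(r[1], []).append(r[5:9])
    objs, manual = {}, []

    def net(addr, mask):  # create the subnet object once, return its name
        objs.setdefault(f"obj-{addr}", [f" subnet {addr} {mask}"])
        return f"obj-{addr}"

    for r in rows:
        if r[0] == "nat" and r[2] == "0" and r[3] == "access-list":
            real = r[1].strip("()")  # each ACL line becomes one manual NAT
            for s_ip, s_mask, d_ip, d_mask in acls.get(r[4], []):
                s, d = net(s_ip, s_mask), net(d_ip, d_mask)
                manual.append(f"nat ({real},{exempt_ifc}) source static {s} {s} "
                              f"destination static {d} {d}")
        elif r[0] == "nat" and r[2] in pools:  # dynamic PAT to the interface
            real = r[1].strip("()")
            objs[net(r[3], r[4])].append(f" nat ({real},{pools[r[2]]}) dynamic interface")
        elif r[0] == "static" and r[2] in ("tcp", "udp"):  # port forward
            _, ifcs, proto, m_ip, m_port, r_ip, r_port = r[:7]
            objs[f"obj-{r_ip}-{r_port}"] = [f" host {r_ip}",
                f" nat {ifcs} static {m_ip} service {proto} {r_port} {m_port}"]
    out = []
    for name, body in objs.items():
        out += [f"object network {name}"] + body
    # Manual NAT is evaluated before object NAT, so the exemption wins over PAT.
    return out + manual

if __name__ == "__main__":
    print("\n".join(convert(PRE83)))
```

After 8.3, interface ACLs match the real address, so the outside ACL entries for the published services must name 192.168.1.1 rather than the mapped address.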
