Solved: ASA 5510 8.2 TO 8.3 CONFIG UPGRADE

STYLIANOS DEMETRIOU · ‎07-05-2013

Hello Guys,

I was wondering if someone could help me upgrading the following lines to 8.3 version

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip any host 192.168.22.1

access-list inside_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 192.168.30.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 192.168.10.228 255.255.255.254

access-list inside_nat0_outbound extended permit ip any 192.168.10.224 255.255.255.248

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.228

access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 host 192.168.10.228

P.S Shall i consider changing anything else other than nat statements and access list statements (real ip addresses)?

Many Thanks

Jouni Forss · ‎07-05-2013

Hi,

As I mentioned above,

The 10-networks are just meant to illustrate an example if you had multiple inside networks which you could then group under a single "object-group" and then use that "object-group" in the NAT configurations. Naturally your networks would be completely different.

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

View solution in original post

Jouni Forss · ‎07-05-2013

Hi,

I personally dont like having "any" configured in any NAT configurations.

How many LAN networks do you have behind the "inside" interface?

Could we replace the "any" with the specific network/networks in the new NAT configurations?

- Jouni

STYLIANOS DEMETRIOU · ‎07-05-2013

HI Jouni,

I totally agree with you about "any" statements, however since I have more than 10 Lan networks behind the "inside" network (this is the HQ and all branches pass this firewall) i prefer not to make something that will may cause me problems.

Nevertheless would you be so kind to show me either ways? with any statement and without it in order to better understand the way >8.3 version works.

Many Thanks

Jouni Forss · ‎07-05-2013

Hi,

It shouldnt be a problem if you have several networks though. You will be able to use an "object-group network" under which you specify all those networks and then you can use that "object-group" network in the new NAT configurations.

Lets look at the examples

OLD

There is statements with overlap essentially making them useless
There is statements where the source network and destination network overlap (192.168.10.x)

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip any host 192.168.22.1

access-list inside_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 192.168.30.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 192.168.10.228 255.255.255.254

access-list inside_nat0_outbound extended permit ip any 192.168.10.224 255.255.255.248

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.228

access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 host 192.168.10.228

NEW

10.10.x.0/24 networks are just example LAN networks you might have

object-group network LAN-NETWORKS

network-object 10.10.10.0 255.255.255.0

network-object 10.10.11.0 255.255.255.0

network-object 10.10.12.0 255.255.255.0

network-object 10.10.13.0 255.255.255.0

network-object 10.10.14.0 255.255.255.0

network-object 10.10.15.0 255.255.255.0

object network HOST-192.168.22.1

host 192.168.22.1

object network SUBNET-192.168.20.0-24B

subnet 192.168.20.0 255.255.255.0

object network SUBNET-192.168.30.0-24B

subnet 192.168.30.0 255.255.255.0

object network SUBNET-192.168.10.228-31B

subnet 192.168.10.228 255.255.255.254

object network SUBNET-192.168.10.224-29B

subnet 192.168.10.224 255.255.255.248

object network HOST-192.168.10.228

host 192.168.10.228

object network SUBNET-192.168.10.0-24B

subnet 192.168.10.0 255.255.255.0

object network SUBNET-192.168.3.0-24B

subnet 192.168.3.0 255.255.255.0

nat (inside,outside) source static LAN-NETWORKS LAN-NETWORKS destination static HOST-192.168.22.1 HOST-192.168.22.1

nat (inside,outside) source static LAN-NETWORKS LAN-NETWORKS destination static SUBNET-192.168.20.0-24B SUBNET-192.168.20.0-24B

nat (inside,outside) source static LAN-NETWORKS LAN-NETWORKS destination static SUBNET-192.168.30.0-24B SUBNET-192.168.30.0-24B

nat (inside,outside) source static LAN-NETWORKS LAN-NETWORKS destination static SUBNET-192.168.10.228-31B SUBNET-192.168.10.228-31B

nat (inside,outside) source static LAN-NETWORKS LAN-NETWORKS destination static SUBNET-192.168.10.224-29B SUBNET-192.168.10.224-29B

nat (inside,outside) source static SUBNET-192.168.10.0-24B SUBNET-192.168.10.0-24B destination static HOST-192.168.10.228 HOST-192.168.10.228

nat (inside,outside) source static SUBNET-192.168.3.0-24B SUBNET-192.168.3.0-24B destination static HOST-192.168.10.228 HOST-192.168.10.228

You might be able to replace the "nat" configurations that use LAN-NETWORKS with the below versions

nat (inside,outside) source static any any destination static HOST-192.168.22.1 HOST-192.168.22.1

nat (inside,outside) source static any any destination static SUBNET-192.168.20.0-24B SUBNET-192.168.20.0-24B

nat (inside,outside) source static any any destination static SUBNET-192.168.30.0-24B SUBNET-192.168.30.0-24B

nat (inside,outside) source static any any destination static SUBNET-192.168.10.228-31B SUBNET-192.168.10.228-31B

nat (inside,outside) source static any any destination static SUBNET-192.168.10.224-29B SUBNET-192.168.10.224-29B

But I dont personally configure them this way.

Hope this helps

Please do remember to mark the reply as the correct answer if it answered your question

Ask more if needed

- Jouni

Jouni Forss · ‎07-05-2013

Also,

If you want to read up on some information related to the 8.3+ NAT format then you could take a look at a document I wrote here on the CSC.

https://supportforums.cisco.com/docs/DOC-31116

Here is also a good document comparing the old and new format

https://supportforums.cisco.com/docs/DOC-9129

- Jouni

STYLIANOS DEMETRIOU · ‎07-05-2013

Dear Jouni,

Thank you so much for your assistance.

Regarding below statements

object-group network LAN-NETWORKS

network-object 10.10.10.0 255.255.255.0

network-object 10.10.11.0 255.255.255.0

network-object 10.10.12.0 255.255.255.0

network-object 10.10.13.0 255.255.255.0

network-object 10.10.14.0 255.255.255.0

network-object 10.10.15.0 255.255.255.0

I don't have any 10.x network.. Is this a mistypo ?

Jouni Forss · ‎07-05-2013

Hi,

As I mentioned above,

The 10-networks are just meant to illustrate an example if you had multiple inside networks which you could then group under a single "object-group" and then use that "object-group" in the NAT configurations. Naturally your networks would be completely different.

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

STYLIANOS DEMETRIOU · ‎07-05-2013

Thank you again so much Jouni!