ASA code 9.2.2 configuration help

cciesec2011
Level 3

Hi guys,

I need help really bad here :-(

inside network:  10.0.0.0/8, 172.16.0.0/16
dmz network: 192.168.0.0/16
outside network:  4.2.2.2/30 (ISP router is 4.2.2.2/30) and Internet

Currently, in my 8.2.4(5) ASA code I have:

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
nat (dmz) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface

access-list inside_in permit ip any any log
access-list dmz_in permit ip any any log
access-list outside_in permit icmp any any log
access-list outside_in deny ip any any log

access-group inside_in interface inside in
access-group dmz_in interface dmz in
access-group outside_in interface outside in

How do I convert this configuration into ASA version 9.2.2?

Many thanks in advance.

6 Replies

Jouni Forss
VIP Alumni

Hi,

It seems to me that you might not have attached all the configurations? I don't see any Dynamic PAT configuration for your "inside" interface there.

But here is how you can configure the NAT configurations in your new ASA software (if you want to use the above large networks/subnets):

object-group network PAT-SOURCE
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.0.0

nat (any,outside) after-auto source dynamic PAT-SOURCE interface

You won't need any replacing configurations for the "static" commands, as they are just Static Identity NAT configurations which you won't need in the new software.

The ACLs you can keep the same, BUT I am not sure if they are configured the best way. For example, the DMZ is not really a DMZ if you allow all traffic behind it to any internal networks also. But the mentioned configurations remain unchanged between these versions.

I would like to point out, though, that there is a major change in the ACLs with regards to NATed IP addresses. In any software level 8.3+ you will always have to allow traffic towards the real IP address, NOT the NAT IP address as you might be used to in the software levels 8.2 (and below).

Hope this helps :)

- Jouni

Thank you. I do NOT want to dynamic "hide" NAT anything from "inside" out to the Internet. Does it mean my configuration will look like this:

object-group network PAT-SOURCE
 network-object 192.168.0.0 255.255.0.0

nat (dmz,outside) after-auto source dynamic PAT-SOURCE interface

Hi,

Yes, that should do it for the DMZ part of the configuration.

Are you saying that you have some other device in front of the ASA that possibly does the NAT then?

- Jouni

No, I don't have another device in front of the ASA for NAT. I just don't want inside hosts to have access to the Internet.

I am also very aware of the "access-list dmz_in permit ip any any log", but this is a test lab so it really does not matter :-)

Thank you again. I will test it later today and let you know.

Ah, OK :)

If you want to read some more about the new NAT configuration format, you could take a look at a document I wrote in 2013:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Also a great document for you might be this one that compares the old and new NAT with configuration examples:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Hope this helps :)

- Jouni

Vibhor Amrodia
Cisco Employee

Hi,

object network inside-10.0.0.0/8
 subnet 10.0.0.0 255.0.0.0
object network dmz-192.168.0.0/16
 subnet 192.168.0.0 255.255.0.0
object network inside-10.0.0.0/8
 nat (inside,outside) dynamic interface   >>> Added this as I think you might have missed it.
object network dmz-192.168.0.0/16
 nat (dmz,outside) dynamic interface

The Identity NAT statements are not needed:

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

Access rules will remain the same.

Thanks and Regards,

Vibhor Amrodia
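The two answers above apply the same two rules by hand: identity `static` lines disappear in 8.3+, and each `nat`/`global` pair becomes a network object carrying its own `nat ... dynamic` rule. As an added example (not Cisco's code and not the posters' configuration), the script below applies those rules mechanically to the original post's 8.2 NAT lines and prints the 8.3+ object NAT. The object names (`obj-...`, `pool-...`) are the script's own convention, it assumes each `nat` ID pairs with a `global` on one interface, and it deliberately leaves `nat 0` (exemption) and any non-NAT line, such as the ACLs, in a review list rather than guessing, since the ACLs must be checked against Jouni's real-IP rule by hand.

```python
"""Pre-8.3 ASA NAT (static / nat / global) -> 8.3+ object NAT converter.

Added example; not Cisco's code and not the posters' configuration. The
object names (obj-..., pool-...) are this script's own convention.
"""
import re
from collections import defaultdict

# Constructed sample: the NAT lines from the thread's original 8.2 config.
LEGACY_CONFIG = """\
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
nat (dmz) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
# nat (real_ifc) nat_id real_net mask
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
# global (mapped_ifc) nat_id {interface | ip | ip-ip}
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")


def mask_to_prefix(mask):
    """Dotted-quad mask to prefix length: 255.255.0.0 -> 16."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def network_object(real_if, net, mask):
    """Name and defining lines of a network object for a real subnet or host."""
    name = f"obj-{real_if}-{net}_{mask_to_prefix(mask)}"
    member = f" host {net}" if mask == "255.255.255.255" else f" subnet {net} {mask}"
    return name, [f"object network {name}", member]


def pool_object(pool):
    """Mapped side of a 'global' line: 'interface' stays a keyword; an address
    or range becomes its own object, since 8.3+ dynamic NAT takes no bare IP."""
    if pool == "interface":
        return "interface", []
    name = f"pool-{pool}"
    if "-" in pool:
        lo, hi = pool.split("-", 1)
        return name, [f"object network {name}", f" range {lo} {hi}"]
    return name, [f"object network {name}", f" host {pool}"]


def convert(text):
    """Return (new_config_lines, dropped_identity_statics, lines_for_manual_review)."""
    statics, nats, pools, review = [], defaultdict(list), defaultdict(list), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := STATIC_RE.match(line):
            statics.append((line, *m.groups()))
        elif m := NAT_RE.match(line):
            real_if, nat_id, net, mask = m.groups()
            if nat_id == "0":
                review.append(line)   # nat 0 = exemption / no-NAT: different semantics
            else:
                nats[nat_id].append((real_if, net, mask))
        elif m := GLOBAL_RE.match(line):
            mapped_if, nat_id, pool = m.groups()
            pools[nat_id].append((mapped_if, pool))
        else:
            review.append(line)       # ACLs etc.: not NAT, check real-IP rule by hand

    out, dropped, emitted_pools = [], [], set()
    for line, real_if, mapped_if, mapped, real, mask in statics:
        if mapped == real:            # identity static: implicit in 8.3+, drop it
            dropped.append(line)
            continue
        _, lines = network_object(real_if, real, mask)
        out += lines + [f" nat ({real_if},{mapped_if}) static {mapped}"]
    for nat_id, entries in nats.items():
        if nat_id not in pools:       # nat with no matching global never translated
            review += [f"nat ({r}) {nat_id} {n} {mk}" for r, n, mk in entries]
            continue
        for mapped_if, pool in pools[nat_id]:
            pool_name, pool_lines = pool_object(pool)
            if pool_lines and pool_name not in emitted_pools:
                out += pool_lines
                emitted_pools.add(pool_name)
            for real_if, net, mask in entries:
                _, lines = network_object(real_if, net, mask)
                out += lines + [f" nat ({real_if},{mapped_if}) dynamic {pool_name}"]
    return out, dropped, review


if __name__ == "__main__":
    new, dropped, review = convert(LEGACY_CONFIG)
    print("\n".join(new))
    print("# dropped identity statics:", *dropped, sep="\n#   ")
    print("# review by hand:", *review, sep="\n#   ")
```

Run on the original post's lines it emits exactly one object, `obj-dmz-192.168.0.0_16` with `nat (dmz,outside) dynamic interface`, which is the DMZ-only result the asker settled on with Jouni, and reports the two identity statics as dropped. Whether the inside networks should also get a dynamic rule (Vibhor's addition) is a policy decision, not something the old config expresses, so the script does not invent one.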
