10-10-2014 03:38 AM - edited 03-11-2019 09:54 PM
hi guys,
I need help really bad here :-(
inside network: 10.0.0.0/8, 172.16.0.0/16
dmz network: 192.168.0.0/16
outside network: 4.2.2.2/30 (ISP router is 4.2.2.2/30) and Internet
currently in my 8.2.4(5) ASA code I have:
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
nat (dmz) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface
access-list inside_in permit ip any any log
access-list dmz_in permit ip any any log
access-list outside_in permit icmp any any log
access-list outside_in deny ip any any log
access-group inside_in interface inside in
access-group dmz_in interface dmz in
access-group outside_in interface outside in
How do I convert this configuration into ASA version 9.2.2?
Many thanks in advance.
10-10-2014 03:58 AM
Hi,
It seems to me that you might not have attached all the configurations? I don't see any Dynamic PAT configuration for your "inside" interface there.
But here is how you can configure the NAT configurations in your new ASA software (if you want to use the above large networks/subnets)
object-group network PAT-SOURCE
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.0.0 255.255.0.0
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
You won't need any replacing configurations for the "static" commands as they are just Static Identity NAT configurations which you won't need in the new software.
The ACLs you can keep the same BUT I am not sure if they are configured the best way. For example the DMZ is not really a DMZ if you allow all traffic behind it to any internal networks also. But the mentioned configurations remain unchanged between these versions.
I would like to point out though that there is a major change in the ACLs with regards to NATed IP addresses. In any software level 8.3+ you will have to allow traffic towards the real IP address always, NOT the NAT IP address as you might be used to in the software levels 8.2 (and below).
Hope this helps :)
- Jouni
10-10-2014 04:01 AM
Thank you. I do NOT want to dynamic "hide" NAT anything from "inside" out to the Internet. Does it mean my configuration will look like this:
object-group network PAT-SOURCE
network-object 192.168.0.0 255.255.0.0
nat (dmz,outside) after-auto source dynamic PAT-SOURCE interface
10-10-2014 04:06 AM
Hi,
Yes, that should do it for the DMZ part of the configuration.
Are you saying that you have some other device in front of the ASA that possibly does the NAT then?
- Jouni
10-10-2014 04:49 AM
No, I don't have another device in front of the ASA for NAT. I just don't want inside hosts to have access to the Internet.
I am also very aware of the "access-list dmz_in permit ip any any log" but this is a test lab so it really does not matter :-)
Thank you again. I will test it later today and let you know.
10-10-2014 04:54 AM
Ah Ok :)
If you want to read some more about the new NAT configuration format you could take a look at a document I wrote in 2013:
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Also a great document for you might be this one that compares the old and new NAT with configuration examples:
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
Hope this helps :)
- Jouni
10-10-2014 04:02 AM
Hi,
object network inside-10.0.0.0/8
subnet 10.0.0.0 255.0.0.0
object network dmz-192.168.0.0/16
subnet 192.168.0.0 255.255.0.0
object network inside-10.0.0.0/8
nat (inside,outside) dynamic interface >>> Added this as I think you might have missed it.
object network dmz-192.168.0.0/16
nat (dmz,outside) dynamic interface
The Identity NAT statements are not needed:
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
Access rules will remain the same.
Thanks and Regards,
Vibhor Amrodia