New Member

ASA code 9.2.2 configuration help

hi guys,

I need help really bad here :-(

 

inside network:  10.0.0.0/8, 172.16.0.0/16
dmz network: 192.168.0.0/16
outside network:  4.2.2.2/30 (ISP router is 4.2.2.2/30) and Internet

currently in my 8.2.4(5) ASA code I have:

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
nat (dmz) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface

access-list inside_in permit ip any any log
access-list dmz_in permit ip any any log
access-list outside_in permit icmp any any log
access-list outside_in deny ip any any log

access-group inside_in interface inside in
access-group dmz_in interface dmz in
access-group outside_in interface outside in


How do I convert this configuration into ASA version 9.2.2?


Many thanks in advance.

 

6 REPLIES
Super Bronze

Hi,

 

It seems to me that you might not have attached all the configurations? I don't see any Dynamic PAT configuration for your "inside" interface there.

 

But here is how you can configure the NAT configurations in your new ASA software (if you want to use the above large networks/subnets)

 

object-group network PAT-SOURCE
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.0.0

 

nat (any,outside) after-auto source dynamic PAT-SOURCE interface

 

You won't need any replacement configuration for the "static" commands, as they are just Static Identity NAT configurations, which you won't need in the new software.

 

The ACLs you can keep the same BUT I am not sure if they are configured the best way. For example the DMZ is not really a DMZ if you allow all traffic behind it to any internal networks also. But the mentioned configurations remain unchanged between these versions.

 

I would like to point out, though, that there is a major change in the ACLs with regard to NATed IP addresses. In any software level 8.3+ you will always have to allow traffic towards the real IP address, NOT the NAT IP address as you might be used to in software levels 8.2 (and below).

 

Hope this helps :)

 

- Jouni

New Member

Thank you. I do NOT want to dynamic "hide" NAT anything from "inside" out to the Internet. Does it mean my configuration will look like this:

 

object-group network PAT-SOURCE
 network-object 192.168.0.0 255.255.0.0

 

nat (dmz,outside) after-auto source dynamic PAT-SOURCE interface

Super Bronze

Hi,

 

Yes, that should do it for the DMZ part of the configuration.

 

Are you saying that you have some other device in front of the ASA that possibly does the NAT then?

 

- Jouni

New Member

No, I don't have another device in front of the ASA for NAT. I just don't want inside hosts to have access to the Internet.

I am also very aware of the "access-list dmz_in permit ip any any log" but this is a test lab so it really does not matter :-)

 

Thank you again.  I will test it later today and let you know.

Super Bronze

Ah Ok :)

 

If you want to read some more about the new NAT configuration format, you could take a look at a document I wrote in 2013:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

 

Another document that might be useful to you is this one, which compares the old and new NAT with configuration examples:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

 

Hope this helps :)

 

- Jouni

 

Cisco Employee

Hi,

object network inside-10.0.0.0/8
 subnet 10.0.0.0 255.0.0.0
object network dmz-192.168.0.0/16
 subnet 192.168.0.0 255.255.0.0

object network inside-10.0.0.0/8
 nat (inside,outside) dynamic interface  >>> Added this as I think you might have missed it.
object network dmz-192.168.0.0/16
 nat (dmz,outside) dynamic interface

The Identity NAT statements are not needed:

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

Access rules will remain the same.

Thanks and Regards,

Vibhor Amrodia
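
The migration both Jouni and Vibhor describe above (identity statics dropped, each nat/global pair rewritten as an object network with `nat (in,out) dynamic interface`, access rules left as they are) mechanised as an added example. This is illustrative Python, not a Cisco tool and not code posted in the thread; the regexes, the object-naming scheme and the `OLD_CONFIG` constant are assumptions. The sample constant is the original poster's 8.2 config with the access-group typo corrected. It covers only the statement shapes seen in this thread: non-identity statics, policy NAT and `nat 0` are passed through for manual review rather than translated.

```python
"""Illustrative converter: pre-8.3 ASA NAT syntax -> 8.3+ object NAT.

Added example; not a Cisco tool and not code from this thread. Handles
only the three statement shapes that appear in the thread and passes
everything else (ACLs, access-groups) through unchanged, matching the
advice that access rules stay the same.
"""
import re
from collections import defaultdict

# static (src_if,dst_if) REAL MAPPED netmask MASK
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
# nat (in_if) ID NET MASK
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
# global (out_if) ID interface
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) interface$")

# Constructed sample: the poster's 8.2 config, access-group typo corrected.
OLD_CONFIG = """
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
nat (dmz) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface
access-list inside_in permit ip any any log
access-list dmz_in permit ip any any log
access-list outside_in permit icmp any any log
access-list outside_in deny ip any any log
access-group inside_in interface inside in
access-group dmz_in interface dmz in
access-group outside_in interface outside in
"""


def mask_to_prefix(mask):
    """Dotted-quad netmask -> prefix length; used only to build object names."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def convert(old_config):
    """Return (new_lines, dropped_lines).

    * Identity statics (real == mapped) are dropped: 8.3+ needs no NAT
      statement for traffic that is not translated.
    * Each nat/global pair sharing an ID becomes an object network with
      'nat (in_if,out_if) dynamic interface' (hide PAT to the egress address).
    * Anything else is kept verbatim for manual review.
    """
    nat_rules = defaultdict(list)   # nat ID -> [(in_if, net, mask), ...]
    globals_ = {}                   # nat ID -> outside interface
    passthrough, dropped, new = [], [], []

    for raw in old_config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATIC_RE.match(line)
        if m:
            _src_if, _dst_if, real, mapped, _mask = m.groups()
            # Identity NAT -> drop. A real static translation still needs a
            # hand-written object NAT, so keep it visible in the output.
            (dropped if real == mapped else passthrough).append(line)
            continue
        m = NAT_RE.match(line)
        if m:
            in_if, nat_id, net, mask = m.groups()
            nat_rules[int(nat_id)].append((in_if, net, mask))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            out_if, nat_id = m.groups()
            globals_[int(nat_id)] = out_if
            continue
        passthrough.append(line)

    for nat_id, rules in sorted(nat_rules.items()):
        out_if = globals_.get(nat_id)
        if out_if is None:
            new.append(f"! nat id {nat_id} has no matching 'global'; review manually")
            continue
        for in_if, net, mask in rules:
            # Constructed object name, e.g. dmz-192.168.0.0-16
            name = f"{in_if}-{net}-{mask_to_prefix(mask)}"
            new.append(f"object network {name}")
            new.append(f" subnet {net} {mask}")
            new.append(f" nat ({in_if},{out_if}) dynamic interface")

    new.extend(passthrough)
    return new, dropped


if __name__ == "__main__":
    new_lines, dropped_lines = convert(OLD_CONFIG)
    print("\n".join(new_lines))
    print("\n! dropped identity NAT (not needed in 8.3+):")
    print("\n".join("! " + line for line in dropped_lines))
```

Run against the sample, the two identity statics come out as dropped, the single nat/global pair becomes one object with `nat (dmz,outside) dynamic interface`, and the seven ACL and access-group lines pass through untouched. That is exactly why the access rules can stay the same here: nothing in this config translates an address, so Jouni's 8.3+ caveat (ACLs must name the real address, not the mapped one) has nothing to bite on. Had the old config carried a static to a different mapped address, the ACL referencing that mapped address would need rewriting by hand, which this script deliberately does not attempt.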
