New Member

ASA Config problem

Dear,
 

On the PIX I have the below commands in version 8.2. Now I want to configure these commands on an ASA 5525-X with IOS version 9.1. How can I configure this on the ASA?

static (Inside,DMZ) 10.10.49.13  access-list Inside_nat_1
static (Inside,DMZ) 172.20.7.99  access-list Inside_nat_2


access-list Inside_nat_1 extended permit ip host 172.20.6.52 host 10.50.2.20
access-list Inside_nat_1 extended permit ip host 172.20.6.52 host 10.150.23.20
access-list Inside_nat_1 extended permit ip host 172.20.6.52 host 11.50.11.250
access-list Inside_nat_1 extended permit ip host 172.20.6.52 host 192.168.54.15
access-list Inside_nat_1 extended permit ip host 172.20.6.52 host 172.31.11.218

 

access-list Inside_nat_2 extended permit ip host 172.20.6.52 host 10.1.21.36
access-list Inside_nat_2 extended permit ip host 172.20.6.52 host 10.10.201.3
access-list Inside_nat_2 extended permit ip host 172.20.6.52 host 202.18.123.68
access-list Inside_nat_2 extended permit ip host 172.20.6.52 host 172.232.11.19
access-list Inside_nat_2 extended permit ip host 172.20.6.52 host 10.1.210.188

 

Please help on this.

Regards,

Jitesh MAHAJAN.

VIP Green

Those commands would be translated to the following commands in 8.3 and higher.

object network HOST
  host 172.20.6.52

object network NAT1
  host 10.10.49.13

object network NAT2
  host 172.20.7.99

object-group network DEST1
  network-object host 10.50.2.20
  network-object host 10.150.23.20
  network-object host 11.50.11.250
  network-object host 192.168.54.15
  network-object host 172.31.11.218

object-group network DEST2
  network-object host 10.1.21.36
  network-object host 10.10.201.3
  network-object host 202.18.123.68
  network-object host 172.232.11.19
  network-object host 10.1.210.188

nat (inside,DMZ) source static HOST NAT1 destination static DEST1 DEST1

nat (inside,DMZ) source static HOST NAT2 destination static DEST2 DEST2

--

Please remember to select a correct answer and rate helpful posts

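The conversion described in the answer above, as an added example that is not part of the original thread: a small Python script that reads 8.2 policy static NAT (a `static ... access-list` line plus its host-to-host ACL entries) and emits the 8.3+ objects and twice-NAT rule. The `_real`, `_mapped` and `_dest` object names are assumptions made for this sketch, and it handles only `permit ip host ... host ...` entries.

```python
import re

# Constructed sample input: the first 8.2 mapping from the question, shortened.
PIX_82 = """\
static (Inside,DMZ) 10.10.49.13  access-list Inside_nat_1
access-list Inside_nat_1 extended permit ip host 172.20.6.52 host 10.50.2.20
access-list Inside_nat_1 extended permit ip host 172.20.6.52 host 10.150.23.20
"""

# 8.2 form: static (real_if,mapped_if) mapped_ip access-list NAME
STATIC_RE = re.compile(r"^static \((\S+?),(\S+?)\)\s+(\S+)\s+access-list\s+(\S+)$")
# ACL source is the real host, ACL destination is the peer that triggers the NAT.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip host (\S+) host (\S+)$")


def convert(config):
    """Return 8.3+ twice-NAT lines for each 8.2 policy static NAT statement."""
    statics, acls = [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            name, src, dst = m.groups()
            acls.setdefault(name, []).append((src, dst))
        elif line:
            raise ValueError(f"unsupported line: {line}")
    out = []
    for real_if, mapped_if, mapped_ip, acl in statics:
        entries = acls.get(acl)
        if not entries:
            raise ValueError(f"static references undefined access-list {acl}")
        sources = {src for src, _ in entries}
        if len(sources) != 1:
            raise ValueError(f"{acl}: this sketch expects one real host per ACL")
        out += [f"object network {acl}_real", f" host {sources.pop()}",
                f"object network {acl}_mapped", f" host {mapped_ip}",
                f"object-group network {acl}_dest"]
        out += [f" network-object host {dst}" for _, dst in entries]
        out.append(f"nat ({real_if},{mapped_if}) source static {acl}_real "
                   f"{acl}_mapped destination static {acl}_dest {acl}_dest")
    return out


if __name__ == "__main__":
    print("\n".join(convert(PIX_82)))
```

Unsupported lines raise an error instead of being skipped, so a rule the script cannot translate is never silently dropped from the new configuration.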
New Member

Dear Marius,

Thanks for your reply.

Meanwhile, while searching the Cisco documentation, I found the below format. Can this work in 9.1 IOS?

 

object network Inside_nat_1
 subnet 172.20.6.52 255.255.255.255
 nat (Inside,DMZ) dynamic 10.10.49.13
 exit

object network Inside_nat_2
 subnet 172.20.6.52 255.255.255.255
 nat (Inside,DMZ) dynamic 172.20.7.99
 exit

 

access-list Inside_nat_1 extended permit ip host 172.20.6.52 host 10.50.2.20
access-list Inside_nat_1 extended permit ip host 172.20.6.52 host 10.150.23.20
access-list Inside_nat_1 extended permit ip host 172.20.6.52 host 11.50.11.250
access-list Inside_nat_1 extended permit ip host 172.20.6.52 host 192.168.54.15
access-list Inside_nat_1 extended permit ip host 172.20.6.52 host 172.31.11.218

 

access-list Inside_nat_2 extended permit ip host 172.20.6.52 host 10.1.21.36
access-list Inside_nat_2 extended permit ip host 172.20.6.52 host 10.10.201.3
access-list Inside_nat_2 extended permit ip host 172.20.6.52 host 202.18.123.68
access-list Inside_nat_2 extended permit ip host 172.20.6.52 host 172.232.11.19
access-list Inside_nat_2 extended permit ip host 172.20.6.52 host 10.1.210.188

 

Regards,

Jitesh Mahajan.

VIP Green

No, this will not work the way you want it to work. The following:

object network Inside_nat_1
 subnet 172.20.6.52 255.255.255.255
 nat (Inside,DMZ) dynamic 10.10.49.13

Will only translate 172.20.6.52 to 10.10.49.13. Not to mention the syntax is incorrect as well: you should be using static instead of dynamic in the NAT. Also, though the object will work the way you have it, it is better to use the host keyword instead of subnet.

You need to use the format I provided in the earlier post.

New Member

Dear Marius,

Thanks for the support.

I understand this.

I also have the same command:

old:
static (DMZ,Inside) 10.10.50.94 10.10.10.94 netmask 255.255.255.255
New:
object network obj-10.10.10.94
  host 10.10.50.94
  nat (DMZ,Inside) static 10.10.10.94

Will this work?

Regards,

Jitesh Mahajan.

VIP Green

You have the IPs switched around.  It should look like this:

object network obj-10.10.10.94
  host 10.10.10.94
  nat (DMZ,Inside) static 10.10.50.94

VIP Green

Thank you for the rating :)
New Member

Dear Marius,

Below are the commands from PIX version 8.2. I converted these commands to version 9.1. Is this correct?

Version  8.2

global (Outside) 10 220.226.206.81 netmask 255.255.255.255
global (Outside) 11 220.226.206.231 netmask 255.255.255.255
global (DMZ) 51 172.100.1.1 netmask 255.255.255.255

nat (Inside) 51 access-list Inside_nat_outbound
nat (Inside) 10 access-list Inside_Ti_outbound
nat (DMZ) 11 10.10.52.114 255.255.255.255

access-list Inside_Ti_outbound extended permit icmp host 172.20.1.100 host 220.226.206.1
access-list Inside_Ti_outbound extended permit ip host 10.10.49.40 any
access-list Inside_Ti_outbound extended permit ip host 10.10.49.52 any

access-list Inside_nat_outbound extended permit tcp host 10.24.126.117 host 192.168.100.10 eq 9097
access-list Inside_nat_outbound extended permit tcp host 10.24.126.113 host 192.168.100.10 eq 9097
access-list Inside_nat_outbound extended permit tcp host 10.24.65.19 host 192.168.100.10 eq 9097 inactive

 

Version 9.1

object network DMZ-NAT
 subnet 10.10.52.114 255.255.255.255
 nat (Cust-DMZ,ECS-Outside) dynamic 220.226.206.231

object network INSIDE-51-1
 subnet 10.24.126.117 255.255.255.255
 nat (Inside,DMZ) dynamic 172.100.1.1

object network INSIDE-51-2
 subnet 10.24.126.113 255.255.255.255
 nat (Inside,DMZ) dynamic 172.100.1.1

object network INSIDE-51-3
 subnet 10.24.65.19 255.255.255.255
 nat (Inside,DMZ) dynamic 172.100.1.1
 
object network INSIDE-10-1
 subnet 172.20.1.100 255.255.255.255
 nat (Inside,Outside) dynamic 220.226.206.81

object network INSIDE-10-2
 subnet 10.10.49.40 255.255.255.255
 nat (Inside,Outside) dynamic 220.226.206.81

object network INSIDE-10-3
 subnet 10.10.49.52 255.255.255.255
 nat (Inside,Outside) dynamic 220.226.206.81

 

Regards,

Jitesh Mahajan.

 

VIP Green

The commands would be the following. Please remember to make a backup of your current configuration so you are able to roll back in case this does not work.

object network obj_172_20_1_100
  host 172.20.1.100

object network obj_220_226_206_81
  host 220.226.206.81

object network obj_192_168_100_10
  host 192.168.100.10

object-group network Inside_Ti_outbound
  network-object host 10.10.49.40
  network-object host 10.10.49.52

object-group network Inside_nat_outbound
  network-object host 10.24.126.113
  network-object host 10.24.126.117
  network-object host 10.24.65.19

object network obj_220_226_206_1
  host 220.226.206.1

object network obj_172_100_1_1
  host 172.100.1.1

object network obj_10_10_52_114
  host 10.10.52.114
  nat (DMZ,Outside) dynamic 220.226.206.231

object service 9097
  service tcp destination eq 9097

nat (inside,Outside) source static obj_172_20_1_100 obj_220_226_206_81 destination static obj_220_226_206_1 obj_220_226_206_1

nat (inside,Outside) source static Inside_Ti_outbound obj_220_226_206_81

nat (inside,DMZ) source static Inside_nat_outbound obj_172_100_1_1 destination static obj_192_168_100_10 obj_192_168_100_10 service 9097 9097

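An added example, not part of the original thread: a pre-change check for an 8.3+ NAT fragment that flags three mistakes that are easy to make when hand-converting, namely a `nat` line nested under an `object-group`, a twice-NAT rule naming an object that has not been defined yet, and an unbalanced interface pair. The sample fragment and its object names are constructed, and the keyword list is a simplified assumption, not the full ASA grammar.

```python
import re

# Constructed 8.3+ fragment containing three mistakes (lines 7, 8 and 9).
SAMPLE = """\
object network obj_real
 host 172.20.1.100
object network obj_mapped
 host 220.226.206.81
object-group network obj_dmz_host
 network-object host 10.10.52.114
 nat (DMZ,Outside) dynamic 220.226.206.231
nat (inside,Outside) source static obj_real obj_maped
nat (inside,DMZ source static obj_real obj_mapped
"""

# Tokens on a twice-NAT line that are keywords, not object names (simplified set).
KEYWORDS = {"source", "destination", "static", "dynamic", "service", "any",
            "interface", "after-auto", "unidirectional", "no-proxy-arp",
            "route-lookup", "inactive"}
DEF_RE = re.compile(r"^(object|object-group) (network|service) (\S+)$")
NAT_RE = re.compile(r"^nat \(([^,()\s]+),([^,()\s]+)\) (.+)$")


def lint(config):
    """Return (line_number, message) findings, in file order."""
    defined, findings, parent = set(), [], None
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        top_level = not raw[0].isspace()
        d = DEF_RE.match(line)
        if d:
            parent = d.group(1, 2)       # e.g. ("object", "network")
            defined.add(d.group(3))
            continue
        if line.startswith("nat "):
            m = NAT_RE.match(line)
            if not m:
                findings.append((no, "malformed interface pair"))
            elif not top_level:          # object NAT: must sit under 'object network'
                if parent != ("object", "network"):
                    findings.append((no, "object NAT outside 'object network'"))
            else:                        # twice NAT: names must already be defined
                for tok in m.group(3).split():
                    if tok not in KEYWORDS and tok not in defined:
                        findings.append((no, f"undefined object '{tok}'"))
        if top_level:
            parent = None
    return findings
```

Running `lint()` over the candidate configuration before pasting it into the firewall complements the backup-and-rollback advice in the last reply.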