Cisco Support Community
ASA Upgrade NAT rules

Hi All,

Please correct me if I am wrong. I am upgrading from 8.0 to 8.4.

One of my customers has NAT rules in 8.0 as below.

For all the access lists referenced below, they used permit ip any any.


nat (inside) 0 access-list xxxxx
nat (outside) 0 access-list xxxx outside
nat (outside100) 0 access-list xxxx outside

nat (inside) 12 0.0.0.0 0.0.0.0
global (outside) 12 interface

After the upgrade I see the rules as below (other rules omitted):


1)nat (inside,any) source static any any no-proxy-arp route-lookup

2)object network obj_any
 subnet 0.0.0.0 0.0.0.0

object network obj_any
 nat (inside,outside) dynamic interface

1) According to my understanding, this rule "1" will be placed first (Section 1) and hence there will be no NAT going on when the customer is going from the inside interface to outside. Is that correct?

2) Can I safely remove all those rules like "1", since they are of no use, as the only NAT that should be happening is between the inside and outside interfaces?

Of course, I do not think the access list should be permit ip any any in the first place, but this is the customer's current config.

Thanks for the advice.
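As an added illustration (not part of the original post and not Cisco code), the following Python model shows how the ASA orders the migrated rules: Section 1 manual (twice) NAT is evaluated before Section 2 object NAT, and the first match wins. It parses the two rule shapes quoted above from a constructed config, reports which rule an inside-to-outside flow matches, and flags the object NAT PAT rule as unreachable while the migrated "nat 0" identity rule is present. The inside host address 10.1.1.5, the extra interface name outside100, and the simplifications (no destination matching, no Section 3 "after-auto" rules) are assumptions of the example.

```python
"""Model of ASA 8.3+ NAT rule ordering (constructed example, not Cisco code).

Only the two rule shapes seen in the thread are parsed:
  Section 1 (manual / twice NAT):
      nat (src_if,dst_if) source static any any [no-proxy-arp] [route-lookup]
  Section 2 (auto / object NAT):
      object network NAME
       subnet ADDRESS MASK
      object network NAME
       nat (src_if,dst_if) dynamic interface
Section 1 is evaluated before Section 2; within a section, first match wins.
Section 3 (manual NAT "after-auto") and destination matching are not modelled.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

MANUAL_RE = re.compile(r"^nat \((\S+),(\S+)\) source static any any\b")
OBJECT_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^subnet (\S+) (\S+)$")
AUTO_RE = re.compile(r"^nat \((\S+),(\S+)\) dynamic interface$")


@dataclass(frozen=True)
class NatRule:
    section: int                   # 1 = manual NAT, 2 = auto (object) NAT
    src_if: str                    # "any" is a wildcard
    dst_if: str
    source: ipaddress.IPv4Network  # original source addresses the rule matches
    action: str                    # "identity" (no translation) or "dynamic-interface" (PAT)
    text: str                      # the config line, for reporting


def parse_nat_config(config: str) -> list[NatRule]:
    """Return NAT rules in the order the ASA evaluates them."""
    rules = []
    objects = {}      # object name -> network (the same object may be re-opened later)
    current = None    # name of the object block we are inside, if any
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := OBJECT_RE.match(line):
            current = m.group(1)
            objects.setdefault(current, None)
        elif (m := SUBNET_RE.match(line)) and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif (m := AUTO_RE.match(line)) and current:
            net = objects.get(current)
            if net is None:
                raise ValueError(f"object {current} has no subnet before its nat line")
            rules.append(NatRule(2, m.group(1), m.group(2), net, "dynamic-interface", line))
        elif m := MANUAL_RE.match(line):
            current = None
            rules.append(NatRule(1, m.group(1), m.group(2), ANY_NET, "identity", line))
        else:
            current = None  # any other line ends the object block
    # Stable sort: Section 1 before Section 2, config order preserved within a section.
    return sorted(rules, key=lambda r: r.section)


def _iface_matches(rule_if: str, actual_if: str) -> bool:
    return rule_if == "any" or rule_if == actual_if


def lookup(rules, src_if, dst_if, src_ip):
    """First rule matching a flow, or None if no NAT rule applies."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if _iface_matches(r.src_if, src_if) and _iface_matches(r.dst_if, dst_if) and ip in r.source:
            return r
    return None


def find_shadowed(rules):
    """(later, earlier) pairs where an earlier rule fully covers a later one, so it never matches."""
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_iface_matches(earlier.src_if, later.src_if)
                    and _iface_matches(earlier.dst_if, later.dst_if)
                    and later.source.subnet_of(earlier.source)):
                pairs.append((later, earlier))
                break
    return pairs


# Constructed from the migrated rules quoted in the question.
MIGRATED_CONFIG = """
nat (inside,any) source static any any no-proxy-arp route-lookup
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 nat (inside,outside) dynamic interface
"""

# The same config with the migrated "nat 0" identity rule removed.
CLEANED_CONFIG = "\n".join(l for l in MIGRATED_CONFIG.splitlines() if "source static" not in l)

if __name__ == "__main__":
    for name, cfg in (("migrated", MIGRATED_CONFIG), ("cleaned", CLEANED_CONFIG)):
        rules = parse_nat_config(cfg)
        hit = lookup(rules, "inside", "outside", "10.1.1.5")  # constructed inside host
        print(f"{name}: inside->outside matches {hit.text if hit else 'no rule'}"
              f" ({hit.action if hit else '-'})")
        for later, earlier in find_shadowed(rules):
            print(f"{name}: '{later.text}' is never reached; shadowed by '{earlier.text}'")
```

Running the script shows the point of question 1: with the migrated identity rule present, every inside-sourced flow hits the Section 1 rule and leaves untranslated, and the Section 2 PAT rule is reported as shadowed; once that rule is removed, inside-to-outside traffic matches the dynamic interface PAT while inside-to-outside100 matches nothing, which is the multi-interface caveat raised in the replies.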
4 REPLIES

Hi Rakesh,

nat (inside) 0 access-list xxxxx

For the above NAT 0 statement, below is the modified NAT rule.

1)nat (inside,any) source static any any no-proxy-arp route-lookup

Check whether this NAT 0 statement is used for any VPN access or for internal user access. If you haven't used it anywhere, you can remove this NAT statement.

2) Can I safely remove all those rules like "1" since they are of no use as the only NAT that should be happening is between the inside and outside interfaces? : If you have only two interfaces on the ASA appliance, then your statement is correct; if you have multiple interfaces, this NAT 0 is applicable to all interfaces on your ASA for traffic originating from the inside interface.

Share your ASA 8.0 running config with me to check whether the NAT 0 statement is associated with any other access.

 

HTH

Sandy 


Hi Sandy,

Below is the config in the old version.

The access-list matches all.

nat (inside) 12 0.0.0.0 0.0.0.0
global (outside) 12 interface

nat (inside) 0 access-list xxxxx
nat (outside) 0 access-list xxxx outside

Don't they contradict each other? I feel the config is wrong, as the access list should be some defined addresses.

Please advise.

Thanks

Hi,

nat (inside) 0 access-list xxxxx

What is your access-list xxxx?

Can you share your ASA config with me?

 

HTH

Sandy


Hi Sandy,

Sorry, due to a security issue I cannot share the config.

The access list is permit ip any any.

Thanks