11-18-2013 09:05 AM - edited 03-11-2019 08:06 PM
I currently have a Cisco ASA 5512 that I am configuring based off an old ASA. The ASA I am configuring is using IOS version 9.1.2 and ASDM version 7, the old ASA is using IOS 8.0 and ASDM 6.3. I was wondering how to translate their current NAT exemption statements to the new 9.1.2 statements:
nat (Private) 0 access-list Private_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
How would this look in IOS version 9.1.2
Thanks!
11-18-2013 09:11 AM
Hi,
Without seeing the actual "access-list" used in the configuration we can't give an exact answer.
The general format is this
object network SOURCE
subnet
object network DESTINATION
subnet
nat (sourceint,destint) source static SOURCE SOURCE destination static DESTINATION DESTINATION
Is the interface "management" NAT configuration above the only NAT configuration for that interface? If so you most likely won't need any NAT configurations in the new software for that interface.
Hope this helps
- Jouni
11-18-2013 09:18 AM
My apologies Jouni, here is a bit more information that might help with this question:
access-list Private_nat0_outbound extended permit ip 136.223.0.0 255.255.240.0 136.223.16.0 255.255.248.0
access-list Private_nat0_outbound extended permit ip 136.223.0.0 255.255.240.0 141.254.0.0 255.255.0.0
nat (Private) 0 access-list Private_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
11-18-2013 09:25 AM
Hi,
For that the configuration would be
object network SOURCE
subnet 136.223.0.0 255.255.240.0
object-group network DESTINATION
network-object 136.223.16.0 255.255.248.0
network-object 141.254.0.0 255.255.0.0
nat (Private,
You should add the destination interface to the above configuration. This you can determine according to the current routing table.
You can naturally change the "object" and "object-group" name to better describe the networks. I just used simple names to describe their use.
Again, I am not sure about the "management". You might not need any "nat" configurations for it if it doesn't have any other configurations in the old configuration than the one mentioned above.
- Jouni
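The translation the thread walks through (an ACL-driven "nat 0" exemption becoming an object, an object-group and an identity twice-NAT rule, with the bare "management" rule dropped), as an added Python helper that is not from the thread or from Cisco. The egress interface name "outside" and the generated object names are assumptions; the sample input is the configuration posted above.

```python
import re

# Constructed sample input: the 8.0-style NAT exemption posted in the thread.
OLD_CONFIG = """\
access-list Private_nat0_outbound extended permit ip 136.223.0.0 255.255.240.0 136.223.16.0 255.255.248.0
access-list Private_nat0_outbound extended permit ip 136.223.0.0 255.255.240.0 141.254.0.0 255.255.0.0
nat (Private) 0 access-list Private_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_ACL_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
NAT0_ANY_RE = re.compile(r"^nat \((\S+)\) 0 0\.0\.0\.0 0\.0\.0\.0$")


def convert_nat_exemption(old_config, dest_iface):
    """Return (new_lines, notes): 8.0 'nat 0' exemptions rewritten as identity twice NAT.

    dest_iface (the egress interface, taken from the routing table) is a caller-supplied
    assumption; each (interface, source subnet) pair yields one object, one group, one rule.
    """
    aces = {}  # ACL name -> [(src_net, src_mask, dst_net, dst_mask), ...]
    for raw in old_config.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces.setdefault(m.group(1), []).append(m.groups()[1:])
    out, notes = [], []
    for raw in old_config.splitlines():
        line = raw.strip()
        if NAT0_ANY_RE.match(line):
            notes.append(f"{line}: dropped; on 8.3+ traffic passes untranslated without a NAT rule")
            continue
        m = NAT0_ACL_RE.match(line)
        if not m or m.group(2) not in aces:
            continue  # not a nat-0 rule, or its access-list is missing from the input
        iface, acl = m.groups()
        sources = {}  # (src_net, src_mask) -> unique destinations in ACE order
        for src_net, src_mask, dst_net, dst_mask in aces[acl]:
            dests = sources.setdefault((src_net, src_mask), [])
            if (dst_net, dst_mask) not in dests:
                dests.append((dst_net, dst_mask))
        for n, ((src_net, src_mask), dests) in enumerate(sources.items(), 1):
            src_obj, dst_grp = f"{iface}_SRC{n}", f"{iface}_DST{n}"
            out += [f"object network {src_obj}", f" subnet {src_net} {src_mask}",
                    f"object-group network {dst_grp}"]
            out += [f" network-object {net} {mask}" for net, mask in dests]
            out.append(f"nat ({iface},{dest_iface}) source static {src_obj} {src_obj} "
                       f"destination static {dst_grp} {dst_grp}")
    return out, notes
```

Review the generated rules against the routing table before pasting them in, since the helper cannot know which interface the exempted destinations are reached through.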
11-18-2013 09:34 AM
Jouni,
Thank you very much for the information, the configuration that you stated above worked. As far as management goes, I remember with 9.1.2 I do not have to specify "management" NAT statement. I know how to do this now on future statements when configuring NAT. Thanks for your help!
11-18-2013 09:36 AM
Hi,
Glad to hear it worked
- Jouni
11-26-2015 04:05 AM
I know this is quite old but I ran into the same problem and I think I should post my resolution as found on this link
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html#pgfId-1176608
It says "NAT is not required. If you do not configure NAT for a given set of traffic, that traffic will not be translated, but will have all of the security policies applied as normal"
I think this feature starts from 9.1