
New Member

Cisco ASA 5512 IOS 9.1 NAT exemption translation from IOS 8.0

I currently have a Cisco ASA 5512 that I am configuring based off an old ASA. The ASA I am configuring is using IOS version 9.1.2 and ASDM version 7, the old ASA is using IOS 8.0 and ASDM 6.3. I was wondering how to translate their current NAT exemption statements to the new 9.1.2 statements:

nat (Private) 0 access-list Private_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0

How would this look in IOS version 9.1.2?

Thanks!

1 ACCEPTED SOLUTION

Super Bronze

Re: Cisco ASA 5512 IOS 9.1 NAT exemption translation from IOS 8.

Hi,

For that the configuration would be

object network SOURCE
 subnet 136.223.0.0 255.255.240.0
object-group network DESTINATION
 network-object 136.223.16.0 255.255.248.0
 network-object 141.254.0.0 255.255.0.0
nat (Private,) source static SOURCE SOURCE destination static DESTINATION DESTINATION

You should add the destination interface to the above configuration. This you can determine according to the current routing table.

You can naturally change the "object" and "object-group" name to better describe the networks. I just used simple names to describe their use.

Again, I am not sure about the "management". You might not need any "nat" configurations for it if it doesn't have any other configurations in the old configuration than the one mentioned above.

- Jouni

6 REPLIES
Super Bronze

Re: Cisco ASA 5512 IOS 9.1 NAT exemption translation from IOS 8.

Hi,

Without seeing the actual "access-list" used in the configuration we can't give an exact answer.

The general format is this

object network SOURCE
 subnet
object network DESTINATION
 subnet
nat (sourceint,destint) source static SOURCE SOURCE destination static DESTINATION DESTINATION

Is the interface "management" NAT configuration above the only NAT configuration for that interface? If so you most likely won't need any NAT configurations in the new software for that interface.

Hope this helps

- Jouni
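The rewrite Jouni describes above (the general format here, and the worked version with the poster's ACL in the accepted solution), as an added Python example that is not part of this thread or of any Cisco tool: it parses the legacy "nat (iface) 0 ..." lines and their ACL entries and emits the 9.1 object / twice-NAT form. The egress interface "outside", the _SRC/_DST object names and the placeholder used when no egress interface is known are my assumptions; the sample config is constructed from the lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the legacy (pre-8.3) NAT exemption lines quoted in the thread.
LEGACY_CONFIG = """\
access-list Private_nat0_outbound extended permit ip 136.223.0.0 255.255.240.0 136.223.16.0 255.255.248.0
access-list Private_nat0_outbound extended permit ip 136.223.0.0 255.255.240.0 141.254.0.0 255.255.0.0
nat (Private) 0 access-list Private_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_ACL_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
NAT0_ALL_RE = re.compile(r"^nat \((\S+)\) 0 0\.0\.0\.0 0\.0\.0\.0$")

def translate_nat0(legacy, dest_iface):
    """Rewrite 'nat (iface) 0 ...' exemptions as 9.1 twice NAT (identity NAT).
    dest_iface maps a source interface to its egress interface (taken from the
    routing table, as the thread advises); unknown ones get a placeholder."""
    aces = defaultdict(list)  # acl name -> [(src, smask, dst, dmask), ...]
    nat0 = []                 # (interface, acl name or None) in config order
    for line in legacy.splitlines():
        if m := ACE_RE.match(line):
            aces[m.group(1)].append(m.groups()[1:])
        elif m := NAT0_ACL_RE.match(line):
            nat0.append(m.groups())
        elif m := NAT0_ALL_RE.match(line):
            nat0.append((m.group(1), None))
    out = []
    for iface, acl in nat0:
        if acl is None:
            # 'nat (x) 0 0.0.0.0 0.0.0.0' exempted everything; since 8.3 traffic
            # with no matching NAT rule is left untranslated, so nothing is emitted.
            out.append(f"! {iface}: legacy 'nat 0 0.0.0.0 0.0.0.0' dropped, no 9.1 rule needed")
            continue
        egress = dest_iface.get(iface, "DEST_IFACE_FROM_ROUTING_TABLE")  # assumed placeholder
        by_src = defaultdict(list)  # one source object per distinct real source
        for src, smask, dst, dmask in aces[acl]:
            by_src[(src, smask)].append((dst, dmask))
        for n, ((src, smask), dsts) in enumerate(by_src.items(), 1):
            s, d = f"{acl}_SRC{n}", f"{acl}_DST{n}"  # assumed naming scheme
            out += [f"object network {s}", f" subnet {src} {smask}", f"object-group network {d}"]
            out += [f" network-object {dst} {dmask}" for dst, dmask in dsts]
            out.append(f"nat ({iface},{egress}) source static {s} {s} destination static {d} {d}")
    return out


if __name__ == "__main__":
    print("\n".join(translate_nat0(LEGACY_CONFIG, {"Private": "outside"})))
```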

New Member

Cisco ASA 5512 IOS 9.1 NAT exemption translation from IOS 8.0

My apologies Jouni, here is a bit more information that might help with this question:

access-list Private_nat0_outbound extended permit ip 136.223.0.0 255.255.240.0 136.223.16.0 255.255.248.0
access-list Private_nat0_outbound extended permit ip 136.223.0.0 255.255.240.0 141.254.0.0 255.255.0.0
nat (Private) 0 access-list Private_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0

New Member

Re: Cisco ASA 5512 IOS 9.1 NAT exemption translation from IOS 8.

Jouni,

Thank you very much for the information, the configuration that you stated above worked. As far as management goes, I remember with 9.1.2 I do not have to specify a "management" NAT statement. I know how to do this now on future statements when configuring NAT. Thanks for your help!

Super Bronze

Cisco ASA 5512 IOS 9.1 NAT exemption translation from IOS 8.0

Hi,

Glad to hear it worked

- Jouni

New Member

I know this is quite old but

I know this is quite old but I ran into the same problem and I think I should post my resolution as found on this link

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html#pgfId-1176608

It says "NAT is not required. If you do not configure NAT for a given set of traffic, that traffic will not be translated, but will have all of the security policies applied as normal"

I think this feature starts from 9.1
