cisco asa 8.3 migrated cmds

secureIT
Level 4

Hi support,

I'm stuck with a few cmds in 8.3 while migrating from 8.2;

Could you please let me know how I would convert the below to the 8.3 version?

nat (server) 0 access-list nat-server

access-list nat-server extended deny ip object-group A-NETWORK object-group B-NETWORK

----------

I have done it for the allowed ACL in NAT but I am not able to find it for the denied one...

For example, below is the right one.

8.2 version

nat (server) 0 access-list nat-server

access-list nat-server extended permit ip object-group GSMC-FORD-SUBNET 172.x.x.0 255.255.255.0

8.3 version

object network obj-172.x.x.0
  subnet 172.x.x.0 255.255.255.0
nat (server,any) source static A-NETWORK A-NETWORK destination static obj-172.x.x.0 obj-172.x.x.0

8 Replies

mirober2
Cisco Employee

Hi Rajesh,

The 8.3 version of your NAT exemption will look something like this (be sure to adjust variables in <>):

object network obj-172.x.x.0
  subnet 172.x.x.0 255.255.255.0
!
object network GSMC-FORD-SUBNET
  subnet
!
nat (server,) source static GSMC-FORD-SUBNET GSMC-FORD-SUBNET destination static obj-172.x.x.0 obj-172.x.x.0

That config should go at the top of the manual NAT section (section 1).

Hope that helps.

-Mike

Thanks Mike for the help...


I agree with the below config
OLD CONFIG....
nat (server) 0 access-list nat-server
access-list nat-server extended permit ip object-group A-NETWORK 172.x.x.0 255.255.255.0

MIGRATED TO...
object network obj-172.x.x.0
  subnet 172.x.x.0 255.255.255.0
nat (server,any) source static A-NETWORK A-NETWORK destination static obj-172.x.x.0 obj-172.x.x.0


But my query is: what would the below deny ACL be converted to?
OLD CONFIG....
nat (server) 0 access-list nat-server
access-list nat-server extended deny ip object-group A-NETWORK 172.x.x.0 255.255.255.0

MIGRATED TO....

Will permit & deny have the same configuration after migration?

thanks in advance...

Hi Rajesh,

Sorry I missed that. Since we don't use access-lists for NAT in 8.3, you'll need to make sure that your NAT statements don't match the traffic that would have been a "deny" ACE in pre-8.3. As long as the traffic doesn't match the NAT line, it won't follow that translation--this is the 8.3 equivalent of the "deny" ACE.

For example, if you have a 192.168.0.x/24 subnet, but you don't want to NAT exempt the host at 192.168.0.100, you need to use 2 different NAT statements that will exclude the host at 192.168.0.100--one line will match 192.168.0.1 through 192.168.0.99 and one will match 192.168.0.101 through 192.168.0.254. You can use objects with the range keyword to accomplish this:

object network hosts1
  range 192.168.0.1 192.168.0.99
!
object network hosts2
  range 192.168.0.101 192.168.0.254

Hope that helps.

-Mike
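The range-splitting approach in the reply above can be mechanised. The following is an added example (Python, not from the original thread or from Cisco) that takes an exempted source subnet, the hosts that were "deny" ACEs in the 8.2 nat 0 access-list, and the destination subnet, and emits the 8.3 object and manual NAT lines. Interface names (server, outside), object-name prefix NATEX and the sample addresses are assumptions for illustration; the NAT line shape is the standard 8.3 twice-NAT identity form used elsewhere in this thread.

```python
"""Added example (not from the original thread): generate ASA 8.3 manual NAT
exemption lines that reproduce an 8.2 'nat 0 access-list' containing deny ACEs.

8.3 has no 'deny' in NAT, so the exempted source subnet is split into 'range'
objects that skip the denied hosts; a denied host then matches no exemption
line and falls through to the rest of the NAT table.  Interface names, object
names and the sample addresses below are assumptions for illustration.
"""
import ipaddress
from typing import List, Tuple


def exclude_hosts(subnet: str, denied: List[str]) -> List[Tuple[str, str]]:
    """Return the contiguous (first, last) host ranges of `subnet` that remain
    after removing every address in `denied`.  Network and broadcast addresses
    are never included, matching the .1-.254 ranges used in the thread."""
    net = ipaddress.ip_network(subnet, strict=False)
    bad = {ipaddress.ip_address(h) for h in denied}
    ranges: List[Tuple[str, str]] = []
    start = last = None
    for host in net.hosts():
        if host in bad:
            if start is not None:          # close the range we were building
                ranges.append((str(start), str(last)))
            start = None
        else:
            if start is None:              # open a new range
                start = host
            last = host
    if start is not None:
        ranges.append((str(start), str(last)))
    return ranges


def render_nat_exemption(real_if: str, mapped_if: str, src_subnet: str,
                         denied_src_hosts: List[str], dst_subnet: str,
                         prefix: str = "NATEX") -> List[str]:
    """Emit the 8.3 object definitions plus one identity twice-NAT line
    ('source static X X destination static Y Y') per surviving source range.
    These lines belong at the top of the manual NAT section (section 1)."""
    lines: List[str] = []
    src = ipaddress.ip_network(src_subnet, strict=False)
    dst = ipaddress.ip_network(dst_subnet, strict=False)
    dst_obj = f"{prefix}-DST"
    lines += [f"object network {dst_obj}",
              f" subnet {dst.network_address} {dst.netmask}"]

    src_objs: List[str] = []
    if not denied_src_hosts:
        # Nothing to carve out: a plain subnet object is clearer than a range.
        name = f"{prefix}-SRC"
        lines += [f"object network {name}",
                  f" subnet {src.network_address} {src.netmask}"]
        src_objs.append(name)
    else:
        for i, (first, last) in enumerate(exclude_hosts(src_subnet, denied_src_hosts), 1):
            name = f"{prefix}-SRC-{i}"
            lines += [f"object network {name}", f" range {first} {last}"]
            src_objs.append(name)

    for name in src_objs:
        lines.append(f"nat ({real_if},{mapped_if}) source static {name} {name} "
                     f"destination static {dst_obj} {dst_obj}")
    return lines


if __name__ == "__main__":
    # Constructed sample: exempt 192.168.0.0/24 -> 172.16.20.0/24, except host .100
    for line in render_nat_exemption("server", "outside", "192.168.0.0/24",
                                     ["192.168.0.100"], "172.16.20.0/24"):
        print(line)
```

After pasting the generated lines, `show nat` confirms they sit in section 1 and in the intended order, and `packet-tracer input server tcp 192.168.0.100 12345 172.16.20.5 80` (assumed addresses) shows that the excluded host skips the exemption and hits whatever NAT rule follows, while a host such as 192.168.0.50 hits the identity line.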

Hi,

In 8.2 and prior versions, there was a NAT order of operation, and in that NAT exemption came before anything else. I guess the deny ACL you had was for the traffic you did not want to be exempted from NAT.

In 8.3, the NAT order of operation is based only on a NAT table. The order is Manual NAT, Auto NAT and then After-Auto NAT. Now in such a case, I don't think you need to bother about the deny ACLs in the NAT exemption.

If you could tell your exact requirement, then i can comment what can be done on 8.3 for that.

regards,

Prapanch

Hi,

My part of the config is given in the attached file..

When I tried to do an 8.3 update, the deny ACE turned out as given below, but I am not sure if it really works or not, hence I reverted to the older version 8.2.

Now, before I do it again, I would like to confirm the same.

old

nat (server) 0 access-list nat-server

access-list nat-server extended deny ip host 10.16.41.7 any

new

nat (server,server) source static obj-10.16.41.7 obj-10.16.41.7 unidirectional

Hi,

I have attached the exact 8.2 config. Please check and let me know...

omar.elmohri
Level 1

Hi,

You may check this link: https://supportforums.cisco.com/docs/DOC-12690

I could fix my NAT problem with this.

Regards,
