Cleanup and convert from version 8.0(3) to 9.2x

burleyman
Level 8

I have the following config on an ASA ver 8.0.3. Please correct me if I am wrong, but the line towards the bottom....

access-list 100 extended permit ip any 10.239.126.0 255.255.255.0

Basically covers everything, so all the other lines could be omitted.... correct?

nat (inside) 0 access-list 100

access-list 100 extended permit ip host 10.239.14.240 10.239.126.0 255.255.255.0
access-list 100 extended permit ip host 10.239.10.170 10.239.126.0 255.255.255.0
access-list 100 extended permit ip host 10.239.17.170 10.239.126.0 255.255.255.0
access-list 100 extended permit ip host 10.239.13.170 10.239.126.0 255.255.255.0
access-list 100 extended permit ip host 10.239.1.79 10.239.126.0 255.255.255.0
access-list 100 extended permit ip host 10.239.23.99 10.239.126.0 255.255.255.0
access-list 100 extended permit ip host 10.239.19.35 10.239.126.0 255.255.255.0
access-list 100 extended permit ip host 10.239.19.12 10.239.126.0 255.255.255.0
access-list 100 extended permit ip host 10.239.19.11 10.239.126.0 255.255.255.0
access-list 100 extended permit ip 10.239.1.0 255.255.255.0 10.239.126.0 255.255.255.0
access-list 100 extended permit ip host 10.239.23.11 10.239.126.0 255.255.255.0
access-list 100 extended permit ip 10.239.19.0 255.255.255.0 10.239.126.0 255.255.255.0
access-list 100 extended permit ip 10.239.0.0 255.255.0.0 10.239.126.0 255.255.255.0
access-list 100 extended permit ip host 10.239.23.240 10.239.126.0 255.255.255.0
access-list 100 extended permit ip host 10.239.23.242 10.239.126.0 255.255.255.0
access-list 100 extended permit ip host 10.239.23.241 10.239.126.0 255.255.255.0
access-list 100 extended permit ip any 10.239.126.0 255.255.255.0
access-list 100 extended permit ip 10.239.23.0 255.255.255.0 10.239.126.0 255.255.255.0
access-list 100 extended permit ip host 10.239.1.12 10.239.126.0 255.255.255.0
access-list 100 extended permit ip 10.239.17.0 255.255.255.0 10.239.126.0 255.255.255.0
access-list 100 extended permit ip host 10.239.1.9 10.239.126.0 255.255.255.0

Thanks

Mike

6 Replies

Marvin Rhoads
Hall of Fame

That's correct. Looks like somebody got tired of adding the more specific entries and just stuck in the "any" rule and neglected to remove the ones that it supersedes.

The only reason I can think of for keeping the more specific ones would be if you're trying to track the number of hits on the access-list entries for them. Otherwise the single line you mentioned can be migrated.

Of course the syntax is a bit different in 8.3+.

Thank you. Now, based on that, I want to convert the following

Convert.....

nat (inside) 0 access-list 100

access-list 100 extended permit ip any 10.239.126.0 255.255.255.0
access-list 100 extended permit ip 10.239.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 extended permit ip 10.239.1.0 255.255.255.0 172.16.40.0 255.255.255.0


to this.......


object network NAT-10.239.126.0-24
 subnet 10.239.126.0 255.255.255.0

object network NAT-10.239.1.0-24
 subnet 10.239.1.0 255.255.255.0

object network NAT-192.168.10.0-24
 subnet 192.168.10.0 255.255.255.0

object network NAT-172.16.40.0-24
 subnet 172.16.40.0 255.255.255.0

nat (inside,outside) source dynamic any any destination static NAT-10.239.126.0-24 NAT-10.239.126.0-24
nat (inside,outside) source dynamic NAT-10.239.1.0-24 NAT-10.239.1.0-24 destination static NAT-192.168.10.0-24 NAT-192.168.10.0-24
nat (inside,outside) source dynamic NAT-10.239.1.0-24 NAT-10.239.1.0-24 destination static NAT-172.16.40.0-24 NAT-172.16.40.0-24

Would this be correct?

Mike

Hello Mike,

In 8.0 you have a configuration for no-nat. This is because in 8.0 we can't disable nat control (NAT is mandatory if you are going from inside to any interface), so we have to use the mentioned config. But in the latest versions we don't have the concept of nat control.

Thanks.

So let me ask this. Based on the above original config and moving to 9.x, do I need to carry over the config, or should I leave it off and it will work as is?

Mike

Yes, only for the nat 0 configuration; you need not configure anything extra in the latest code.

Thanks!

Thanks for all your help.
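The two technical points in this thread (a broader ACE in a permit-only exemption ACL makes the narrower ones redundant, and a `nat (inside) 0 access-list` exemption maps onto 8.3+ identity twice NAT) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the 8.0-style `nat 0` ACL, prunes entries covered by a broader one (so the `any` line swallows the host and subnet entries, exactly as Marvin says), and renders the 8.3+ objects plus `nat (inside,any) source static X X destination static Y Y` rules. The sample configuration is a shortened, constructed copy of the ACL posted above; the `NAT-<net>-<len>` object names follow Mike's naming, and appending `no-proxy-arp route-lookup` (valid on 8.4(2) and later) is an assumed preference, not something the thread prescribes.

```python
import ipaddress
import re
from typing import List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample input: a shortened copy of the 8.0(3) NAT exemption
# configuration from the thread (the full ACL behaves the same way).
ACL_8_0 = """\
nat (inside) 0 access-list 100
access-list 100 extended permit ip host 10.239.14.240 10.239.126.0 255.255.255.0
access-list 100 extended permit ip 10.239.1.0 255.255.255.0 10.239.126.0 255.255.255.0
access-list 100 extended permit ip 10.239.0.0 255.255.0.0 10.239.126.0 255.255.255.0
access-list 100 extended permit ip any 10.239.126.0 255.255.255.0
access-list 100 extended permit ip 10.239.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 extended permit ip 10.239.1.0 255.255.255.0 172.16.40.0 255.255.255.0
"""


def parse_operand(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse one ACE address operand (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_exemption_acl(config: str) -> Tuple[str, List[Pair]]:
    """Find 'nat (IFACE) 0 access-list NAME' and return IFACE plus the
    (source, destination) pairs of that ACL's 'permit ip' entries."""
    m = re.search(r"^nat \((\S+)\) 0 access-list (\S+)", config, re.M)
    if not m:
        raise ValueError("no 'nat (...) 0 access-list' statement found")
    iface, name = m.group(1), m.group(2)
    pairs: List[Pair] = []
    for line in config.splitlines():
        t = line.split()
        # Only 'permit ip' ACEs of the referenced ACL define exemption matches.
        if t[:5] != ["access-list", name, "extended", "permit", "ip"]:
            continue
        src, i = parse_operand(t, 5)
        dst, _ = parse_operand(t, i)
        pairs.append((src, dst))
    return iface, pairs


def prune_covered(pairs: List[Pair]) -> List[Pair]:
    """Drop entries whose src and dst both fall inside another entry.
    The exemption ACL is permit-only, so a broader ACE makes the narrower
    ones redundant; the only thing lost is per-ACE hit counts."""
    kept: List[Pair] = []
    for s, d in pairs:
        if any(s.subnet_of(ks) and d.subnet_of(kd) for ks, kd in kept):
            continue
        kept = [(ks, kd) for ks, kd in kept
                if not (ks.subnet_of(s) and kd.subnet_of(d))]
        kept.append((s, d))
    return kept


def obj_name(net: Net) -> str:
    """Object name in the NAT-<network>-<prefixlen> style used in the thread."""
    return "any" if net == ANY else f"NAT-{net.network_address}-{net.prefixlen}"


def emit_twice_nat(iface: str, pairs: List[Pair], route_lookup: bool = True) -> str:
    """Render the 8.3+ equivalent: network objects plus identity twice-NAT rules.
    'nat (inside) 0' applied to traffic leaving inside towards any interface,
    hence the (inside,any) interface pair."""
    lines: List[str] = []
    nets = {n for p in pairs for n in p if n != ANY}
    for net in sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen)):
        lines.append(f"object network {obj_name(net)}")
        if net.prefixlen == 32:
            lines.append(f" host {net.network_address}")
        else:
            lines.append(f" subnet {net.network_address} {net.netmask}")
    for s, d in pairs:
        rule = (f"nat ({iface},any) source static {obj_name(s)} {obj_name(s)} "
                f"destination static {obj_name(d)} {obj_name(d)}")
        if route_lookup:
            # Assumed preference: no-proxy-arp and route-lookup (8.4(2)+) keep
            # identity NAT from answering ARP or overriding the routing table.
            rule += " no-proxy-arp route-lookup"
        lines.append(rule)
    return "\n".join(lines)


def migrate(config: str) -> str:
    """Full pipeline: parse the nat 0 ACL, prune redundant ACEs, emit 8.3+ NAT."""
    iface, pairs = parse_exemption_acl(config)
    return emit_twice_nat(iface, prune_covered(pairs))


if __name__ == "__main__":
    print(migrate(ACL_8_0))
```

Running it on the sample collapses the seven ACEs to three rules: `any -> 10.239.126.0/24` plus the two `10.239.1.0/24` entries whose destinations the `any` line does not cover. Whether you actually need those rules on 9.2x is the point made in the last reply: with no nat-control, identity NAT is only required where some other NAT rule (a dynamic PAT towards the outside, for instance) would otherwise translate that traffic, and `source static` rules are used with `destination static` here, not `source dynamic` as in the proposed conversion above.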
