02-06-2012 08:25 PM - edited 03-11-2019 03:24 PM
Dear All,
I have not come across doing any PIX/ASA before. I have been assigned by my project manager to migrate the old PIX to a new ASA.
I have read through the online guide on how to migrate PIX to ASA and don't fully understand the new setup work. I have completed some of the commands, but I found the result weird. I need advice on this.
Static NAT
PIX:
static (inside,outside) 192.168.1.2 10.152.1.2 netmask 255.255.255.255 0 0
Question: Does this mean I am doing the NAT for outside to inside? Meaning 192.168.1.2 traffic into 10.152.1.2?
ASA:
object network obj-10.152.1.2_outside-inside
host 10.152.1.2
object network obj-10.152.1.2_outside-inside
nat (inside,outside) static 192.168.1.2
The show nat command shows:
1 (inside) to (outside) source static obj-10.152.1.2_outside-inside 192.168.1.2
translate_hits = 0, untranslate_hits = 0
Question: I am defining traffic from outside to come inside, but the show nat command shows (inside) to (outside). What does it really mean?
Dynamic NAT
PIX:-
global (outside) 2 192.168.1.2 netmask 255.255.255.224
nat (inside) 2 10.152.1.2 255.255.255.255 0 0
Question: does the netmask 255.255.255.224 defined here mean I will have an outside range of 192.168.1.2 to 192.168.1.32? A bit confused on this setup. Is this setting to allow traffic from inside to outside?
ASA:-
object network obj-10.152.1.2_inside-outside
host 10.152.1.2
object network obj-10.152.1.2_inside-outside
nat (Internal,Internet) dynamic 192.168.1.2
Question: does this allow the inside host 10.152.1.2 to go outside as 192.168.1.2?
The show nat command shows:
15 (inside) to (outside) source dynamic obj-10.152.1.2_inside-outside 192.168.1.2
translate_hits = 0, untranslate_hits = 0
Question: the command shows (inside) to (outside); does that mean it is the same as the static NAT? I am a bit confused on how to read the show nat output. Does this mean that for static the from and to are reversed? That is, if it says (inside) to (outside), is the traffic from outside to inside?
Please advise me on this, as I have struggled for a few weeks. Thank you.
02-07-2012 12:32 AM
Static NAT
PIX:
static (inside,outside) 192.168.1.2 10.152.1.2 netmask 255.255.255.255 0 0
Question: Does this mean I am doing the NAT for outside to inside? Mean 192.168.1.2 traffic into 10.152.1.2?
Ans: No. This means 10.152.1.2 will be NATed to 192.168.1.2 at the outside interface.
ASA:
object network obj-10.152.1.2_outside-inside
host 10.152.1.2
object network obj-10.152.1.2_outside-inside
nat (inside,outside) static 192.168.1.2
The show nat command shows:
1 (inside) to (outside) source static obj-10.152.1.2_outside-inside 192.168.1.2
translate_hits = 0, untranslate_hits = 0
Question: I am defining traffic from outside to come inside, but the show nat command shows (inside) to (outside). What does it really mean?
Ans: This is just NAT which looks correct.
I would suggest that you try out an ASA version below 8.3 (8.2(2) etc.) first, get the hang of the ASA, and then go to 8.3/8.4.
02-07-2012 02:21 AM
Hi jyothydas,
Thanks for the reply. Just wondering, is there a difference between versions lower than 8.3 and 8.3?
1 (inside) to (outside) source static obj-10.152.1.2_outside-inside 192.168.1.2
15 (inside) to (outside) source dynamic obj-10.152.1.2_inside-outside 192.168.1.2
So, can I say that the above lines are equally the same?
02-07-2012 06:49 AM
Not quite,
the first one would do a static mapping for the IP address 10.152.1.2 to be seen on the outside as 195.168.1.2; with the proper ACLs, traffic will flow from connections initiated on both sides.
The second one is using PAT (port address translation), and that one will not allow inbound connections per se, only outbound.
Mike
02-07-2012 05:55 PM
Ok.
So to read the show nat function, we need to check on the static or dynamic instead of (where) to (where)?
1 (inside) to (outside) source static obj-10.152.1.2_outside-inside 192.168.1.2
15 (inside) to (outside) source dynamic obj-10.152.1.2_inside-outside 192.168.1.2
02-07-2012 06:17 PM
Hello Boon,
On 8.2
static (inside,outside) Mapped_Ip_Address Real_Ip_Address
static (inside,outside) 2.2.2.2 192.168.12.2
So you are saying to the ASA or Pix:
"Do NAT the Real_Ip_Address on the inside to the Mapped_Ip_Address on the outside"
On 8.3
object network obj-10.152.1.2_inside-outside
host 10.152.1.2
object network obj-4.2.2.2
host 4.2.2.2
nat (inside,outside) source static Real_object_Network Mapped_object_Network
nat (inside,outside) source static obj-10.152.1.2_inside-outside obj-4.2.2.2
So you are saying to the ASA or Pix:
"Do NAT the Real_Ip_Address on the inside to the Mapped_Ip_Address on the outside"
As you can see, the structure on them is quite different: on 8.2 and older versions you need to place the global IP address first and then the real IP address in the static command, while 8.3 and prior versions seem to be more organized, as you do it the way it is supposed to be, from the inside to the outside.
Now regarding the show nat function.
The ASA will tell you from where to where the translation is occurring:
1 (inside) to (outside) source static obj-10.152.1.2_outside-inside 192.168.1.2
"I am NATting the inside host 10.50.1.2 on the outside to the host 192.168.1.2"
Regards,
Do rate all the helpful posts!!
Julio
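The real-versus-mapped ordering that Julio describes is the part that trips people up in a PIX-to-8.3 migration, so here is a small converter, added as an illustration and not code from this thread or from Cisco: it reads the 8.2-style static/nat/global lines posted above (embedded as a constructed sample), emits the equivalent 8.3 object NAT blocks, and states for each one which address is real, which is mapped, and in which direction connections can be set up. The object names it generates (obj-<real>-static, obj-<real>-dynamic) are an assumption; address ranges and nat 0 exemption are not handled.

```python
import re

# Constructed sample: the PIX 8.2-style lines from this thread, not a full device config.
PIX_CONFIG = """
static (inside,outside) 192.168.1.2 10.152.1.2 netmask 255.255.255.255 0 0
global (outside) 2 192.168.1.2 netmask 255.255.255.224
nat (inside) 2 10.152.1.2 255.255.255.255 0 0
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")   # MAPPED then REAL
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) \S+")              # REAL then its mask


def object_nat(real, real_ifc, mapped_ifc, kind, mapped):
    """Build an ASA 8.3 object NAT block: the object holds the REAL address,
    the nat line names the MAPPED address (the opposite order from PIX static)."""
    return (f"object network obj-{real}-{kind}\n host {real}\n"
            f" nat ({real_ifc},{mapped_ifc}) {kind} {mapped}")


def convert(pix_text):
    """Return a list of (asa_block, note) tuples for the PIX NAT lines given."""
    results, globals_by_id, dyn = [], {}, []
    for line in pix_text.strip().splitlines():
        if m := STATIC_RE.match(line):
            real_ifc, mapped_ifc, mapped, real = m.groups()
            results.append((object_nat(real, real_ifc, mapped_ifc, "static", mapped),
                            f"static: real {real} on {real_ifc} is seen as {mapped} on "
                            f"{mapped_ifc}; connections may start from either side once "
                            "the ACL permits them"))
        elif m := GLOBAL_RE.match(line):
            globals_by_id[m.group(2)] = (m.group(1), m.group(3))
        elif (m := NAT_RE.match(line)) and m.group(2) != "0":   # nat 0 exemption skipped
            dyn.append((m.group(1), m.group(2), m.group(3)))
    for real_ifc, nat_id, real in dyn:
        mapped_ifc, mapped = globals_by_id[nat_id]
        # A single global IP is PAT on the PIX (the netmask keyword does not turn it
        # into a range); in 8.3 object NAT "dynamic <host-ip>" is likewise PAT.
        results.append((object_nat(real, real_ifc, mapped_ifc, "dynamic", mapped),
                        f"dynamic PAT: real {real} on {real_ifc} hides behind {mapped} on "
                        f"{mapped_ifc}; outbound connections only"))
    return results


if __name__ == "__main__":
    for block, note in convert(PIX_CONFIG):
        print(block, "\n# " + note, "\n")
```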
02-07-2012 06:26 PM
Ok. Thanks all.
That make more clear now.
02-07-2012 06:29 PM
Hello Boon,
Great to hear I could help!
Regards,
Julio