Solved: Re: Confusing with ASA 8.3 Setup

Boon Keat Gan · ‎02-06-2012

Dear All,

I have no come across with doing any PIX/ASA before. I have been assigned by my project manager to migrating the old PIX to new ASA.

I have read thru online guide on how to migrate PIX to ASA and don’t fully understand on the new setup work. And I had completed some of the command but I found it is weird. I need advised on this.

Static NAT

PIX:

static (inside,outside) 192.168.1.2 10.152.1.2 netmask 255.255.255.255 0 0

Question: Does this mean I am doing the NAT for outside to inside? Mean 192.168.1.2 traffic into 10.152.1.2?

ASA:

object network obj-10.152.1.2_outside-inside

host 10.152.1.2

object network obj-10.152.1.2_outside-inside

nat (inside,outside) static 192.168.1.2

The show NAT command shown:-

1 (inside) to (outside) source static obj-10.152.1.2_outside-inside 192.168.1.2

translate_hits = 0, untranslate_hits = 0

Question: I am define an traffic from outside to come inside, but the show nat command show (inside) to (outside), what does it really mean?

Dynamic NAT

PIX:-

global (outside) 2 192.168.1.2 netmask 255.255.255.224

nat (inside) 2 10.152.1.2 255.255.255.255 0 0

Question: the netmask 255.255.255.224 define here mean I will have a range for outside of 192.168.1.2 to 192.168.1.32? Abit confuse on this setup. Is this setting to allow traffic from inside to outside?

ASA:-

object network obj-10.152.1.2_inside-outside

host 10.152.1.2

object network obj-10.152.1.2_inside-outside

nat (Internal,Internet) dynamic 192.168.1.2

Question: is this traffic allow inside host to go outside for 10.152.1.2 to 192.168.1.2?

The show nat command shown:-

15 (inside) to (outside) source dynamic obj-10.152.1.2_inside-outside 192.168.1.2

translate_hits = 0, untranslate_hits = 0

Question: the command is showing (inside) to (outside) mean is the same as static NAT? I am abit confusing on how to see the show NAT? Does this mean if Static the from and to is revert? Mean if it mean (inside) to (outside) mean the traffic is from outside to inside?

Please advise me on this as I have struggle for few week. Thank you.

jyothydas · ‎02-07-2012

Static NAT

PIX:

static (inside,outside) 192.168.1.2 10.152.1.2 netmask 255.255.255.255 0 0

Question: Does this mean I am doing the NAT for outside to inside? Mean 192.168.1.2 traffic into 10.152.1.2?

Ans: No. This means 10.152.1.2 will be NATed to 192.168.1.2 at the outside interface.

ASA:

object network obj-10.152.1.2_outside-inside

host 10.152.1.2

object network obj-10.152.1.2_outside-inside

nat (inside,outside) static 192.168.1.2

The show NAT command shown:-

1 (inside) to (outside) source static obj-10.152.1.2_outside-inside 192.168.1.2

translate_hits = 0, untranslate_hits = 0

Question: I am define an traffic from outside to come inside, but the show nat command show (inside) to (outside), what does it really mean?

Ans: This is just NAT which looks correct.

I would suggest that you try out ASA verison below 8.3 ( 8.2.(2) etc) first and then get a hang of ASA and then goto 8.3/8.4.

View solution in original post

Maykol Rojas · ‎02-07-2012

Not quite,

the first one would do an static mapping between the IP address 10.152.1.2 to be seeing on the outside as 195.168.1.2, with the proper ACLS, traffic will flow from connections initiated both sides.

The seond one is using PAT, (port address translation) and that one will not allow inbound connections per se, only oubound.

Mike

View solution in original post

Julio Carvajal · ‎02-07-2012

Hello Boon,

On 8.2

static ( inside, outside) Mapped_Ip_Address Real_Ip_Address

static (inside,outside) 2.2.2.2 192.168.12.2

So you are saying to the ASA or Pix:

" Do nat the Real Ip address on the inside to the Mapped_ Ip address on the outside"

On 8.3

object network obj-10.152.1.2_inside-outside

host 10.152.1.2

object network obj-4.2.2.2

host 4.2.2.2

nat (inside,outside) source static Real_object_Network Mapped_object_Network

nat (inside,outside) source static obj-10.152.1.2_inside-outside obj-4.2.2.2

So you are saying to the ASA or Pix:

" Do nat the Real Ip address on the inside to the Mapped_ Ip address on the outside"

As you can see the structure on them is quite different, on 8.2 and older versions you need to place the global ip address first and then the real ip address into the static command, then on 8.3 and prior versions seems to be more organized as you do it as it supposed to be from the inside to the outside.

Now regarding the show nat function.

The ASA will tell you from where to where the translation is ocurring

1 (inside) to (outside) source static obj-10.152.1.2_outside-inside 192.168.1.2

" I am natting the inside host 10.50.1.2 on the outside to the host 192.168.1.2"

Regards,

Do rate all the helfpul posts!!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

jyothydas · ‎02-07-2012

Static NAT

PIX:

static (inside,outside) 192.168.1.2 10.152.1.2 netmask 255.255.255.255 0 0

Question: Does this mean I am doing the NAT for outside to inside? Mean 192.168.1.2 traffic into 10.152.1.2?

Ans: No. This means 10.152.1.2 will be NATed to 192.168.1.2 at the outside interface.

ASA:

object network obj-10.152.1.2_outside-inside

host 10.152.1.2

object network obj-10.152.1.2_outside-inside

nat (inside,outside) static 192.168.1.2

The show NAT command shown:-

1 (inside) to (outside) source static obj-10.152.1.2_outside-inside 192.168.1.2

translate_hits = 0, untranslate_hits = 0

Question: I am define an traffic from outside to come inside, but the show nat command show (inside) to (outside), what does it really mean?

Ans: This is just NAT which looks correct.

I would suggest that you try out ASA verison below 8.3 ( 8.2.(2) etc) first and then get a hang of ASA and then goto 8.3/8.4.

Boon Keat Gan · ‎02-07-2012

Hi jyothydas,

Thanks for reply. Just wondering is there different btw lower version of 8.3 and 8.3?

1 (inside) to (outside) source static obj-10.152.1.2_outside-inside 192.168.1.2

15 (inside) to (outside) source dynamic obj-10.152.1.2_inside-outside 192.168.1.2

So, can i said that the above link are equaly same?

Maykol Rojas · ‎02-07-2012

Not quite,

the first one would do an static mapping between the IP address 10.152.1.2 to be seeing on the outside as 195.168.1.2, with the proper ACLS, traffic will flow from connections initiated both sides.

The seond one is using PAT, (port address translation) and that one will not allow inbound connections per se, only oubound.

Mike

Boon Keat Gan · ‎02-07-2012

Ok.

So to see the show nat function, we need to check on the static or dynamic instead of (where) to (where)?

1 (inside) to (outside) source static obj-10.152.1.2_outside-inside 192.168.1.2

15 (inside) to (outside) source dynamic obj-10.152.1.2_inside-outside 192.168.1.2

Julio Carvajal · ‎02-07-2012

Hello Boon,

On 8.2

static ( inside, outside) Mapped_Ip_Address Real_Ip_Address

static (inside,outside) 2.2.2.2 192.168.12.2

So you are saying to the ASA or Pix:

" Do nat the Real Ip address on the inside to the Mapped_ Ip address on the outside"

On 8.3

object network obj-10.152.1.2_inside-outside

host 10.152.1.2

object network obj-4.2.2.2

host 4.2.2.2

nat (inside,outside) source static Real_object_Network Mapped_object_Network

nat (inside,outside) source static obj-10.152.1.2_inside-outside obj-4.2.2.2

So you are saying to the ASA or Pix:

" Do nat the Real Ip address on the inside to the Mapped_ Ip address on the outside"

As you can see the structure on them is quite different, on 8.2 and older versions you need to place the global ip address first and then the real ip address into the static command, then on 8.3 and prior versions seems to be more organized as you do it as it supposed to be from the inside to the outside.

Now regarding the show nat function.

The ASA will tell you from where to where the translation is ocurring

1 (inside) to (outside) source static obj-10.152.1.2_outside-inside 192.168.1.2

" I am natting the inside host 10.50.1.2 on the outside to the host 192.168.1.2"

Regards,

Do rate all the helfpul posts!!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Boon Keat Gan · ‎02-07-2012

Ok. Thanks all.

That make more clear now.

Julio Carvajal · ‎02-07-2012

Hello Boon,

Great to hear I could help!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC