FWSM static NAT conversion to ASA SM 9.0.3: conversion help

jain.nitin
Level 3

Hi, can anyone tell me whether the conversion below is correct or not? I tried the conversion tool but it did not convert any static/global/nat commands for us, so I am converting them manually.

Entry in FWSM

1

static (BACKUP,MARS-NW) 172.18.12.39 172.18.12.39 netmask 255.255.255.255

2

static (BACKUP,UNIX-MT-MGMT) 172.18.108.21 172.18.12.10 netmask 255.255.255.255

static (BACKUP,Microsoft-MT-MGMT) 172.18.124.52 172.18.12.10 netmask 255.255.255.255

static (BACKUP,Microsoft-FE-MGMT) 172.18.122.52 172.18.12.10 netmask 255.255.255.255

Entry which is going to be configured in ASA SM

1
object network obj20-172.18.12.39
host 172.18.12.39
nat (BACKUP,MARS-NW) source static obj20-172.18.12.39 obj20-172.18.12.39

2

object network obj1-172.18.12.10
host 172.18.12.10
nat (BACKUP,UNIX-MT-MGMT) static 172.18.108.21
nat (BACKUP,Microsoft-MT-MGMT) static 172.18.124.52
nat (BACKUP,Microsoft-FE-MGMT) static 172.18.122.52

16 Replies

object network obj20-172.18.12.39
host 172.18.12.39
nat (BACKUP,MARS-NW) source static obj20-172.18.12.39 obj20-172.18.12.39

What is the purpose of this NAT statement, is it for a VPN connection?

object network obj1-172.18.12.10
host 172.18.12.10
nat (BACKUP,UNIX-MT-MGMT) static 172.18.108.21
nat (BACKUP,Microsoft-MT-MGMT) static 172.18.124.52
nat (BACKUP,Microsoft-FE-MGMT) static 172.18.122.52

As far as I know this will not work. You will need a separate object for each NAT statement. Each NAT statement you enter will overwrite the previous statement. So you would need to do the following... for example:

object network obj1-172.18.12.10-1
  host 172.18.12.10
  nat (BACKUP,UNIX-MT-MGMT) static 172.18.108.21

object network obj1-172.18.12.10-2
  host 172.18.12.10
  nat (BACKUP,Microsoft-MT-MGMT) static 172.18.124.52


object network obj1-172.18.12.10-3
  host 172.18.12.10
  nat (BACKUP,Microsoft-FE-MGMT) static 172.18.122.52

--

Please remember to select a correct answer and rate helpful posts


Hi, thanks for the quick reply. The first NAT is for sending the source as it is between these interfaces.

This means 172.18.12.39, which belongs to the BACKUP zone, should not be NATed when communicating with the MARS_NW zone.

Is there already a NAT statement that NATs traffic between these two interfaces, and you don't want the 172.18 address to be NATed?

--

Please remember to select a correct answer and rate helpful posts


I don't see any nat/global command for the BACKUP and MARS_NW zones; only the static command which I mentioned in my first post is there.

Well, then I would say that NAT statement is not needed.  Previously, when NAT control was used you would need a NAT statement to allow traffic between interfaces, but as of 8.2 NAT control has been disabled by default and as of 8.4 NAT control has been removed completely.  So unless there is another NAT statement present for that interface which will translate the 172.18.12.39 address, you do not need that statement to maintain the source address.

--

Please remember to select a correct answer and rate helpful posts


Thank you for the rating.

--
Please remember to select a correct answer and rate helpful posts

Awesome... so it means I can simply ignore all static NAT entries of the same type instead of converting them, right?

Can you help me with the entries below also? I just need an idea of how to convert them for the ASA SM. The entries below are in the FWSM; the migration tool cannot convert them. Any idea? Is there any tool which can convert these entries?

global (UNIX-FE-MGMT) 1 172.18.106.254 netmask 255.255.255.255
global (UNIX-MT-MGMT) 1 172.18.108.254 netmask 255.255.255.255
global (UNIX-MT-MGMT) 2 172.18.110.166 netmask 255.0.0.0
global (UNIX-MT-MGMT) 5 172.18.108.236 netmask 255.0.0.0
global (UNIX-MT-MGMT) 12 172.18.108.175 netmask 255.255.255.255
global (UNIX-MT-MGMT) 13 172.18.108.127 netmask 255.0.0.0
global (UNIX-MT-MGMT) 161 172.18.108.161 netmask 255.255.255.255
global (UNIX-MT-MGMT) 108 172.18.108.106 netmask 255.0.0.0
global (UNIX-MT-MGMT) 12 172.18.110.175 netmask 255.0.0.0
global (Microsoft-FE-MGMT) 3 172.18.122.254 netmask 255.255.255.255
global (Microsoft-FE-MGMT) 11 172.18.122.221 netmask 255.0.0.0
global (Microsoft-FE-MGMT) 1 172.18.122.64 netmask 255.0.0.0
global (Microsoft-MT-MGMT) 1 172.18.124.252 netmask 255.255.0.0
global (Microsoft-MT-MGMT) 3 172.18.124.254 netmask 255.255.255.255
global (Microsoft-MT-MGMT) 4 172.18.124.233 netmask 255.255.255.255
global (Microsoft-MT-MGMT) 10 172.18.124.144 netmask 255.0.0.0
global (Microsoft-MT-MGMT) 5 172.18.124.245 netmask 255.0.0.0
global (Microsoft-BE-MGMT) 1 172.18.126.252 netmask 255.255.0.0
global (Microsoft-BE-MGMT) 3 172.18.126.254 netmask 255.255.255.255
nat (Outside) 161 access-list Outside_nat_outbound outside
nat (Outside) 162 access-list Outside_nat_outbound_1 outside
nat (Outside) 108 access-list Outside_nat_outbound_2 outside
nat (Outside) 110 access-list Outside_nat_outbound_3 outside
nat (Outside) 2 10.128.156.64 255.255.255.192 outside
nat (Outside) 4 10.130.64.0 255.255.255.192 outside
nat (Outside) 3 10.130.64.64 255.255.255.192 outside
nat (Outside) 1 10.130.64.192 255.255.255.192 outside
nat (Outside) 1 10.130.66.64 255.255.255.192 outside
nat (Outside) 1 10.130.66.128 255.255.255.192 outside
nat (Outside) 5 10.130.66.192 255.255.255.192 outside
nat (Outside) 11 10.130.67.0 255.255.255.192 outside
nat (Outside) 12 10.130.68.0 255.255.255.192 outside
nat (Outside) 13 10.129.193.128 255.255.255.128 outside
nat (Outside) 3 10.130.70.0 255.255.255.0 outside
nat (Outside) 10 10.128.144.0 255.255.254.0 outside

Awesome... so it means I can simply ignore all static NAT entries of the same type instead of converting them, right?

Yes, so long as there is no other NAT statement that will NAT that specific address, there is no need for a NAT statement to maintain that source IP.

Interesting, I don't see outside NAT being used often. But just to use one of the entries as an example, it would be configured as follows:

global (UNIX-FE-MGMT) 1 172.18.106.254 netmask 255.255.255.255
global (Microsoft-FE-MGMT) 1 172.18.122.64 netmask 255.0.0.0
global (Microsoft-MT-MGMT) 1 172.18.124.252 netmask 255.255.0.0

nat (Outside) 1 10.130.64.192 255.255.255.192 outside
nat (Outside) 1 10.130.66.64 255.255.255.192 outside
nat (Outside) 1 10.130.66.128 255.255.255.192 outside

This would be converted to:

object network UNIX-FE-MGMT
  host 172.18.106.254

object network Microsoft-FE-MGMT
  subnet 172.18.122.64 255.0.0.0

object network Microsoft-MT-MGMT
  subnet 172.18.124.252 255.255.0.0

object-group network Outside
  network-object 10.130.64.192 255.255.255.192
  network-object 10.130.66.64 255.255.255.192
  network-object 10.130.66.128 255.255.255.192

nat (Outside,UNIX-FE-MGMT) source dynamic Outside UNIX-FE-MGMT

nat (Outside,Microsoft-FE-MGMT) source dynamic Outside Microsoft-FE-MGMT

nat (Outside,Microsoft-MT-MGMT) source dynamic Outside Microsoft-MT-MGMT

I have used object groups with the same names as the interfaces, but you can change those object group names to suit your needs.

--

Please remember to select a correct answer and rate helpful posts


Thanks for your help. It really helped a lot. One last thing: ACS in the NAT command... can you tell me the conversion for the same? Then I am done and ready to migrate. Thanks for your great help.

Hi, one clarification on the command below: don't you think the OUTSIDE group which you created should come after UNIX-FE-MGMT in the command below?

nat (Outside,UNIX-FE-MGMT) source dynamic Outside UNIX-FE-MGMT

last thing ACS in NAT command...can you tell me conversion for the same

Not sure what you mean by ACS in NAT command?

Hi, one clarification on the command below: don't you think the OUTSIDE group which you created should come after UNIX-FE-MGMT in the command below?

nat (Outside,UNIX-FE-MGMT) source dynamic Outside UNIX-FE-MGMT

The ASA 8.2 commands you posted translate addresses from the Outside interface to the UNIX-FE-MGMT interface. There are 3 forms of NAT in the new version: manual NAT, auto NAT, and manual after-auto NAT. The example I posted above is manual NAT, which follows this format:

nat (real_add,mapped_add) source [static | dynamic] real_source mapped_source destination [static | dynamic] mapped_dest real_dest service real_port mapped_port

So when translating just the source address and not the destination address you would have the real IP first and the mapped IP second.

--

Please remember to select a correct answer and rate helpful posts

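The rules this thread has worked out so far (one object per static, identity statics dropped because NAT control is gone, a global/nat pool pair becoming an object-group plus a manual dynamic NAT) are mechanical enough to script. The converter below is an added example written for this page, not Cisco's migration tool or anything the posters ran; the object and group names it emits are my own choice, and it only flags the access-list (policy NAT) form rather than converting it.

```python
import re
from collections import defaultdict

# FWSM line forms seen in this thread (my own parser, not Cisco's migration tool).
STATIC = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask \S+")
GLOBAL = re.compile(r"global \((\S+)\) (\d+) (\S+) netmask (\S+)")
NAT = re.compile(r"nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\S+) outside")

def convert(fwsm_config):
    """Return ASA 8.3+ config lines for the FWSM static/global/nat lines given."""
    out, count, pools, nats = [], defaultdict(int), [], defaultdict(list)
    for line in filter(None, map(str.strip, fwsm_config.splitlines())):
        if m := STATIC.match(line):
            real_if, mapped_if, mapped_ip, real_ip = m.groups()
            if mapped_ip == real_ip:
                # Identity static only mattered under NAT control, removed in 8.4.
                out.append(f"! dropped identity static {real_ip} ({real_if},{mapped_if})")
                continue
            # One object per static: a second nat line under one object overwrites the first.
            count[real_ip] += 1
            out += [f"object network obj-{real_ip}-{count[real_ip]}", f"  host {real_ip}",
                    f"  nat ({real_if},{mapped_if}) static {mapped_ip}"]
        elif m := GLOBAL.match(line):
            pools.append(m.groups())  # (mapped_if, id, addr, mask)
        elif m := NAT.match(line):
            real_if, nat_id, net, mask = m.groups()
            nats[(real_if, nat_id)].append((net, mask))
        else:
            out.append(f"! unconverted (policy NAT or unknown form): {line}")
    # Real networks: one object-group per FWSM nat id and real interface.
    for (real_if, nat_id), nets in nats.items():
        out.append(f"object-group network {real_if}-nat{nat_id}")
        out += [f"  network-object {net} {mask}" for net, mask in nets]
    # Mapped pools: one object each, then manual NAT to every nat entry sharing its id.
    for mapped_if, nat_id, addr, mask in pools:
        obj = f"{mapped_if}-pool{nat_id}"
        out.append(f"object network {obj}")
        out.append(f"  host {addr}" if mask == "255.255.255.255" else f"  subnet {addr} {mask}")
        for real_if, nid in nats:
            if nid == nat_id:
                out.append(f"nat ({real_if},{mapped_if}) source dynamic {real_if}-nat{nid} {obj}")
    return out

# Constructed sample: a handful of the FWSM lines posted in this thread.
SAMPLE = """static (BACKUP,MARS-NW) 172.18.12.39 172.18.12.39 netmask 255.255.255.255
static (BACKUP,UNIX-MT-MGMT) 172.18.108.21 172.18.12.10 netmask 255.255.255.255
static (BACKUP,Microsoft-MT-MGMT) 172.18.124.52 172.18.12.10 netmask 255.255.255.255
global (UNIX-FE-MGMT) 1 172.18.106.254 netmask 255.255.255.255
nat (Outside) 1 10.130.64.192 255.255.255.192 outside
nat (Outside) 161 access-list Outside_nat_outbound outside"""
```

The subnet form reproduces whatever netmask the FWSM global carried, exactly as the thread's hand conversion does, so odd masks such as 255.0.0.0 on a single address should be reviewed before the output is applied.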

Have a look at this link if you feel like doing more reading on the new NAT configuration format.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_rules.html#pgfId-1099300

--

Please remember to select a correct answer and rate helpful posts


I am talking about ACLs in nat commands in the ASA SM. Look at the entries below; what would be the command for them in the ASA SM?

access-list Outside_nat_outbound extended permit ip 172.18.195.0 255.255.255.0 172.18.108.0 255.255.255.0

global (UNIX-MT-MGMT) 161 172.18.108.161 netmask 255.255.255.255
nat (Outside) 161 access-list Outside_nat_outbound outside

Hi, please help me to get the NAT for the entries below. It really would be very helpful.

global (UNIX-MT-MGMT) 108 172.18.108.106 netmask 255.0.0.0
nat (Outside) 108 access-list Outside_nat_outbound_2 outside

access-list Outside_nat_outbound_2 extended permit ip object-group DM_INLINE_NETWORK_1513 172.18.108.0 255.255.255.0

object-group network DM_INLINE_NETWORK_1513
group-object MSAT-Group-VT-LAN
group-object MSAT-Group-VT-WiFi
group-object R12-MSAT-LAN-Group
group-object R12-MSAT-WiFiGroup

object-group network MSAT-Group-VT-LAN
network-object host 10.128.19.85
network-object host 10.128.19.88
network-object host 10.128.19.89
network-object host 10.128.19.90
network-object host 10.128.19.91
network-object host 10.128.19.38
network-object host 10.128.19.138
network-object host 10.128.19.50
network-object host 10.128.19.86
network-object host 10.128.18.53
network-object host 10.128.19.98
network-object host 10.128.19.95
network-object host 10.128.19.111

object-group network MSAT-Group-VT-WiFi
network-object 10.130.68.0 255.255.255.192

object-group network R12-MSAT-LAN-Group
network-object host 10.129.193.177
network-object host 10.129.193.199
network-object host 10.129.193.203
network-object host 10.129.193.205
network-object host 10.129.193.211
network-object host 10.129.193.213
network-object host 10.129.193.214
network-object host 10.129.193.222
network-object host 10.129.193.224
network-object host 10.129.193.225
network-object host 10.129.193.226
network-object host 10.129.193.228
network-object host 10.129.193.229
network-object host 10.129.193.232
network-object host 10.129.193.233
network-object host 10.129.193.234

object-group network R12-MSAT-WiFiGroup
network-object host 10.129.36.147
network-object host 10.129.36.162
network-object host 10.129.36.174
network-object host 10.129.36.177
network-object host 10.129.36.218
network-object host 10.129.37.136
network-object host 10.129.37.138
network-object host 10.129.37.140
network-object host 10.129.37.152
network-object host 10.129.37.30
network-object host 10.129.37.40
network-object host 10.129.37.79
network-object host 10.129.37.80
network-object host 10.129.37.91
network-object host 10.129.37.92
network-object host 10.129.37.67
network-object host 10.129.36.131
