HELP NAT upgrade ASA 8.2 to 8.3

f.mottini
Level 1

Hi, I have a question about the software upgrade from ASA 8.2 to 8.3.

The problem/question is about NAT

pre-8.3

object-group network DM_68
network-object 10.27.0.0 255.255.0.0
network-object 10.32.0.0 255.255.0.0
network-object 10.47.0.0 255.255.0.0
network-object 192.168.104.0 255.255.255.0
network-object host 192.168.20.1

access-list nonat extended permit ip object-group DM_68 192.168.95.0 255.255.255.128  (no NAT for VPN remote net 192.168.95.0)

nat (inside) 0 access-list nonat
nat (inside) 4 192.168.95.0 255.255.255.128

global (outside) 4 174.49.8.45

8.3 configuration

I removed the access list that is still present (correct?? Must I remove this ACL???)

no access-list nonat extended permit ip object-group DM_68 192.168.95.0 255.255.255.128


network behind the INSIDE interface
object-group network DM_68
network-object 10.27.0.0 255.255.0.0
network-object 10.32.0.0 255.255.0.0
network-object 10.47.0.0 255.255.0.0
network-object 192.168.104.0 255.255.255.0
network-object host 192.168.20.1

nat (inside,any) source static DM_68 DM_68 destination static obj-192.168.95.0 obj-192.168.95.0


I removed unidirectional at the end of the nat line. (Correct to remove unidirectional??)

object network obj-192.168.95.0
subnet 192.168.95.0 255.255.255.128
nat (inside,outside) dynamic 174.49.8.45

I want to know

1) Is the conversion from 8.2 to 8.3 correct?

2) I need that if a packet from the net 192.168.104.0, which is in the DM_68 object group, tries to contact a server in the net 192.168.95.0, it goes via VPN without NAT,
but if an IP of the net 192.168.104.0 tries to go to the internet, it is NATted with the IP 174.49.8.45. Is the 8.3 configuration correct??

Thanks a lot to all

4 Replies

Kureli Sankar
Cisco Employee

That looks correct.

Yes, you do not need the no-nat acl.

Yes, you need to remove the unidirectional key word as well.

Refer to this one: https://supportforums.cisco.com/docs/DOC-12569

-KS

Thanks a lot, I have another doubt,

this statement

nat (inside,any) source static DM_68 DM_68 destination static obj-192.168.95.0 obj-192.168.95.0

is only for VPN, so I can refine this statement by changing any to outside

nat (inside,outside) source static DM_68 DM_68 destination static obj-192.168.95.0 obj-192.168.95.0

correct?

But isn't there a problem with this other statement in the obj-192.168.95.0??

object network obj-192.168.95.0
subnet 192.168.95.0 255.255.255.128
nat (inside,outside) dynamic 174.49.8.45

Thanks a lot, thanks very much

Yes, you absolutely can. The more specific the better. Plus that destination network only lives off the outside.

-KS
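
The NAT exemption conversion discussed in this thread, as an added example (not code from the posters or from Cisco): a Python function that rewrites a pre-8.3 `nat (if) 0 access-list` rule as 8.3 identity twice-NAT statements, with no `unidirectional` keyword. It assumes ACEs of the one shape quoted above (object-group source, network and mask destination); `convert_nat_exempt` and its `dest_if` parameter are hypothetical names.

```python
import ipaddress
import re

# Constructed sample input: the pre-8.3 exemption lines quoted in the thread.
PRE_83 = """\
access-list nonat extended permit ip object-group DM_68 192.168.95.0 255.255.255.128
nat (inside) 0 access-list nonat
"""

# Only the ACE shape used in the thread: object-group source, net/mask destination.
ACE = re.compile(r"^access-list (\S+) extended permit ip object-group (\S+) "
                 r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def convert_nat_exempt(config, dest_if="outside"):
    """Return 8.3-style lines replacing each `nat (if) 0 access-list` rule."""
    aces, exempt = {}, []
    for line in map(str.strip, config.splitlines()):
        if m := ACE.match(line):
            name, group, addr, mask = m.groups()
            # Strict parsing rejects host bits set under the mask.
            net = ipaddress.ip_network(f"{addr}/{mask}")
            aces.setdefault(name, []).append((group, net))
        elif m := NAT0.match(line):
            exempt.append(m.groups())
    out, defined = [], {}
    for real_if, acl in exempt:
        if acl not in aces:
            raise ValueError(f"nat 0 references ACL {acl!r} with no supported ACE")
        for group, net in aces[acl]:
            obj = f"obj-{net.network_address}"
            if defined.setdefault(obj, net) != net:
                raise ValueError(f"{obj} would name two different subnets")
            if f"object network {obj}" not in out:
                out += [f"object network {obj}",
                        f" subnet {net.network_address} {net.netmask}"]
            # Identity twice NAT: source and destination both map to themselves.
            out.append(f"nat ({real_if},{dest_if}) source static {group} {group} "
                       f"destination static {obj} {obj}")
    return out


if __name__ == "__main__":
    print("\n".join(convert_nat_exempt(PRE_83)))
```

Passing `dest_if="any"` reproduces the `(inside,any)` form from the original question. The function does not emit `no access-list` lines, since the same ACL may still be referenced elsewhere in the configuration.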

Thanks a lot. Next week I will go to the customer to deliver the upgrade. I hope that all works.

Thanks a lot
