Cisco Support Community
New Member

HELP NAT upgrade ASA 8.2 to 8.3

Hi, I have a question about the software upgrade from ASA 8.2 to 8.3

The problem/question is about NAT

pre-8.3

object-group network DM_68
network-object 10.27.0.0 255.255.0.0
network-object 10.32.0.0 255.255.0.0
network-object 10.47.0.0 255.255.0.0
network-object 192.168.104.0 255.255.255.0
network-object host 192.168.20.1

access-list nonat extended permit ip object-group DM_68 192.168.95.0 255.255.255.128  (no NAT for VPN remote net 192.168.95.0)

nat (inside) 0 access-list nonat
nat (inside) 4 192.168.95.0 255.255.255.128

global (outside) 4 174.49.8.45

8.3 configuration

I removed the access list that is still present (correct?? Must I remove this ACL???)

no access-list nonat extended permit ip object-group DM_68 192.168.95.0 255.255.255.128


network behind the INSIDE interface
object-group network DM_68
network-object 10.27.0.0 255.255.0.0
network-object 10.32.0.0 255.255.0.0
network-object 10.47.0.0 255.255.0.0
network-object 192.168.104.0 255.255.255.0
network-object host 192.168.20.1

nat (inside,any) source static DM_68 DM_68 destination static obj-192.168.95.0 obj-192.168.95.0


Removed unidirectional at the end of the nat line. (Correct to remove unidirectional??)

object network obj-192.168.95.0
subnet 192.168.95.0 255.255.255.128
nat (inside,outside) dynamic 174.49.8.45

I want to know

1) Is the conversion from 8.2 to 8.3 correct?

2) I need that if a packet from the net 192.168.104.0, which is in the DM_68 object group, tries to contact a server in the 192.168.95.0 net, it goes via VPN without NAT,
but if an IP of the net 192.168.104.0 tries to go to the Internet, it is NATted with the IP 174.49.8.45. Is the 8.3 configuration correct??

Thanks a lot to all

4 REPLIES
Cisco Employee

Re: HELP NAT upgrade ASA 8.2 to 8.3

That looks correct.

Yes, you do not need the no-nat acl.

Yes, you need to remove the unidirectional key word as well.

Refer to this one: https://supportforums.cisco.com/docs/DOC-12569

-KS

New Member

Re: HELP NAT upgrade ASA 8.2 to 8.3

Thanks a lot, I have another doubt,

this statement

nat (inside,any) source static DM_68 DM_68 destination static obj-192.168.95.0 obj-192.168.95.0

is only for VPN, so I can refine this statement by changing any to outside

nat (inside,outside) source static DM_68 DM_68 destination static obj-192.168.95.0 obj-192.168.95.0

correct?

But is there not a problem with this other statement in the obj-192.168.95.0??

object network obj-192.168.95.0
subnet 192.168.95.0 255.255.255.128
nat (inside,outside) dynamic 174.49.8.45

Thanks a lot, thanks very much

Cisco Employee

Re: HELP NAT upgrade ASA 8.2 to 8.3

Yes, you absolutely can. More specific the better. Plus that destination network only lives off the outside.

-KS

New Member

Re: HELP NAT upgrade ASA 8.2 to 8.3

Thanks a lot. Next week I will go to the customer to deliver the upgrade. I hope that all works.

thanks a lot 
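
A simplified model of how ASA 8.3 orders the NAT rules posted in this thread (manual/twice NAT in section 1 is checked before object NAT in section 2), added here as an illustration and not code from the original posts. It assumes first-match evaluation, takes the egress interface as an input instead of doing a route lookup, and uses constructed test values (the address 198.51.100.7 and a hypothetical `dmz` interface name).

```python
import ipaddress as ip

# Objects exactly as posted in the thread.
DM_68 = [ip.ip_network(n) for n in (
    "10.27.0.0/16", "10.32.0.0/16", "10.47.0.0/16",
    "192.168.104.0/24", "192.168.20.1/32")]
VPN_REMOTE = [ip.ip_network("192.168.95.0/25")]   # obj-192.168.95.0
PAT_IP = "174.49.8.45"

# Rule: (section, name, real_if, mapped_if, src_nets, dst_nets or None, action)
# Section 1 = manual (twice) NAT, section 2 = object NAT.
RULES = [
    (1, "twice-nat identity", "inside", "any", DM_68, VPN_REMOTE, "identity"),
    (2, "object-nat dynamic", "inside", "outside", VPN_REMOTE, None, "dynamic"),
]
# The refinement discussed in the replies: (inside,any) becomes (inside,outside).
REFINED = [
    (1, "twice-nat identity", "inside", "outside", DM_68, VPN_REMOTE, "identity"),
    RULES[1],
]

def _in(addr, nets):
    return any(ip.ip_address(addr) in n for n in nets)

def translate(src, dst, in_if="inside", out_if="outside", rules=RULES):
    """Return (rule_name, translated_source) for the first matching rule."""
    for _sec, name, real_if, mapped_if, srcs, dsts, action in sorted(
            rules, key=lambda r: r[0]):
        if real_if != in_if or mapped_if not in ("any", out_if):
            continue            # interface pair does not apply to this flow
        if not _in(src, srcs) or (dsts is not None and not _in(dst, dsts)):
            continue            # source or destination outside the rule
        return name, (src if action == "identity" else PAT_IP)
    return None, src            # no NAT rule matched: source is untranslated

if __name__ == "__main__":
    # Constructed sample flows for the two cases in question 2.
    for s, d in [("192.168.104.10", "192.168.95.20"),
                 ("192.168.104.10", "198.51.100.7"),
                 ("192.168.95.5", "198.51.100.7")]:
        print(s, "->", d, translate(s, d))
```

In this model a source in 192.168.104.0/24 going to an Internet address matches neither posted rule, because the dynamic rule's source object is 192.168.95.0/25. On the device itself, `packet-tracer` can confirm which NAT rule a given flow hits.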
