Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
416
Views
15
Helpful
7
Replies

Help with NAT going from 5520 8.2 to new 5512 9.1

Go to solution
burleyman
Level 8
Level 8

‎07-29-2014 12:02 PM - edited ‎03-11-2019 09:33 PM

I have a bunch is NAT rules I have to convert for ASA 5520 version 8.2(5) upgrading to ASA5512 version 9.1(1)

I have taken a few lines of config and put them here. If someone can show me the before and after that would help me greatly. I will use that to convert all the others and also make documentation for me going forward. I have read some good papers on this but I need to make sure I get this right.

Below are some of the many NAT configurations on the current ASA 5520 version 8.2(5) NAT configs I am looking to convert.

 

Thanks,

Mike

*******************************************************

global (external) 101 interface
global (external) 1 172.20.1.1 netmask 255.0.0.0

nat (internal) 0 access-list internal_nat0_outbound
nat (internal) 101 access-list internal_nat_outbound
nat (internal) 1 access-list internal_nat_outbound_1
nat (internal) 101 0.0.0.0 0.0.0.0

access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.10.11.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.10.0 255.255.255.0


access-list internal_nat_outbound extended permit tcp host 10.10.0.150 range 3230 3243 any range 3230 3243
access-list internal_nat_outbound extended permit udp host 10.10.0.150 range 3230 3285 any range 3230 3285
 
access-list internal_nat_outbound_1 extended permit ip 10.10.0.0 255.255.0.0 172.30.52.112 255.255.255.240

 

static (internal,external) tcp interface pptp 10.10.0.50 pptp netmask 255.255.255.255
static (internal,external) udp interface 1723 10.10.0.50 1723 netmask 255.255.255.255
static (internal,external) udp interface 1812 10.10.0.50 1812 netmask 255.255.255.255
static (internal,external) udp interface 1813 10.10.0.50 1813 netmask 255.255.255.255
static (internal,external) tcp interface www 10.10.0.100 www netmask 255.255.255.255

static (internal,internal) 10.20.0.0 10.20.0.0 netmask 255.255.255.0
static (internal,internal) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (internal,internal) 192.168.11.0 192.168.11.0 netmask 255.255.255.0
static (internal,external) 172.20.1.2  access-list internal_nat_static
static (internal,external) 172.20.1.3  access-list internal_nat_static_1

access-list internal_nat_static extended permit ip host 10.10.0.48 172.30.52.112 255.255.255.240
access-list internal_nat_static_1 extended permit ip host 10.10.0.49 172.30.52.112 255.255.255.240


access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq ldap
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq smtp
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq imap4
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq pop3
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq https
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq www
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq pptp
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq h323
access-list NATed_Ports extended permit tcp any host 50.0.0.1 range 3230 3243
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq citrix-ica
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq 1723
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq 1812
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq 1813
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq radius
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq radius-acct
access-list NATed_Ports extended permit udp any host 50.0.0.1 range 3230 3285
access-list NATed_Ports extended permit gre any host 50.0.0.1
access-list NATed_Ports extended permit ah any host 50.0.0.1
access-list NATed_Ports extended deny tcp any any eq ftp-data
access-list NATed_Ports extended deny tcp any any eq ftp
access-list NATed_Ports extended deny tcp any any eq smtp
access-list NATed_Ports extended deny tcp any any eq 3389

access-group NATed_Ports in interface external

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎07-30-2014 12:37 AM

Hi Mike,

 

Most of the configurations seem pretty straight forward though I have doubts about some of the configurations. Mainly if they are needed at all. There is naturally also a little doubt how the different NAT configurations should be ordered since I can't see the whole current configuration.

 

Here are the converted configurations that I wrote

 

ORIGINAL

 

global (external) 101 interface


nat (internal) 101 0.0.0.0 0.0.0.0
nat (internal) 101 access-list internal_nat_outbound

access-list internal_nat_outbound extended permit tcp host 10.10.0.150 range 3230 3243 any range 3230 3243
access-list internal_nat_outbound extended permit udp host 10.10.0.150 range 3230 3285 any range 3230 3285

 

 

CONVERTED

 

object service TCP-3230-3243
 service tcp source range 3230 3243 destination range 3230 3243

object service UDP-3230-3285
 service udp source range 3230 3285 destination range 3230 3285

object network HOST-10.10.0.150
 host 10.10.0.150

nat (internal,external) after-auto source dynamic HOST-10.10.0.150 interface service TCP-3230-3243 TCP-3230-3243
nat (internal,external) after-auto source dynamic HOST-10.10.0.150 interface service UDP-3230-3285 UDP-3230-3285
nat (internal,external) after-auto source dynamic any interface

 

Here my doubt is if the configuration mentioning the ports is really required. You already have the interface PAT which accepts "any" source address and the port using configuration is already PATed to the same interface IP address.

 

ORIGINAL

global (external) 1 172.20.1.1 netmask 255.0.0.0

nat (internal) 1 access-list internal_nat_outbound_1

access-list internal_nat_outbound_1 extended permit ip 10.10.0.0 255.255.0.0 172.30.52.112 255.255.255.240

 

CONVERTED

 

object network NAT-10.10.0.0-16
 subnet 10.10.0.0 255.255.0.0

object network NET-172.30.52.112-28
 subnet 172.30.52.112 255.255.255.240

object network PAT-172.20.1.1
 host 172.20.1.1

nat (internal,external) source dynamic NAT-10.10.0.0-16 PAT-172.20.1.1 destination static NET-172.30.52.112-28 NET-172.30.52.112-28

 

This configuration seemed that it might be a Dynamic Policy PAT configuration related to some L2L VPN connection perhaps. Otherwise there would not be much sense PATing towards the "external" interface. Unless ofcourse the "external" interface is actually connected to some private network?

 

ORIGINAL

 

nat (internal) 0 access-list internal_nat0_outbound

access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.10.11.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.10.0 255.255.255.0

 

CONVERTED

 

object network NAT-10.10.0.0-16
 subnet 10.10.0.0 255.255.0.0

object network NAT-10.10.11.0-24
 subnet 10.10.11.0 255.255.255.0

object network NAT-192.168.2.0-24
 subnet 192.168.2.0 255.255.255.0

object network NAT-192.168.10.0-24
 subnet 192.168.10.0 255.255.255.0


nat (internal,external) source static NAT-10.10.0.0-16 NAT-10.10.0.0-16 destination static NAT-10.10.11.0-24 NAT-10.10.11.0-24
nat (internal,external) source static NAT-10.10.0.0-16 NAT-10.10.0.0-16 destination static NAT-192.168.2.0-24 NAT-192.168.2.0-24
nat (internal,external) source static NAT-10.10.0.0-16 NAT-10.10.0.0-16 destination static NAT-192.168.10.0-24 NAT-192.168.10.0-24

 

This seems to be a very simply NAT0 configuration so I used Section 1 Manual NAT as there should be high in priority in the NAT configurations so this NAT0 is matched before any of the Static NAT or other configurations you have.

 

 

ORIGINAL

 

static (internal,external) tcp interface pptp 10.10.0.50 pptp netmask 255.255.255.255
static (internal,external) udp interface 1723 10.10.0.50 1723 netmask 255.255.255.255
static (internal,external) udp interface 1812 10.10.0.50 1812 netmask 255.255.255.255
static (internal,external) udp interface 1813 10.10.0.50 1813 netmask 255.255.255.255
static (internal,external) tcp interface www 10.10.0.100 www netmask 255.255.255.255

 

CONVERTED

 

object network HOST-10.10.0.50-PPTP
 host 10.10.0.50
 nat (internal,external) static interface service tcp pptp pptp

object network HOST-10.10.0.50-UDP1723
 host 10.10.0.50
 nat (internal,external) static interface service udp 1723 1723

object network HOST-10.10.0.50-UDP1812
 host 10.10.0.50
 nat (internal,external) static interface service udp 1812 1812

object network HOST-10.10.0.50-UDP1813
 host 10.10.0.50
 nat (internal,external) static interface service udp 1813 1813

object network HOST-10.10.0.100-WWW
 host 10.10.0.100
 nat (internal,external) static interface service tcp www www

 

These seem to be basic Static PAT configurations so you simply create a separate "object" for each forwarded port. These are Auto NAT configurations so the NAT0 and Policy type NAT configurations are still matched before these.

 

 

ORIGINAL

 

static (internal,external) 172.20.1.2  access-list internal_nat_static
static (internal,external) 172.20.1.3  access-list internal_nat_static_1

access-list internal_nat_static extended permit ip host 10.10.0.48 172.30.52.112 255.255.255.240
access-list internal_nat_static_1 extended permit ip host 10.10.0.49 172.30.52.112 255.255.255.240

 

CONVERTED

 

object network HOST-10.10.0.48
 host 10.10.0.48

object network HOST-10.10.0.49
 host 10.10.0.49

object network HOST-172.20.1.2
 host 172.20.1.2

object network HOST-172.20.1.3
 host 172.20.1.3

object network NET-172.30.52.112-28
 subnet 172.30.52.112 255.255.255.240


nat (internal,external) source static HOST-10.10.0.48 HOST-172.20.1.2 destination static NET-172.30.52.112-28 NET-172.30.52.112-28
nat (internal,external) source static HOST-10.10.0.49 HOST-172.20.1.3 destination static NET-172.30.52.112-28 NET-172.30.52.112-28

 

These seem to be related to the Dynamic Policy PAT mentioned earlier (based on the mapped address used). I guess the Dynamic Policy PAT is meant to catch the separate hosts while these Static Policy NAT are meant for hosts that either need their own NAT IP address or they need to be contacted from a remote host behind "external" interface.

 

 

ORIGINAL

 

static (internal,internal) 10.20.0.0 10.20.0.0 netmask 255.255.255.0
static (internal,internal) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (internal,internal) 192.168.11.0 192.168.11.0 netmask 255.255.255.0

 

 

CONVERTED

 

The above ORIGINAL configurations seems like Static Identity NAT for some internal networks but the translation is performed towards the same interface "internal". Though naturally the NAT in this case is not performed.

 

Typically in the new NAT configuration forma you rarely need to use Identity NAT at all when in the older (8.2 and below) software levels it was required as otherwise traffic might match a Dynamic PAT/NAT configuration and be dropped between local networks firewall interfaces.

 

Considering the mentioned NAT configurations I can't see a situation where you would need a replacing configuration for these in the new software.

 

 

 

 

Also I would like to mention with regards to all the above listed NAT configurations that I would suggest using a different naming policy for the "object" configurations unless ofcourse you personally prefer to have a reference to the subnet/host in the "object" name. I personally tend to name PAT address and NAT Pool objects by using the IP address in the "object" name. Also with Static NAT/PAT configurations I tend to mention the NAT IP address in the "object" name. In all other configurations I usually tend to name the objects of hosts/servers/subnets based on their role/location/etc

 

 

I will post the above new "nat" configurations in another reply to give a better picture how I would position them in the "nat" configurations (as you can order Dynamic PAT , Dynamic Policy PAT, Static Policy NAT and NAT0 configurations)

 

Hope this helps :)

 

- Jouni

View solution in original post

0 Helpful
7 Replies 7

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎07-29-2014 10:22 PM

I have used this in the past and have helped me a lot:

http://www.tunnelsup.com/nat-converter/

Hope this helps!

 

Thank you for rating helpful posts!

Go to solution
burleyman
Level 8
Level 8
In response to nspasov

‎07-30-2014 04:56 AM

Thank you Jouni and Neno, I will digest the above and see if my brain can take it.

 

Thanks for your help, I will keep you posted.

 

Mike

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎07-30-2014 12:37 AM

Hi Mike,

 

Most of the configurations seem pretty straight forward though I have doubts about some of the configurations. Mainly if they are needed at all. There is naturally also a little doubt how the different NAT configurations should be ordered since I can't see the whole current configuration.

 

Here are the converted configurations that I wrote

 

ORIGINAL

 

global (external) 101 interface


nat (internal) 101 0.0.0.0 0.0.0.0
nat (internal) 101 access-list internal_nat_outbound

access-list internal_nat_outbound extended permit tcp host 10.10.0.150 range 3230 3243 any range 3230 3243
access-list internal_nat_outbound extended permit udp host 10.10.0.150 range 3230 3285 any range 3230 3285

 

 

CONVERTED

 

object service TCP-3230-3243
 service tcp source range 3230 3243 destination range 3230 3243

object service UDP-3230-3285
 service udp source range 3230 3285 destination range 3230 3285

object network HOST-10.10.0.150
 host 10.10.0.150

nat (internal,external) after-auto source dynamic HOST-10.10.0.150 interface service TCP-3230-3243 TCP-3230-3243
nat (internal,external) after-auto source dynamic HOST-10.10.0.150 interface service UDP-3230-3285 UDP-3230-3285
nat (internal,external) after-auto source dynamic any interface

 

Here my doubt is if the configuration mentioning the ports is really required. You already have the interface PAT which accepts "any" source address and the port using configuration is already PATed to the same interface IP address.

 

ORIGINAL

global (external) 1 172.20.1.1 netmask 255.0.0.0

nat (internal) 1 access-list internal_nat_outbound_1

access-list internal_nat_outbound_1 extended permit ip 10.10.0.0 255.255.0.0 172.30.52.112 255.255.255.240

 

CONVERTED

 

object network NAT-10.10.0.0-16
 subnet 10.10.0.0 255.255.0.0

object network NET-172.30.52.112-28
 subnet 172.30.52.112 255.255.255.240

object network PAT-172.20.1.1
 host 172.20.1.1

nat (internal,external) source dynamic NAT-10.10.0.0-16 PAT-172.20.1.1 destination static NET-172.30.52.112-28 NET-172.30.52.112-28

 

This configuration seemed that it might be a Dynamic Policy PAT configuration related to some L2L VPN connection perhaps. Otherwise there would not be much sense PATing towards the "external" interface. Unless ofcourse the "external" interface is actually connected to some private network?

 

ORIGINAL

 

nat (internal) 0 access-list internal_nat0_outbound

access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.10.11.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.10.0 255.255.255.0

 

CONVERTED

 

object network NAT-10.10.0.0-16
 subnet 10.10.0.0 255.255.0.0

object network NAT-10.10.11.0-24
 subnet 10.10.11.0 255.255.255.0

object network NAT-192.168.2.0-24
 subnet 192.168.2.0 255.255.255.0

object network NAT-192.168.10.0-24
 subnet 192.168.10.0 255.255.255.0


nat (internal,external) source static NAT-10.10.0.0-16 NAT-10.10.0.0-16 destination static NAT-10.10.11.0-24 NAT-10.10.11.0-24
nat (internal,external) source static NAT-10.10.0.0-16 NAT-10.10.0.0-16 destination static NAT-192.168.2.0-24 NAT-192.168.2.0-24
nat (internal,external) source static NAT-10.10.0.0-16 NAT-10.10.0.0-16 destination static NAT-192.168.10.0-24 NAT-192.168.10.0-24

 

This seems to be a very simply NAT0 configuration so I used Section 1 Manual NAT as there should be high in priority in the NAT configurations so this NAT0 is matched before any of the Static NAT or other configurations you have.

 

 

ORIGINAL

 

static (internal,external) tcp interface pptp 10.10.0.50 pptp netmask 255.255.255.255
static (internal,external) udp interface 1723 10.10.0.50 1723 netmask 255.255.255.255
static (internal,external) udp interface 1812 10.10.0.50 1812 netmask 255.255.255.255
static (internal,external) udp interface 1813 10.10.0.50 1813 netmask 255.255.255.255
static (internal,external) tcp interface www 10.10.0.100 www netmask 255.255.255.255

 

CONVERTED

 

object network HOST-10.10.0.50-PPTP
 host 10.10.0.50
 nat (internal,external) static interface service tcp pptp pptp

object network HOST-10.10.0.50-UDP1723
 host 10.10.0.50
 nat (internal,external) static interface service udp 1723 1723

object network HOST-10.10.0.50-UDP1812
 host 10.10.0.50
 nat (internal,external) static interface service udp 1812 1812

object network HOST-10.10.0.50-UDP1813
 host 10.10.0.50
 nat (internal,external) static interface service udp 1813 1813

object network HOST-10.10.0.100-WWW
 host 10.10.0.100
 nat (internal,external) static interface service tcp www www

 

These seem to be basic Static PAT configurations so you simply create a separate "object" for each forwarded port. These are Auto NAT configurations so the NAT0 and Policy type NAT configurations are still matched before these.

 

 

ORIGINAL

 

static (internal,external) 172.20.1.2  access-list internal_nat_static
static (internal,external) 172.20.1.3  access-list internal_nat_static_1

access-list internal_nat_static extended permit ip host 10.10.0.48 172.30.52.112 255.255.255.240
access-list internal_nat_static_1 extended permit ip host 10.10.0.49 172.30.52.112 255.255.255.240

 

CONVERTED

 

object network HOST-10.10.0.48
 host 10.10.0.48

object network HOST-10.10.0.49
 host 10.10.0.49

object network HOST-172.20.1.2
 host 172.20.1.2

object network HOST-172.20.1.3
 host 172.20.1.3

object network NET-172.30.52.112-28
 subnet 172.30.52.112 255.255.255.240


nat (internal,external) source static HOST-10.10.0.48 HOST-172.20.1.2 destination static NET-172.30.52.112-28 NET-172.30.52.112-28
nat (internal,external) source static HOST-10.10.0.49 HOST-172.20.1.3 destination static NET-172.30.52.112-28 NET-172.30.52.112-28

 

These seem to be related to the Dynamic Policy PAT mentioned earlier (based on the mapped address used). I guess the Dynamic Policy PAT is meant to catch the separate hosts while these Static Policy NAT are meant for hosts that either need their own NAT IP address or they need to be contacted from a remote host behind "external" interface.

 

 

ORIGINAL

 

static (internal,internal) 10.20.0.0 10.20.0.0 netmask 255.255.255.0
static (internal,internal) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (internal,internal) 192.168.11.0 192.168.11.0 netmask 255.255.255.0

 

 

CONVERTED

 

The above ORIGINAL configurations seems like Static Identity NAT for some internal networks but the translation is performed towards the same interface "internal". Though naturally the NAT in this case is not performed.

 

Typically in the new NAT configuration forma you rarely need to use Identity NAT at all when in the older (8.2 and below) software levels it was required as otherwise traffic might match a Dynamic PAT/NAT configuration and be dropped between local networks firewall interfaces.

 

Considering the mentioned NAT configurations I can't see a situation where you would need a replacing configuration for these in the new software.

 

 

 

 

Also I would like to mention with regards to all the above listed NAT configurations that I would suggest using a different naming policy for the "object" configurations unless ofcourse you personally prefer to have a reference to the subnet/host in the "object" name. I personally tend to name PAT address and NAT Pool objects by using the IP address in the "object" name. Also with Static NAT/PAT configurations I tend to mention the NAT IP address in the "object" name. In all other configurations I usually tend to name the objects of hosts/servers/subnets based on their role/location/etc

 

 

I will post the above new "nat" configurations in another reply to give a better picture how I would position them in the "nat" configurations (as you can order Dynamic PAT , Dynamic Policy PAT, Static Policy NAT and NAT0 configurations)

 

Hope this helps :)

 

- Jouni

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎07-30-2014 12:48 AM

Hi,

 

Here are the configurations in the order I would put them in the CLI format configuration. Notice that the top and bottom section support inserting them with a line number to the position you want if you already have existing configurations. This line number is insterted after interface part of the configuration. Adding a configuration to the same line as the existing "nat" configurations acts the same as with ACLs. Anything equal or below the line number inserted gets moved one line down.

 

nat (internal,external) source static NAT-10.10.0.0-16 NAT-10.10.0.0-16 destination static NAT-10.10.11.0-24 NAT-10.10.11.0-24
nat (internal,external) source static NAT-10.10.0.0-16 NAT-10.10.0.0-16 destination static NAT-192.168.2.0-24 NAT-192.168.2.0-24
nat (internal,external) source static NAT-10.10.0.0-16 NAT-10.10.0.0-16 destination static NAT-192.168.10.0-24 NAT-192.168.10.0-24
nat (internal,external) source static HOST-10.10.0.48 HOST-172.20.1.2 destination static NET-172.30.52.112-28 NET-172.30.52.112-28
nat (internal,external) source static HOST-10.10.0.49 HOST-172.20.1.3 destination static NET-172.30.52.112-28 NET-172.30.52.112-28
nat (internal,external) source dynamic NAT-10.10.0.0-16 PAT-172.20.1.1 destination static NET-172.30.52.112-28 NET-172.30.52.112-28

 


object network HOST-10.10.0.50-PPTP
 host 10.10.0.50
 nat (internal,external) static interface service tcp pptp pptp

object network HOST-10.10.0.50-UDP1723
 host 10.10.0.50
 nat (internal,external) static interface service udp 1723 1723

object network HOST-10.10.0.50-UDP1812
 host 10.10.0.50
 nat (internal,external) static interface service udp 1812 1812

object network HOST-10.10.0.50-UDP1813
 host 10.10.0.50
 nat (internal,external) static interface service udp 1813 1813

object network HOST-10.10.0.100-WWW
 host 10.10.0.100
 nat (internal,external) static interface service tcp www www

 

nat (internal,external) after-auto source dynamic HOST-10.10.0.150 interface service TCP-3230-3243 TCP-3230-3243
nat (internal,external) after-auto source dynamic HOST-10.10.0.150 interface service UDP-3230-3285 UDP-3230-3285
nat (internal,external) after-auto source dynamic any interface

 

 

The idea in short is basically this

  • NAT0 configuration first in Section 1 so that it matches first before any other configuration.
  • Static Policy NAT before the Dynamic Policy PAT in Section 1 so that it doesnt override these Static Policy NAT configurations
  • Dynamic Policy PAT configuration the last in Section 1 because of the above mentioned reason
  • Static PAT (Port Forward) configurations in Section 2 where they still not override the NAT0 and Policy type NAT configurations but will override the basic Dynamic PAT configurations below
  • Dynamic PAT (the one mentioning ports is Dynamic Policy PAT though) configurations in Section 3 so that they don't override any other NAT configurations but still provide that "fallback" translation for host that dont have anything else configured.

 

Again I have to say that I doubt you need the Dynamic Policy PAT mentioning the ports as the same traffic should match the last Dynamic PAT configuration that does the same translation.

 

Will now check the original post if I messed something up writing that :P

 

Hope this helps :)

 

Please do remember to mark a reply as the correct answer if it answered your question.

 

Feel free to ask more though

 

- Jouni

Go to solution
burleyman
Level 8
Level 8
In response to Jouni Forss

‎07-30-2014 05:33 AM

Jouni,

Thanks again for your help and I think I am getting this. Here is the NAT config in the order that it currently is in the ASA. I omitted the other config and only left in the NAT stuff. Please let me know if that changes anything?

Also what should I correct or take out and why?

Here is the NAT config....

 

Outside interface is 50.0.0.1
Inside interface is 10.10.0.1
There are many site to site VPN connections - 192.168.X.X

____Config Omitted________

access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.10.11.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.40.0.0 255.255.0.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.11.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.31.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.32.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.33.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.34.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.35.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.70.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.71.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.72.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.73.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.74.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.75.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.76.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.77.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.78.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.79.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.80.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.81.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.82.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.83.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.84.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.85.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.86.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.87.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.88.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.89.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.90.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.91.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.92.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.93.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.94.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.95.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.97.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.98.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.99.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.101.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.110.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.130.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.132.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.134.0 255.255.255.0

______ Config Omitted ____________

access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq ldap
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq smtp
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq imap4
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq pop3
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq https
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq www
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq pptp
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq h323
access-list NATed_Ports extended permit tcp any host 50.0.0.1 range 3230 3243
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq citrix-ica
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq 1723
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq 1812
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq 1813
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq radius
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq radius-acct
access-list NATed_Ports extended permit udp any host 50.0.0.1 range 3230 3285
access-list NATed_Ports extended permit gre any host 50.0.0.1
access-list NATed_Ports extended permit ah any host 50.0.0.1
access-list NATed_Ports extended deny tcp any any eq ftp-data
access-list NATed_Ports extended deny tcp any any eq ftp
access-list NATed_Ports extended deny tcp any any eq smtp
access-list NATed_Ports extended deny tcp any any eq 3389

______ Config Omitted ____________

access-list internal_nat_outbound extended permit tcp host 10.10.0.150 range 3230 3243 any range 3230 3243
access-list internal_nat_outbound extended permit udp host 10.10.0.150 range 3230 3285 any range 3230 3285

______ Config Omitted ____________

access-list internal_nat_outbound_1 extended permit ip 10.10.0.0 255.255.0.0 172.30.52.112 255.255.255.240
access-list internal_nat_static extended permit ip host 10.10.0.48 172.30.52.112 255.255.255.240
access-list internal_nat_static_1 extended permit ip host 10.10.0.49 172.30.52.112 255.255.255.240

______ Config Omitted ____________

global (external) 101 interface
global (external) 1 172.20.1.1 netmask 255.0.0.0
nat (internal) 0 access-list internal_nat0_outbound
nat (internal) 101 access-list internal_nat_outbound
nat (internal) 1 access-list internal_nat_outbound_1
nat (internal) 101 0.0.0.0 0.0.0.0
static (internal,external) tcp interface pptp 10.10.0.50 pptp netmask 255.255.255.255
static (internal,external) udp interface 1723 10.10.0.50 1723 netmask 255.255.255.255
static (internal,external) udp interface 1812 10.10.0.50 1812 netmask 255.255.255.255
static (internal,external) udp interface 1813 10.10.0.50 1813 netmask 255.255.255.255
static (internal,external) tcp interface www 10.10.0.100 www netmask 255.255.255.255
static (internal,external) tcp interface imap4 10.10.0.100 imap4 netmask 255.255.255.255
static (internal,external) tcp interface ldap 10.10.0.100 ldap netmask 255.255.255.255
static (internal,external) tcp interface pop3 10.10.0.100 pop3 netmask 255.255.255.255
static (internal,external) tcp interface https 10.10.0.100 https netmask 255.255.255.255
static (internal,external) tcp interface smtp 10.10.0.48 smtp netmask 255.255.255.255
static (internal,external) tcp interface h323 10.10.0.150 h323 netmask 255.255.255.255
static (internal,external) tcp interface ftp 10.10.2.64 ftp netmask 255.255.255.255
static (internal,external) tcp interface ftp-data 10.10.2.64 ftp-data netmask 255.255.255.255
static (internal,internal) 10.20.0.0 10.20.0.0 netmask 255.255.255.0
static (internal,internal) 10.30.0.0 10.30.0.0 netmask 255.255.0.0
static (internal,internal) 10.40.0.0 10.40.0.0 netmask 255.255.0.0
static (internal,internal) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (internal,internal) 192.168.11.0 192.168.11.0 netmask 255.255.255.0
static (internal,internal) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (internal,internal) 192.168.31.0 192.168.31.0 netmask 255.255.255.0
static (internal,internal) 192.168.32.0 192.168.32.0 netmask 255.255.255.0
static (internal,internal) 192.168.33.0 192.168.33.0 netmask 255.255.255.0
static (internal,internal) 192.168.34.0 192.168.34.0 netmask 255.255.255.0
static (internal,internal) 192.168.35.0 192.168.35.0 netmask 255.255.255.0
static (internal,internal) 192.168.110.0 192.168.110.0 netmask 255.255.255.0
static (internal,internal) 192.168.130.0 192.168.130.0 netmask 255.255.255.0
static (internal,internal) 192.168.132.0 192.168.132.0 netmask 255.255.255.0
static (internal,internal) 192.168.134.0 192.168.134.0 netmask 255.255.255.0
static (internal,external) 172.20.1.2  access-list internal_nat_static
static (internal,external) 172.20.1.3  access-list internal_nat_static_1
access-group NATed_Ports in interface external
access-group internal_access_in in interface internal

______ Config Omitted ____________

 

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to burleyman

‎07-30-2014 06:27 AM

Hi,

 

So this is the full NAT configuration? If so I guess there are not really many things that would need to be added compared to what I have already listed. Except ofcourse follow the same logic with the Static PAT configurations etc.

 

Though you would be able to condense your big NAT0 configuration to a lot smaller configuration in the new NAT configuration format. We would not be doing a "nat" configuration for each ACL line in the old configuration but we could rather group all the destination subnets and configure them all in a single "nat" command

 

Something like this

object network LOCAL-SITE-LAN
 subnet 10.10.0.0 255.255.0.0

 

object-group network REMOTE-SITES
 network-object 10.10.11.0 255.255.255.0
 network-object 10.30.0.0 255.255.0.0
 network-object 10.20.0.0 255.255.255.0
 network-object 10.40.0.0 255.255.0.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.30.0 255.255.255.0
 network-object 192.168.31.0 255.255.255.0
 network-object 192.168.32.0 255.255.255.0
 network-object 192.168.33.0 255.255.255.0
 network-object 192.168.34.0 255.255.255.0
 network-object 192.168.35.0 255.255.255.0
 network-object 192.168.70.0 255.255.255.0
 network-object 192.168.71.0 255.255.255.0
 network-object 192.168.72.0 255.255.255.0
 network-object 192.168.73.0 255.255.255.0
 network-object 192.168.74.0 255.255.255.0
 network-object 192.168.75.0 255.255.255.0
 network-object 192.168.76.0 255.255.255.0
 network-object 192.168.77.0 255.255.255.0
 network-object 192.168.78.0 255.255.255.0
 network-object 192.168.79.0 255.255.255.0
 network-object 192.168.80.0 255.255.255.0
 network-object 192.168.81.0 255.255.255.0
 network-object 192.168.82.0 255.255.255.0
 network-object 192.168.83.0 255.255.255.0
 network-object 192.168.84.0 255.255.255.0
 network-object 192.168.85.0 255.255.255.0
 network-object 192.168.86.0 255.255.255.0
 network-object 192.168.87.0 255.255.255.0
 network-object 192.168.88.0 255.255.255.0
 network-object 192.168.89.0 255.255.255.0
 network-object 192.168.90.0 255.255.255.0
 network-object 192.168.91.0 255.255.255.0
 network-object 192.168.92.0 255.255.255.0
 network-object 192.168.93.0 255.255.255.0
 network-object 192.168.94.0 255.255.255.0
 network-object 192.168.95.0 255.255.255.0
 network-object 192.168.96.0 255.255.255.0
 network-object 192.168.97.0 255.255.255.0
 network-object 192.168.98.0 255.255.255.0
 network-object 192.168.99.0 255.255.255.0
 network-object 192.168.101.0 255.255.255.0
 network-object 192.168.110.0 255.255.255.0
 network-object 192.168.130.0 255.255.255.0
 network-object 192.168.132.0 255.255.255.0
 network-object 192.168.134.0 255.255.255.0
 

nat (internal,external) source static LOCAL-SITE-LAN LOCAL-SITE-LAN destination static REMOTE-SITES REMOTE-SITES

 

With the above if you had new Remote Sites you would only need to add the remote network to the mentioned "object-group" and naturally to the Crypto ACL used in the actual L2L VPN configuration. Naturally if you needed a new source network for the L2L VPN then I would suggest perhaps creating a new "nat" configuration or creating an "object-group" for the source networks (as "object network" can only hold one subnet)

 

Also regarding your external ACL remember that with the new software you need to allow the traffic towards the real/local IP address rather than the public IP address used in the NAT.

 

I noticed that you have allowed some traffic towards the external IP address for which there is no real NAT configuration (or there cant be) in these situations I guess the only solution is to use the destination address of "any". I am referring to the rules for "gre" and "ah" and the port range "3230 3285" atleast.

 

I am not sure if the external ACL is needed for the "gre" and "ah". Who knows, it might be so. Though if this traffic was destined to a single host on the internal network then you would have to have a Static NAT configuration on the firewall (which I dont see) as Static PAT cant pass GRE traffic for example or rather you cant configure a Static PAT for GRE.

 

Hope this helps :)

 

- Jouni

Go to solution
burleyman
Level 8
Level 8
In response to Jouni Forss

‎07-30-2014 06:49 AM

Thanks again.... You are such a great help.

I am now going to absorb all this and put it all together and see what happens.

Stay tuned for more questions...... smiley

 

Mike

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card