07-29-2014 12:02 PM - edited 03-11-2019 09:33 PM
I have a bunch of NAT rules I have to convert for ASA 5520 version 8.2(5) upgrading to ASA5512 version 9.1(1)
I have taken a few lines of config and put them here. If someone can show me the before and after that would help me greatly. I will use that to convert all the others and also make documentation for me going forward. I have read some good papers on this but I need to make sure I get this right.
Below are some of the many NAT configurations on the current ASA 5520 version 8.2(5) NAT configs I am looking to convert.
Thanks,
Mike
*******************************************************
global (external) 101 interface
global (external) 1 172.20.1.1 netmask 255.0.0.0
nat (internal) 0 access-list internal_nat0_outbound
nat (internal) 101 access-list internal_nat_outbound
nat (internal) 1 access-list internal_nat_outbound_1
nat (internal) 101 0.0.0.0 0.0.0.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.10.11.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list internal_nat_outbound extended permit tcp host 10.10.0.150 range 3230 3243 any range 3230 3243
access-list internal_nat_outbound extended permit udp host 10.10.0.150 range 3230 3285 any range 3230 3285
access-list internal_nat_outbound_1 extended permit ip 10.10.0.0 255.255.0.0 172.30.52.112 255.255.255.240
static (internal,external) tcp interface pptp 10.10.0.50 pptp netmask 255.255.255.255
static (internal,external) udp interface 1723 10.10.0.50 1723 netmask 255.255.255.255
static (internal,external) udp interface 1812 10.10.0.50 1812 netmask 255.255.255.255
static (internal,external) udp interface 1813 10.10.0.50 1813 netmask 255.255.255.255
static (internal,external) tcp interface www 10.10.0.100 www netmask 255.255.255.255
static (internal,internal) 10.20.0.0 10.20.0.0 netmask 255.255.255.0
static (internal,internal) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (internal,internal) 192.168.11.0 192.168.11.0 netmask 255.255.255.0
static (internal,external) 172.20.1.2 access-list internal_nat_static
static (internal,external) 172.20.1.3 access-list internal_nat_static_1
access-list internal_nat_static extended permit ip host 10.10.0.48 172.30.52.112 255.255.255.240
access-list internal_nat_static_1 extended permit ip host 10.10.0.49 172.30.52.112 255.255.255.240
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq ldap
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq smtp
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq imap4
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq pop3
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq https
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq www
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq pptp
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq h323
access-list NATed_Ports extended permit tcp any host 50.0.0.1 range 3230 3243
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq citrix-ica
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq 1723
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq 1812
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq 1813
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq radius
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq radius-acct
access-list NATed_Ports extended permit udp any host 50.0.0.1 range 3230 3285
access-list NATed_Ports extended permit gre any host 50.0.0.1
access-list NATed_Ports extended permit ah any host 50.0.0.1
access-list NATed_Ports extended deny tcp any any eq ftp-data
access-list NATed_Ports extended deny tcp any any eq ftp
access-list NATed_Ports extended deny tcp any any eq smtp
access-list NATed_Ports extended deny tcp any any eq 3389
access-group NATed_Ports in interface external
07-30-2014 12:37 AM
Hi Mike,
Most of the configurations seem pretty straightforward, though I have doubts about some of the configurations, mainly whether they are needed at all. There is naturally also a little doubt about how the different NAT configurations should be ordered since I can't see the whole current configuration.
Here are the converted configurations that I wrote
ORIGINAL
global (external) 101 interface
nat (internal) 101 0.0.0.0 0.0.0.0
nat (internal) 101 access-list internal_nat_outbound
access-list internal_nat_outbound extended permit tcp host 10.10.0.150 range 3230 3243 any range 3230 3243
access-list internal_nat_outbound extended permit udp host 10.10.0.150 range 3230 3285 any range 3230 3285
CONVERTED
object service TCP-3230-3243
service tcp source range 3230 3243 destination range 3230 3243
object service UDP-3230-3285
service udp source range 3230 3285 destination range 3230 3285
object network HOST-10.10.0.150
host 10.10.0.150
nat (internal,external) after-auto source dynamic HOST-10.10.0.150 interface service TCP-3230-3243 TCP-3230-3243
nat (internal,external) after-auto source dynamic HOST-10.10.0.150 interface service UDP-3230-3285 UDP-3230-3285
nat (internal,external) after-auto source dynamic any interface
Here my doubt is if the configuration mentioning the ports is really required. You already have the interface PAT which accepts "any" source address and the port using configuration is already PATed to the same interface IP address.
ORIGINAL
global (external) 1 172.20.1.1 netmask 255.0.0.0
nat (internal) 1 access-list internal_nat_outbound_1
access-list internal_nat_outbound_1 extended permit ip 10.10.0.0 255.255.0.0 172.30.52.112 255.255.255.240
CONVERTED
object network NAT-10.10.0.0-16
subnet 10.10.0.0 255.255.0.0
object network NET-172.30.52.112-28
subnet 172.30.52.112 255.255.255.240
object network PAT-172.20.1.1
host 172.20.1.1
nat (internal,external) source dynamic NAT-10.10.0.0-16 PAT-172.20.1.1 destination static NET-172.30.52.112-28 NET-172.30.52.112-28
This configuration seemed like it might be a Dynamic Policy PAT configuration related to some L2L VPN connection perhaps. Otherwise there would not be much sense in PATing towards the "external" interface. Unless of course the "external" interface is actually connected to some private network?
ORIGINAL
nat (internal) 0 access-list internal_nat0_outbound
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.10.11.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.10.0 255.255.255.0
CONVERTED
object network NAT-10.10.0.0-16
subnet 10.10.0.0 255.255.0.0
object network NAT-10.10.11.0-24
subnet 10.10.11.0 255.255.255.0
object network NAT-192.168.2.0-24
subnet 192.168.2.0 255.255.255.0
object network NAT-192.168.10.0-24
subnet 192.168.10.0 255.255.255.0
nat (internal,external) source static NAT-10.10.0.0-16 NAT-10.10.0.0-16 destination static NAT-10.10.11.0-24 NAT-10.10.11.0-24
nat (internal,external) source static NAT-10.10.0.0-16 NAT-10.10.0.0-16 destination static NAT-192.168.2.0-24 NAT-192.168.2.0-24
nat (internal,external) source static NAT-10.10.0.0-16 NAT-10.10.0.0-16 destination static NAT-192.168.10.0-24 NAT-192.168.10.0-24
This seems to be a very simple NAT0 configuration, so I used Section 1 Manual NAT as these should be high in priority in the NAT configurations, so this NAT0 is matched before any of the Static NAT or other configurations you have.
ORIGINAL
static (internal,external) tcp interface pptp 10.10.0.50 pptp netmask 255.255.255.255
static (internal,external) udp interface 1723 10.10.0.50 1723 netmask 255.255.255.255
static (internal,external) udp interface 1812 10.10.0.50 1812 netmask 255.255.255.255
static (internal,external) udp interface 1813 10.10.0.50 1813 netmask 255.255.255.255
static (internal,external) tcp interface www 10.10.0.100 www netmask 255.255.255.255
CONVERTED
object network HOST-10.10.0.50-PPTP
host 10.10.0.50
nat (internal,external) static interface service tcp pptp pptp
object network HOST-10.10.0.50-UDP1723
host 10.10.0.50
nat (internal,external) static interface service udp 1723 1723
object network HOST-10.10.0.50-UDP1812
host 10.10.0.50
nat (internal,external) static interface service udp 1812 1812
object network HOST-10.10.0.50-UDP1813
host 10.10.0.50
nat (internal,external) static interface service udp 1813 1813
object network HOST-10.10.0.100-WWW
host 10.10.0.100
nat (internal,external) static interface service tcp www www
These seem to be basic Static PAT configurations so you simply create a separate "object" for each forwarded port. These are Auto NAT configurations so the NAT0 and Policy type NAT configurations are still matched before these.
ORIGINAL
static (internal,external) 172.20.1.2 access-list internal_nat_static
static (internal,external) 172.20.1.3 access-list internal_nat_static_1
access-list internal_nat_static extended permit ip host 10.10.0.48 172.30.52.112 255.255.255.240
access-list internal_nat_static_1 extended permit ip host 10.10.0.49 172.30.52.112 255.255.255.240
CONVERTED
object network HOST-10.10.0.48
host 10.10.0.48
object network HOST-10.10.0.49
host 10.10.0.49
object network HOST-172.20.1.2
host 172.20.1.2
object network HOST-172.20.1.3
host 172.20.1.3
object network NET-172.30.52.112-28
subnet 172.30.52.112 255.255.255.240
nat (internal,external) source static HOST-10.10.0.48 HOST-172.20.1.2 destination static NET-172.30.52.112-28 NET-172.30.52.112-28
nat (internal,external) source static HOST-10.10.0.49 HOST-172.20.1.3 destination static NET-172.30.52.112-28 NET-172.30.52.112-28
These seem to be related to the Dynamic Policy PAT mentioned earlier (based on the mapped address used). I guess the Dynamic Policy PAT is meant to catch the separate hosts while these Static Policy NAT are meant for hosts that either need their own NAT IP address or they need to be contacted from a remote host behind "external" interface.
ORIGINAL
static (internal,internal) 10.20.0.0 10.20.0.0 netmask 255.255.255.0
static (internal,internal) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (internal,internal) 192.168.11.0 192.168.11.0 netmask 255.255.255.0
CONVERTED
The above ORIGINAL configurations seem like Static Identity NAT for some internal networks, but the translation is performed towards the same interface "internal". Though naturally the NAT in this case is not performed.
Typically in the new NAT configuration format you rarely need to use Identity NAT at all, whereas in the older (8.2 and below) software levels it was required, as otherwise traffic might match a Dynamic PAT/NAT configuration and be dropped between local networks on the firewall interfaces.
Considering the mentioned NAT configurations, I can't see a situation where you would need a replacing configuration for these in the new software.
Also I would like to mention with regards to all the above listed NAT configurations that I would suggest using a different naming policy for the "object" configurations, unless of course you personally prefer to have a reference to the subnet/host in the "object" name. I personally tend to name PAT address and NAT Pool objects by using the IP address in the "object" name. Also with Static NAT/PAT configurations I tend to mention the NAT IP address in the "object" name. In all other configurations I usually tend to name the objects of hosts/servers/subnets based on their role/location/etc.
I will post the above new "nat" configurations in another reply to give a better picture of how I would position them in the "nat" configurations (as you can order Dynamic PAT, Dynamic Policy PAT, Static Policy NAT and NAT0 configurations).
Hope this helps :)
- Jouni
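The two conversion patterns used in the answer above (one network object plus an Auto NAT line per forwarded port, and NAT0 ACL entries turned into Section 1 identity Manual NAT with the destinations grouped into one object-group, as the later reply in this thread proposes) are mechanical enough to script. The converter below is an added example and not code from the thread or from Cisco; the object names (HOST-<ip>-<PROTO>-<port>, NAT-<subnet>-<prefix>, REMOTE-SITES), the mapped interface passed in for the NAT0 case, and the regexes are my assumptions, and only the two line shapes that appear in this thread are handled.

```python
"""Convert the ASA 8.2 NAT line shapes seen in this thread to 8.3+/9.x object NAT.

Added example (not from the thread). Assumptions: object naming scheme,
that every NAT0 ACL entry is a plain 'permit ip' line, and that the mapped
interface for the NAT0 conversion is supplied by the caller (8.2 'nat 0'
lines only name the real interface).
"""
import re
from collections import OrderedDict

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# 8.2 Static PAT: static (real,mapped) tcp|udp interface MPORT REAL_IP RPORT netmask 255.255.255.255
STATIC_PAT_RE = re.compile(
    rf"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) interface "
    rf"(?P<mapped_port>\S+) (?P<real_ip>{IP}) (?P<real_port>\S+) netmask 255\.255\.255\.255$"
)

# NAT0 ACL entry: access-list ACL extended permit ip SRC SMASK DST DMASK
NAT0_ACL_RE = re.compile(
    rf"^access-list (?P<acl>\S+) extended permit ip (?P<src>{IP}) (?P<src_mask>{IP}) "
    rf"(?P<dst>{IP}) (?P<dst_mask>{IP})$"
)


def mask_to_prefix(mask):
    """255.255.255.240 -> 28. Rejects non-contiguous masks, which ASA objects cannot express."""
    bits = "".join(f"{int(octet):08b}" for octet in mask.split("."))
    if "01" in bits:
        raise ValueError(f"non-contiguous netmask {mask}")
    return bits.count("1")


def convert_static_pat(line):
    """One 8.2 static PAT line -> (object name, 8.3+ config lines).

    Each forwarded port gets its own network object because an object can carry
    only one 'nat' statement (the reason the answer creates one object per port).
    """
    m = STATIC_PAT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static PAT line: {line!r}")
    proto = m["proto"]
    name = f"HOST-{m['real_ip']}-{proto.upper()}-{m['mapped_port'].upper()}"  # assumed naming
    return name, [
        f"object network {name}",
        f" host {m['real_ip']}",
        # object NAT syntax: service <proto> <real_port> <mapped_port>
        f" nat ({m['real_if']},{m['mapped_if']}) static interface "
        f"service {proto} {m['real_port']} {m['mapped_port']}",
    ]


def convert_nat0(acl_lines, acl_name, real_if, mapped_if, group_name="REMOTE-SITES"):
    """NAT0 ACL entries -> identity Manual NAT with all destinations in one object-group.

    Entries of other ACLs are ignored; an entry of acl_name that is not a plain
    'permit ip' line raises, because silently dropping a NAT exemption would let
    that traffic fall through to the dynamic PAT rules.
    """
    by_src = OrderedDict()
    for line in acl_lines:
        line = line.strip()
        if not line.startswith(f"access-list {acl_name} "):
            continue
        m = NAT0_ACL_RE.match(line)
        if not m:
            raise ValueError(f"unsupported NAT0 ACL entry: {line!r}")
        dests = by_src.setdefault((m["src"], m["src_mask"]), [])
        if (m["dst"], m["dst_mask"]) not in dests:
            dests.append((m["dst"], m["dst_mask"]))
    if not by_src:
        raise ValueError(f"no 'permit ip' entries found for {acl_name}")
    out = []
    for i, ((src, src_mask), dests) in enumerate(by_src.items()):
        src_obj = f"NAT-{src}-{mask_to_prefix(src_mask)}"
        grp = group_name if len(by_src) == 1 else f"{group_name}-{i + 1}"
        out += [f"object network {src_obj}", f" subnet {src} {src_mask}",
                f"object-group network {grp}"]
        out += [f" network-object {dst} {dst_mask}" for dst, dst_mask in dests]
        # Section 1 Manual NAT (no 'after-auto'), so it is evaluated before Auto NAT.
        out.append(f"nat ({real_if},{mapped_if}) source static {src_obj} {src_obj} "
                   f"destination static {grp} {grp}")
    return out


if __name__ == "__main__":
    # Constructed sample taken from the lines quoted in the thread.
    for old in ["static (internal,external) tcp interface pptp 10.10.0.50 pptp netmask 255.255.255.255",
                "static (internal,external) udp interface 1723 10.10.0.50 1723 netmask 255.255.255.255"]:
        print("\n".join(convert_static_pat(old)[1]))
    acl = ["access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.10.11.0 255.255.255.0",
           "access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.2.0 255.255.255.0"]
    print("\n".join(convert_nat0(acl, "internal_nat0_outbound", "internal", "external")))
```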
07-29-2014 10:22 PM
I have used this in the past and it has helped me a lot:
http://www.tunnelsup.com/nat-converter/
Hope this helps!
Thank you for rating helpful posts!
07-30-2014 04:56 AM
Thank you Jouni and Neno, I will digest the above and see if my brain can take it.
Thanks for your help, I will keep you posted.
Mike
07-30-2014 12:48 AM
Hi,
Here are the configurations in the order I would put them in the CLI format configuration. Notice that the top and bottom sections support inserting them with a line number at the position you want if you already have existing configurations. This line number is inserted after the interface part of the configuration. Adding a configuration to the same line as an existing "nat" configuration acts the same as with ACLs: anything at or below the inserted line number gets moved one line down.
nat (internal,external) source static NAT-10.10.0.0-16 NAT-10.10.0.0-16 destination static NAT-10.10.11.0-24 NAT-10.10.11.0-24
nat (internal,external) source static NAT-10.10.0.0-16 NAT-10.10.0.0-16 destination static NAT-192.168.2.0-24 NAT-192.168.2.0-24
nat (internal,external) source static NAT-10.10.0.0-16 NAT-10.10.0.0-16 destination static NAT-192.168.10.0-24 NAT-192.168.10.0-24
nat (internal,external) source static HOST-10.10.0.48 HOST-172.20.1.2 destination static NET-172.30.52.112-28 NET-172.30.52.112-28
nat (internal,external) source static HOST-10.10.0.49 HOST-172.20.1.3 destination static NET-172.30.52.112-28 NET-172.30.52.112-28
nat (internal,external) source dynamic NAT-10.10.0.0-16 PAT-172.20.1.1 destination static NET-172.30.52.112-28 NET-172.30.52.112-28
object network HOST-10.10.0.50-PPTP
host 10.10.0.50
nat (internal,external) static interface service tcp pptp pptp
object network HOST-10.10.0.50-UDP1723
host 10.10.0.50
nat (internal,external) static interface service udp 1723 1723
object network HOST-10.10.0.50-UDP1812
host 10.10.0.50
nat (internal,external) static interface service udp 1812 1812
object network HOST-10.10.0.50-UDP1813
host 10.10.0.50
nat (internal,external) static interface service udp 1813 1813
object network HOST-10.10.0.100-WWW
host 10.10.0.100
nat (internal,external) static interface service tcp www www
nat (internal,external) after-auto source dynamic HOST-10.10.0.150 interface service TCP-3230-3243 TCP-3230-3243
nat (internal,external) after-auto source dynamic HOST-10.10.0.150 interface service UDP-3230-3285 UDP-3230-3285
nat (internal,external) after-auto source dynamic any interface
The idea in short is basically this
Again I have to say that I doubt you need the Dynamic Policy PAT mentioning the ports as the same traffic should match the last Dynamic PAT configuration that does the same translation.
Will now check the original post if I messed something up writing that :P
Hope this helps :)
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more though
- Jouni
07-30-2014 05:33 AM
Jouni,
Thanks again for your help, and I think I am getting this. Here is the NAT config in the order that it currently is in the ASA. I omitted the other config and only left in the NAT stuff. Please let me know if that changes anything.
Also what should I correct or take out and why?
Here is the NAT config....
Outside interface is 50.0.0.1
Inside interface is 10.10.0.1
There are many site to site VPN connections - 192.168.X.X
____Config Omitted________
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.10.11.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.40.0.0 255.255.0.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.11.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.31.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.32.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.33.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.34.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.35.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.70.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.71.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.72.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.73.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.74.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.75.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.76.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.77.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.78.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.79.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.80.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.81.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.82.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.83.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.84.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.85.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.86.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.87.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.88.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.89.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.90.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.91.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.92.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.93.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.94.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.95.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.97.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.98.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.99.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.101.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.110.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.130.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.132.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.134.0 255.255.255.0
______ Config Omitted ____________
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq ldap
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq smtp
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq imap4
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq pop3
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq https
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq www
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq pptp
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq h323
access-list NATed_Ports extended permit tcp any host 50.0.0.1 range 3230 3243
access-list NATed_Ports extended permit tcp any host 50.0.0.1 eq citrix-ica
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq 1723
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq 1812
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq 1813
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq radius
access-list NATed_Ports extended permit udp any host 50.0.0.1 eq radius-acct
access-list NATed_Ports extended permit udp any host 50.0.0.1 range 3230 3285
access-list NATed_Ports extended permit gre any host 50.0.0.1
access-list NATed_Ports extended permit ah any host 50.0.0.1
access-list NATed_Ports extended deny tcp any any eq ftp-data
access-list NATed_Ports extended deny tcp any any eq ftp
access-list NATed_Ports extended deny tcp any any eq smtp
access-list NATed_Ports extended deny tcp any any eq 3389
______ Config Omitted ____________
access-list internal_nat_outbound extended permit tcp host 10.10.0.150 range 3230 3243 any range 3230 3243
access-list internal_nat_outbound extended permit udp host 10.10.0.150 range 3230 3285 any range 3230 3285
______ Config Omitted ____________
access-list internal_nat_outbound_1 extended permit ip 10.10.0.0 255.255.0.0 172.30.52.112 255.255.255.240
access-list internal_nat_static extended permit ip host 10.10.0.48 172.30.52.112 255.255.255.240
access-list internal_nat_static_1 extended permit ip host 10.10.0.49 172.30.52.112 255.255.255.240
______ Config Omitted ____________
global (external) 101 interface
global (external) 1 172.20.1.1 netmask 255.0.0.0
nat (internal) 0 access-list internal_nat0_outbound
nat (internal) 101 access-list internal_nat_outbound
nat (internal) 1 access-list internal_nat_outbound_1
nat (internal) 101 0.0.0.0 0.0.0.0
static (internal,external) tcp interface pptp 10.10.0.50 pptp netmask 255.255.255.255
static (internal,external) udp interface 1723 10.10.0.50 1723 netmask 255.255.255.255
static (internal,external) udp interface 1812 10.10.0.50 1812 netmask 255.255.255.255
static (internal,external) udp interface 1813 10.10.0.50 1813 netmask 255.255.255.255
static (internal,external) tcp interface www 10.10.0.100 www netmask 255.255.255.255
static (internal,external) tcp interface imap4 10.10.0.100 imap4 netmask 255.255.255.255
static (internal,external) tcp interface ldap 10.10.0.100 ldap netmask 255.255.255.255
static (internal,external) tcp interface pop3 10.10.0.100 pop3 netmask 255.255.255.255
static (internal,external) tcp interface https 10.10.0.100 https netmask 255.255.255.255
static (internal,external) tcp interface smtp 10.10.0.48 smtp netmask 255.255.255.255
static (internal,external) tcp interface h323 10.10.0.150 h323 netmask 255.255.255.255
static (internal,external) tcp interface ftp 10.10.2.64 ftp netmask 255.255.255.255
static (internal,external) tcp interface ftp-data 10.10.2.64 ftp-data netmask 255.255.255.255
static (internal,internal) 10.20.0.0 10.20.0.0 netmask 255.255.255.0
static (internal,internal) 10.30.0.0 10.30.0.0 netmask 255.255.0.0
static (internal,internal) 10.40.0.0 10.40.0.0 netmask 255.255.0.0
static (internal,internal) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (internal,internal) 192.168.11.0 192.168.11.0 netmask 255.255.255.0
static (internal,internal) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (internal,internal) 192.168.31.0 192.168.31.0 netmask 255.255.255.0
static (internal,internal) 192.168.32.0 192.168.32.0 netmask 255.255.255.0
static (internal,internal) 192.168.33.0 192.168.33.0 netmask 255.255.255.0
static (internal,internal) 192.168.34.0 192.168.34.0 netmask 255.255.255.0
static (internal,internal) 192.168.35.0 192.168.35.0 netmask 255.255.255.0
static (internal,internal) 192.168.110.0 192.168.110.0 netmask 255.255.255.0
static (internal,internal) 192.168.130.0 192.168.130.0 netmask 255.255.255.0
static (internal,internal) 192.168.132.0 192.168.132.0 netmask 255.255.255.0
static (internal,internal) 192.168.134.0 192.168.134.0 netmask 255.255.255.0
static (internal,external) 172.20.1.2 access-list internal_nat_static
static (internal,external) 172.20.1.3 access-list internal_nat_static_1
access-group NATed_Ports in interface external
access-group internal_access_in in interface internal
______ Config Omitted ____________
07-30-2014 06:27 AM
Hi,
So this is the full NAT configuration? If so, I guess there are not really many things that would need to be added compared to what I have already listed, except of course to follow the same logic with the Static PAT configurations etc.
Though you would be able to condense your big NAT0 configuration to a much smaller configuration in the new NAT configuration format. We would not be doing a "nat" configuration for each ACL line in the old configuration, but we could rather group all the destination subnets and configure them all in a single "nat" command.
Something like this:
object network LOCAL-SITE-LAN
subnet 10.10.0.0 255.255.0.0
object-group network REMOTE-SITES
network-object 10.10.11.0 255.255.255.0
network-object 10.30.0.0 255.255.0.0
network-object 10.20.0.0 255.255.255.0
network-object 10.40.0.0 255.255.0.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 192.168.30.0 255.255.255.0
network-object 192.168.31.0 255.255.255.0
network-object 192.168.32.0 255.255.255.0
network-object 192.168.33.0 255.255.255.0
network-object 192.168.34.0 255.255.255.0
network-object 192.168.35.0 255.255.255.0
network-object 192.168.70.0 255.255.255.0
network-object 192.168.71.0 255.255.255.0
network-object 192.168.72.0 255.255.255.0
network-object 192.168.73.0 255.255.255.0
network-object 192.168.74.0 255.255.255.0
network-object 192.168.75.0 255.255.255.0
network-object 192.168.76.0 255.255.255.0
network-object 192.168.77.0 255.255.255.0
network-object 192.168.78.0 255.255.255.0
network-object 192.168.79.0 255.255.255.0
network-object 192.168.80.0 255.255.255.0
network-object 192.168.81.0 255.255.255.0
network-object 192.168.82.0 255.255.255.0
network-object 192.168.83.0 255.255.255.0
network-object 192.168.84.0 255.255.255.0
network-object 192.168.85.0 255.255.255.0
network-object 192.168.86.0 255.255.255.0
network-object 192.168.87.0 255.255.255.0
network-object 192.168.88.0 255.255.255.0
network-object 192.168.89.0 255.255.255.0
network-object 192.168.90.0 255.255.255.0
network-object 192.168.91.0 255.255.255.0
network-object 192.168.92.0 255.255.255.0
network-object 192.168.93.0 255.255.255.0
network-object 192.168.94.0 255.255.255.0
network-object 192.168.95.0 255.255.255.0
network-object 192.168.96.0 255.255.255.0
network-object 192.168.97.0 255.255.255.0
network-object 192.168.98.0 255.255.255.0
network-object 192.168.99.0 255.255.255.0
network-object 192.168.101.0 255.255.255.0
network-object 192.168.110.0 255.255.255.0
network-object 192.168.130.0 255.255.255.0
network-object 192.168.132.0 255.255.255.0
network-object 192.168.134.0 255.255.255.0
nat (internal,external) source static LOCAL-SITE-LAN LOCAL-SITE-LAN destination static REMOTE-SITES REMOTE-SITES
With the above, if you had new Remote Sites you would only need to add the remote network to the mentioned "object-group" and naturally to the Crypto ACL used in the actual L2L VPN configuration. Naturally, if you needed a new source network for the L2L VPN then I would suggest perhaps creating a new "nat" configuration or creating an "object-group" for the source networks (as "object network" can only hold one subnet).
Also, regarding your external ACL, remember that with the new software you need to allow the traffic towards the real/local IP address rather than the public IP address used in the NAT.
I noticed that you have allowed some traffic towards the external IP address for which there is no real NAT configuration (or there can't be). In these situations I guess the only solution is to use a destination address of "any". I am referring to the rules for "gre" and "ah" and the port range "3230 3285" at least.
I am not sure if the external ACL is needed for the "gre" and "ah". Who knows, it might be so. Though if this traffic was destined to a single host on the internal network then you would have to have a Static NAT configuration on the firewall (which I don't see), as Static PAT can't pass GRE traffic, for example, or rather you can't configure a Static PAT for GRE.
Hope this helps :)
- Jouni
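The conversion Jouni describes (one object per static PAT, a grouped twice-NAT rule for the NAT0 exemption, the ACL now matching the real address) is mechanical enough to script. The following is an added example, not code from this thread or from Cisco's own 8.3 migration tool: it rewrites the subset of 8.2 syntax that appears in Mike's posted configuration into 8.3+/9.x object NAT and twice NAT, and emits anything it does not recognise (policy NAT with an access-list, policy statics, ACEs written with `host`) as a `! MANUAL:` line rather than dropping it. The object names (`HOST-...`, `NET-...`, `ANY-...`, `NAT0-...`) are a naming convention assumed here, and the sample input is constructed from the lines posted above.

```python
"""Added example (not from the thread or from Cisco): convert the subset of
ASA 8.2 NAT syntax seen above into 8.3+/9.x object NAT and twice NAT.
Anything it does not understand is emitted as a '! MANUAL:' line."""
import ipaddress
import re

# Constructed sample, copied from the 8.2(5) configuration posted above.
SAMPLE_82 = """\
global (external) 101 interface
nat (internal) 0 access-list internal_nat0_outbound
nat (internal) 101 0.0.0.0 0.0.0.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.10.11.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.2.0 255.255.255.0
static (internal,external) tcp interface www 10.10.0.100 www netmask 255.255.255.255
static (internal,external) tcp interface https 10.10.0.100 https netmask 255.255.255.255
static (internal,external) udp interface 1812 10.10.0.50 1812 netmask 255.255.255.255
static (internal,internal) 10.20.0.0 10.20.0.0 netmask 255.255.255.0
static (internal,external) 172.20.1.2 access-list internal_nat_static
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
R_GLOBAL = re.compile(r"global \((\w+)\) (\d+) interface$")
R_NAT_ALL = re.compile(r"nat \((\w+)\) (\d+) 0\.0\.0\.0 0\.0\.0\.0$")
R_NAT0 = re.compile(r"nat \((\w+)\) 0 access-list (\S+)$")
R_ACE = re.compile(r"access-list (\S+) extended permit ip " + " ".join([IP] * 4) + "$")
# 8.2 order: static (real_if,mapped_if) proto MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT
R_SPAT = re.compile(r"static \((\w+),(\w+)\) (tcp|udp) interface (\S+) " + IP
                    + r" (\S+) netmask 255\.255\.255\.255$")
# 8.2 order: static (real_if,mapped_if) MAPPED_IP REAL_IP netmask MASK
R_SNET = re.compile(r"static \((\w+),(\w+)\) " + IP + " " + IP + " netmask " + IP + "$")


def net_name(addr, mask):
    """Deterministic object name such as NET-10.20.0.0-24 (naming convention assumed here)."""
    return f"NET-{addr}-{ipaddress.IPv4Network((addr, mask), strict=False).prefixlen}"


def convert(config):
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    pat_if = {}   # 8.2 nat id -> interface whose own address does the PAT
    aces = {}     # ACL name -> [(src, smask, dst, dmask)]
    for ln in lines:
        if m := R_GLOBAL.match(ln):
            pat_if[m[2]] = m[1]
        elif m := R_ACE.match(ln):
            aces.setdefault(m[1], []).append(m.groups()[1:])
    objects, groups, twice, manual = [], [], [], []
    for ln in lines:
        if R_GLOBAL.match(ln) or R_ACE.match(ln):
            continue
        if m := R_SPAT.match(ln):
            rif, mif, proto, mport, rip, rport = m.groups()
            # an object carries at most one nat line, so one object per static PAT
            objects.append(f"object network HOST-{rip}-{proto}-{rport}\n host {rip}\n"
                           f" nat ({rif},{mif}) static interface service {proto} {rport} {mport}")
        elif m := R_SNET.match(ln):
            rif, mif, mapped, real, mask = m.groups()
            real_line = f" host {real}" if mask == "255.255.255.255" else f" subnet {real} {mask}"
            # mapped == real is identity NAT; a subnet object maps onto the same-sized block at 'mapped'
            objects.append(f"object network {net_name(real, mask)}\n{real_line}\n"
                           f" nat ({rif},{mif}) static {mapped}")
        elif (m := R_NAT_ALL.match(ln)) and m[2] in pat_if:
            rif = m[1]
            objects.append(f"object network ANY-{rif}\n subnet 0.0.0.0 0.0.0.0\n"
                           f" nat ({rif},{pat_if[m[2]]}) dynamic interface")
        elif m := R_NAT0.match(ln):
            rif, acl = m.groups()
            by_src = {}   # group the exemption ACEs per source subnet, as suggested above
            for src, smask, dst, dmask in aces.get(acl, []):
                by_src.setdefault((src, smask), []).append(f" network-object {dst} {dmask}")
            for (src, smask), members in by_src.items():
                sname, gname = net_name(src, smask), f"NAT0-{acl}-{src}"
                objects.append(f"object network {sname}\n subnet {src} {smask}")
                groups.append(f"object-group network {gname}\n" + "\n".join(members))
                # 8.2 'nat 0' named no mapped interface, so 'any' keeps its scope;
                # narrow it to the VPN-facing interface once that is confirmed.
                twice.append(f"nat ({rif},any) source static {sname} {sname} "
                             f"destination static {gname} {gname}")
        else:
            manual.append(ln)   # never drop a rule silently
    return "\n".join(objects + groups + twice + [f"! MANUAL: {ln}" for ln in manual])


if __name__ == "__main__":
    print(convert(SAMPLE_82))
```

Two things to check on the result before pasting it into the 9.1 box. First, the twice-NAT rule lands in section 1 and is evaluated before the object NAT rules in section 2, so the VPN exemption wins over the dynamic PAT regardless of the order you enter them; from 8.4(2) on you can also append `no-proxy-arp route-lookup` to that identity rule, which is the usual form for L2L exemptions. Second, as Jouni says, the `NATed_Ports` ACL on `external` must now permit traffic to the real addresses (`10.10.0.100`, `10.10.0.50`, ...) instead of the interface address. Verify each converted rule with `show nat detail` and a `packet-tracer` run from `external` towards the mapped interface address on the PAT port.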
07-30-2014 06:49 AM
Thanks again.... You are such a great help.
I am now going to absorb all this and put it all together and see what happens.
Stay tuned for more questions......
Mike