Cisco Support Community

More help with NAT from 8.2 to 9.1

I have the following that I need to convert to the new NAT, and I'm not sure how to do this.


access-list NATed_Ports extended permit tcp any host 50.0.0.2 eq ldap
access-list NATed_Ports extended permit tcp any host 50.0.0.2 eq smtp
access-list NATed_Ports extended permit tcp any host 50.0.0.2 eq imap4
access-list NATed_Ports extended permit tcp any host 50.0.0.2 eq pop3
access-list NATed_Ports extended permit tcp any host 50.0.0.2 eq https
access-list NATed_Ports extended permit tcp any host 50.0.0.2 eq www
access-list NATed_Ports extended permit tcp any host 50.0.0.2 eq pptp
access-list NATed_Ports extended permit tcp any host 50.0.0.2 eq h323
access-list NATed_Ports extended permit tcp any host 50.0.0.2 range 3230 3243
access-list NATed_Ports extended permit tcp any host 50.0.0.2 eq citrix-ica
access-list NATed_Ports extended permit udp any host 50.0.0.2 eq 1723
access-list NATed_Ports extended permit udp any host 50.0.0.2 eq 1812
access-list NATed_Ports extended permit udp any host 50.0.0.2 eq 1813
access-list NATed_Ports extended permit udp any host 50.0.0.2 eq radius
access-list NATed_Ports extended permit udp any host 50.0.0.2 eq radius-acct
access-list NATed_Ports extended permit udp any host 50.0.0.2 range 3230 3285
access-list NATed_Ports extended permit gre any host 50.0.0.2
access-list NATed_Ports extended permit ah any host 50.0.0.2
access-list NATed_Ports extended deny tcp any any eq ftp-data
access-list NATed_Ports extended deny tcp any any eq ftp
access-list NATed_Ports extended deny tcp any any eq smtp
access-list NATed_Ports extended deny tcp any any eq 3389


access-group NATed_Ports in interface external


interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif external
 security-level 0
 ip address 50.0.0.2 255.255.255.248

 

Thanks,

Mike


4 REPLIES

Hi again Mike,

 

As you can see this ACL is used as the external interface's ACL to control inbound traffic. From what I remember from the last discussion related to these NAT configurations, you have a Dynamic PAT configured using the "external" interface IP address and also some Static PAT (Port Forward) configurations.

 

One essential thing to remember with the new NAT is the effects on the ACL format also. Previously you allowed traffic towards the mapped/NAT address while in the new software levels you should allow traffic to the local/real IP address and NEVER the NAT IP address.

 

Also, you seemed to have some ports allowed in the above ACLs for which you had no Static PAT configured, and there are of course services like "ah" and "gre" which can't be forwarded like TCP/UDP ports. In those cases I think the ACL rules refer to allowing some traffic towards the hosts that are using the Dynamic PAT translation. I am not sure if this is ever needed. I do remember some occasions where it has seemed like that.

 

Since we are talking about a Dynamic PAT translation and since the new software requires using the real/local IP address in the ACL rules rather than the NAT (PAT) IP address then I guess the only solution would really be to allow the traffic to either "any" destination address or the whole internal subnet that you have behind the firewall.

 

But as I said before in the other discussion, I am not really sure if you really need to allow any other traffic in the "external" interface's ACL other than those for which you have Static PAT configuration. Also, as I said, the above is not in any way a NAT configuration that could be converted. It is simply an ACL named to refer to NAT and attached to the "external" interface to control what traffic is allowed through the ASA.

 

Hope this helps :)

 

- Jouni

 


Thanks again. I checked the other post and I was not clear on this part, so I separated it out here in case I missed something. I am not sure why NAT is giving me such a problem, I just keep second guessing myself. I think I need to just spend a week cramming this in my head until I know this down pat.....like you :-)

 

So what I get from this is that it is really not needed any longer, and what we talked about before should cover what I need.

I really appreciate your help and patience.

 

Mike

ACCEPTED SOLUTION

Hi,

 

The previous discussion listed the configuration formats required to convert all the configurations to the new software level.

 

I don't remember if I posted the corrected version of the ACL above, but as I said, the Static PAT configurations that forward a specific port towards an internal host require the corresponding ACL line to allow the mentioned port to the local/real IP address mentioned in the Static PAT configurations.

 

If you for example have the following Static PAT configuration

 

object network WEB-SERVER
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 80 80

 

Then you would be using the following line in the ACL that controls traffic from the external network

 

access-list <acl name> permit tcp any host 10.10.10.10 eq 80

 

Or you could use the created "object" as it contains the same IP address

 

access-list <acl name> permit tcp any object WEB-SERVER eq 80

 

So you should convert the above ACL you have to allow the services for which you have Static PAT configured and change the above IP address of 50.0.0.2 to the actual local/real IP address used in the Static PAT for each service.

 

Naturally, if in doubt, you can leave the other rules in the ACL if you want to play it safe and later check if they are even getting any hits. If not, then you can later safely remove them from the ACL.

 

Again I would remind you that the ACL should have no reference to the actual public IP address 50.0.0.2 in the new form. Only the local/real IP addresses used in the different NAT configurations.

 

Hope I made any sense. :)

 

- Jouni
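
As an added illustration of the rule in Jouni's answer (the post-8.3 ACL must name the real/local host and never the mapped 50.0.0.2), here is a small converter that is not from the thread: it rewrites the single-host "eq" permit lines of the posted ACL against a Static PAT table and flags every line with no matching Static PAT (pptp, the port ranges, gre, ah, the deny rules) for a human decision instead of carrying it over. The internal hosts, the object names, the "inside" interface name and the use of port names in the nat service keyword are assumptions; the Static PAT table is constructed for the example.

```python
import re

# Constructed Static PAT table for this example, (protocol, port) -> (object, real host).
# The thread never shows the internal hosts, so 10.10.10.x is a placeholder; one object
# per forwarded port because object NAT allows only one nat statement per object.
STATIC_PAT = {
    ("tcp", "smtp"):   ("MAIL-SMTP", "10.10.10.20"),
    ("tcp", "www"):    ("WEB-HTTP", "10.10.10.10"),
    ("tcp", "https"):  ("WEB-HTTPS", "10.10.10.10"),
    ("udp", "radius"): ("RADIUS-AUTH", "10.10.10.30"),
}
MAPPED_IP = "50.0.0.2"                  # public/interface IP the 8.2 ACL pointed at
INSIDE, OUTSIDE = "inside", "external"  # "external" is from the thread; "inside" is assumed

# Only the single-host "eq" permit form used in the thread is converted automatically.
ACE_RE = re.compile(r"^access-list (?P<acl>\S+) extended permit (?P<proto>tcp|udp) any "
                    r"host (?P<dst>\S+) eq (?P<port>\S+)$")

def convert_ace(line):
    """Return (new_ace, note); new_ace is None when the line needs a human decision."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None, "not a single-host tcp/udp 'eq' permit: review by hand"
    if m["dst"] != MAPPED_IP:
        return None, f"destination {m['dst']} is not the mapped IP: left unchanged"
    pat = STATIC_PAT.get((m["proto"], m["port"]))
    if pat is None:
        return None, f"no static PAT for {m['proto']}/{m['port']}: likely unneeded"
    # Post-8.3 rule: the ACE names the real host (here via its object), never the mapped IP.
    return (f"access-list {m['acl']} extended permit {m['proto']} any "
            f"object {pat[0]} eq {m['port']}"), "converted"

def convert_acl(lines):
    """Split an old ACL into converted ACEs and (original line, reason) pairs to review."""
    converted, review = [], []
    for line in lines:
        new, note = convert_ace(line)
        if new:
            converted.append(new)
        else:
            review.append((line.strip(), note))
    return converted, review

def nat_objects():
    """Object NAT statements (8.3+ syntax) that the converted ACL relies on."""
    out = []
    for (proto, port), (obj, real) in STATIC_PAT.items():
        out += [f"object network {obj}", f" host {real}",
                f" nat ({INSIDE},{OUTSIDE}) static interface service {proto} {port} {port}"]
    return out
```

Feed the whole NATed_Ports ACL to convert_acl and paste the review list next to the hit counts from "show access-list" before deciding which flagged lines to drop.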

 


Thanks. I think it is starting to sink in. I will read some more and see if I have more questions.

 

Thanks,

Mike
