NAT configuration on PIX to ASA

Hi,

I have the configuration below on my PIX 8.0 which I want to convert to ASA 9.1:

nat (Cust-DMZ) 0 access-list Cust-DMZ_nat0_outbound

access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
access-list Cust-DMZ_nat0_outbound extended permit ip host 1.1.1.58 host 1.1.1.57
access-list Cust-DMZ_nat0_outbound extended permit ip host 172.29.83.2 host 172.29.83.1
access-list Cust-DMZ_nat0_outbound extended permit ip host 202.138.123.75 host 10.10.11.20
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.14.1.11 host 10.10.50.150

And there is no "nat (global) 0" command in the PIX for this configuration.

How can I use this on the ASA?

Regards,

Ninad

Accepted Solution

Hi,

The configuration is going to be bigger, at least. I did like the NAT 0 more in the old software, when you could use the ACL configuration to handle it and not bloat the NAT configuration needlessly.

There are some strange ACEs in that ACL. I mean the rules where the source and destination seem to be either from the same subnet or simply host addresses (perhaps loopback interface IP addresses somewhere in the network?) that I wouldn't expect to use the firewall to communicate. Though I will assume those configurations are needed.

You could try the following configuration, though I naturally suggest perhaps coming up with some other naming policy for the "object" configuration if needed.

object network HOST-10.2.1.175
 host 10.2.1.175

object network HOST-10.10.49.30
 host 10.10.49.30

object network HOST-1.1.1.58
 host 1.1.1.58

object network HOST-1.1.1.57
 host 1.1.1.57

object network HOST-172.29.83.2
 host 172.29.83.2

object network HOST-172.29.83.1
 host 172.29.83.1

object network HOST-202.138.123.75
 host 202.138.123.75

object network HOST-10.10.11.20
 host 10.10.11.20

object network HOST-10.14.1.11
 host 10.14.1.11

object network HOST-10.10.50.150
 host 10.10.50.150

nat (Cust-DMZ,any) source static HOST-10.2.1.175 HOST-10.2.1.175 destination static HOST-10.10.49.30 HOST-10.10.49.30
nat (Cust-DMZ,any) source static HOST-1.1.1.58 HOST-1.1.1.58 destination static HOST-1.1.1.57 HOST-1.1.1.57
nat (Cust-DMZ,any) source static HOST-172.29.83.2 HOST-172.29.83.2 destination static HOST-172.29.83.1 HOST-172.29.83.1
nat (Cust-DMZ,any) source static HOST-202.138.123.75 HOST-202.138.123.75 destination static HOST-10.10.11.20 HOST-10.10.11.20
nat (Cust-DMZ,any) source static HOST-10.14.1.11 HOST-10.14.1.11 destination static HOST-10.10.50.150 HOST-10.10.50.150

Notice that I configured the destination interface as "any". With that setting it should define the destination interface based on your ASA's routing table. I personally tend to define that interface, but can't do that in this case as I can't see your routing configuration or routing table.

If you want to read up some on the new NAT configuration format, you can check a document that I wrote in 2013.

Sadly, the update to these forums also changed the layout of the document a bit; some things aren't really as I wish them to be.

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Hope this helps :)

- Jouni
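The conversion Jouni shows, automated as an added example (this script is not from the original thread): it parses the PIX "nat (ifc) 0 access-list" statement and the host-to-host ACEs of that ACL, emits one "object network" per unique host and one identity twice-NAT line per ACE, and raises on any ACE shape it does not understand so that a NAT exemption is never silently dropped during the migration. The inline sample config is constructed from the first two ACEs in the question; the dest_ifc default of "any" mirrors the answer, and the HOST-<ip> naming is an assumption taken from it.

```python
import re
from collections import OrderedDict

# Constructed sample input: the first two ACEs from the question, in PIX 8.0 syntax.
PIX_CONFIG = """\
nat (Cust-DMZ) 0 access-list Cust-DMZ_nat0_outbound
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
access-list Cust-DMZ_nat0_outbound extended permit ip host 1.1.1.58 host 1.1.1.57
"""

NAT0_RE = re.compile(r"^\s*nat \((?P<ifc>[^)]+)\) 0 access-list (?P<acl>\S+)\s*$")
ACL_RE = re.compile(r"^\s*access-list (?P<acl>\S+) (?P<rest>.*)$")
HOST_PAIR_RE = re.compile(r"^extended permit ip host (?P<src>\S+) host (?P<dst>\S+)\s*$")


def parse_nat0(config):
    """Return (interface, [(src, dst), ...]) for the 'nat (ifc) 0 access-list' statement."""
    nat0, aces = None, {}
    for line in config.splitlines():
        m = NAT0_RE.match(line)
        if m:
            nat0 = (m.group("ifc"), m.group("acl"))
            continue
        m = ACL_RE.match(line)
        if m:  # ACEs may appear before or after the nat line, so collect all ACLs first
            aces.setdefault(m.group("acl"), []).append(m.group("rest"))
    if nat0 is None:
        raise ValueError("no 'nat (...) 0 access-list' statement found")
    ifc, acl = nat0
    pairs = []
    for rest in aces.get(acl, []):
        m = HOST_PAIR_RE.match(rest)
        if not m:  # refuse rather than silently drop an exemption (subnets, remarks, non-ip)
            raise ValueError(f"unsupported ACE in {acl}: {rest}")
        pairs.append((m.group("src"), m.group("dst")))
    return ifc, pairs


def convert_nat0(config, dest_ifc="any"):
    """Emit ASA 8.3+ objects and identity twice-NAT lines, one object per unique host."""
    ifc, pairs = parse_nat0(config)
    objects, nat_lines = OrderedDict(), []  # a host reused in several ACEs gets one object
    for src, dst in pairs:
        for ip in (src, dst):
            objects.setdefault(f"HOST-{ip}", ip)
        s, d = f"HOST-{src}", f"HOST-{dst}"
        nat_lines.append(f"nat ({ifc},{dest_ifc}) source static {s} {s} destination static {d} {d}")
    out = []
    for name, ip in objects.items():
        out += [f"object network {name}", f" host {ip}"]
    return out + nat_lines
```

Run `print("\n".join(convert_nat0(PIX_CONFIG)))` to see the generated configuration; with the full five-ACE ACL from the question it reproduces the ten objects and five nat lines in the answer.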
