Cisco Support Community

NAT/PAT Change issues in ASA 8.3(1)

Hello All,

I am in the process of migrating from a PIX 515 running 7.2 to an ASA 5520 running 8.3 and I'm having an issue with the new NAT commands. Currently I am using PAT in the following manner:

static (inside,outside) tcp 10.10.10.100 41056 192.168.1.108 41056 netmask 255.255.255.255

Can anyone please give me an insight as to what this command would look like under 8.3? 

Thanks,

Kevin

3 REPLIES

Re: NAT/PAT Change issues in ASA 8.3(1)

Kevin,

In order to migrate the command (8.2 and below):

static (inside,outside) tcp 10.10.10.100 41056 192.168.1.108 41056 netmask 255.255.255.255

The syntax for 8.3 is:

object network obj-192.168.1.108
     host 192.168.1.108
     nat (inside,outside) static 10.10.10.100 service tcp 41056 41056

Please refer to this document:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp83968

Note:

If you upgrade to 8.3, you don't need to change or migrate the NAT statements; the configuration will automatically adjust to the new syntax.

Federico.


Re: NAT/PAT Change issues in ASA 8.3(1)

Thanks and that works except...

it only allows me to PAT one TCP port to an inside address at one time.

So if I want to do the following:

static (inside,outside) tcp 10.10.10.100 41056 192.168.1.108 41056 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.100 31056 192.168.1.108 31056 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.100 21056 192.168.1.108 21056 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.100 41057 192.168.1.109 41057 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.100 31057 192.168.1.109 31057 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.100 21057 192.168.1.109 21057 netmask 255.255.255.255

so that if a packet hits the external interface IP address 10.10.10.100 on ports 41056/31056/21056, it gets NAT'd to 192.168.1.108 and if it hits 10.10.10.100 on ports 41057/31057/21057, it NATs to 192.168.1.109.

Is this still possible?

Kevin

Re: NAT/PAT Change issues in ASA 8.3(1)

Kevin,

To be honest I have not done it in 8.3 yet.

But it seems that it can be done if you define another network-object.

Instead of:

object network obj-192.168.1.108
     host 192.168.1.108
     nat (inside,outside) static 10.10.10.100 service tcp 41056 41056

object network obj-192.168.1.108
     host 192.168.1.108
     nat (inside,outside) static

Federico.
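
Added example, not part of the original thread: in 8.3 object NAT a network object holds a single nat statement, so each forwarded port needs its own object pointing at the same host. The Python sketch below converts pre-8.3 static PAT lines into that form and rejects two lines that claim the same outside address and port; the `pat-...` object naming scheme and the sample input are assumptions made for illustration.

```python
import re

# Pre-8.3 form: static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port netmask 255.255.255.255
STATIC_PAT = re.compile(
    r"^static\s+\(([\w-]+),([\w-]+)\)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
    r"\s+netmask\s+255\.255\.255\.255\s*$"
)

# Constructed sample input: the six port forwards described in the thread.
SAMPLE = """\
static (inside,outside) tcp 10.10.10.100 41056 192.168.1.108 41056 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.100 31056 192.168.1.108 31056 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.100 21056 192.168.1.108 21056 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.100 41057 192.168.1.109 41057 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.100 31057 192.168.1.109 31057 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.100 21057 192.168.1.109 21057 netmask 255.255.255.255
"""


def convert_static_pat(config_text):
    """Return 8.3 object-NAT config lines for each pre-8.3 host static PAT line."""
    out, seen = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATIC_PAT.match(line)
        if m is None:
            raise ValueError(f"not a host static PAT statement: {line!r}")
        real_if, mapped_if, proto, mapped_ip, mapped_port, real_ip, real_port = m.groups()
        # One outside address/port can forward to only one inside host.
        key = (mapped_if, mapped_ip, proto, mapped_port)
        if key in seen:
            raise ValueError(f"{line!r} reuses the mapped endpoint of {seen[key]!r}")
        seen[key] = line
        # Hypothetical naming scheme: one object per mapped endpoint, so names stay unique.
        name = f"pat-{mapped_if}-{mapped_ip}-{proto}-{mapped_port}"
        out += [
            f"object network {name}",
            f" host {real_ip}",
            # 8.3 order is "service <proto> <real_port> <mapped_port>".
            f" nat ({real_if},{mapped_if}) static {mapped_ip} service {proto} {real_port} {mapped_port}",
        ]
    return out


if __name__ == "__main__":
    print("\n".join(convert_static_pat(SAMPLE)))
```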
