Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1080
Views
0
Helpful
3
Replies

NAT/PAT Change issues in ASA 8.3(1)

kevburgess
Level 1
Level 1

‎05-12-2010 07:00 AM - edited ‎03-11-2019 10:44 AM

Hello All,

I am in the process of migrating from a PIX 515 running 7.2 to an ASA 5520 running 8.3 and I'm having an issue with the new NAT commands. Currently I am using PAT in the following manner:

static (inside,outside) tcp 10.10.10100 41056 192.168.1.108 41056 netmask 255.255.255.255

Can anyone please give me an insight as to what this command would look like under 8.3? 

Thanks,

Kevin

Labels:
0 Helpful
3 Replies 3

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎05-12-2010 08:23 AM

Kevin,

In order to migrate the command (8.2 and below):

static (inside,outside) tcp 10.10.10.100 41056 192.168.1.108 41056 netmask 255.255.255.255

The syntax for 8.3 is:

object network obj-192.168.1.108

     host 192.168.1.108

     nat (inside,outside) static 10.10.10.100 service tcp 41056 41056

Please refer to this document:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp83968

Note:

If you upgrade to 8.3 you don't need to change or migrate the NAT statements, the configuration will automatically adjust to the new syntax.

Federico.

0 Helpful

kevburgess
Level 1
Level 1
In response to Federico Coto Fajardo

‎05-12-2010 12:28 PM

Thanks and that works except...

it only allows me to PAT one TCP port to an inside address at one time.

So if I want to do the following:

static (inside,outside) tcp 10.10.10.100 41056 192.168.1.108 41056 netmask 255.255.255.255

static (inside,outside) tcp 10.10.10.100 31056 192.168.1.108 31056 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.100 21056 192.168.1.108 21056 netmask 255.255.255.255

static (inside,outside) tcp 10.10.10.100 41056 192.168.1.109 41057 netmask 255.255.255.255

static (inside,outside) tcp 10.10.10.100 31057 192.168.1.109 31057 netmask 255.255.255.255

static (inside,outside) tcp 10.10.10.100 21057 192.168.1.109 21057 netmask 255.255.255.255

so that if a packet hits the external interface IP address 10.10.10.100 on ports 41056/31056/21056, it gets NAT'd  to 192.168.1.108 and if it hits 10.10.10.100 on ports 41057/31057/21057, it NATs to 192.168.1.109.

Is this still possible?

Kevin

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to kevburgess

‎05-12-2010 01:15 PM

Kevin,

To be honest I have not done it in 8.3 yet.

But it seems that can be done if you define another network-object.

Insted of:

object network obj-192.168.1.108
     host 192.168.1.108
     nat (inside,outside) static 10.10.10.100 service tcp 41056 41056

object network obj-192.168.1.108
     host 192.168.1.108
     nat (inside,outside) static

Federico.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card