NAT / PAT config conversion from PIX v6 to ASA Software 8.3 and above

Malcolm Booden
Level 1

Hi folks,

I'm currently working on converting some PIX firewall configs to ASA and wanted to check I was on the right track, as I don't currently have the ASAs, so I'm doing the configs up front!

Everything seems straightforward in the conversion and I've used the pixtoasa tool for some of it, but NAT is implemented differently on 8.3; the PIX was running v6 and I'm used to doing mainly static one-to-one NAT in ASDM.

The scenario is that the PIX has 3 NAT groups which are mapped to 3 separate addresses, where multiple hosts are behind the NAT / PAT. The current config of the PIX is as follows (obviously the names are defined further up the config, so this is an extract of the PIX):

---------------------------------------------
global (outside) 1 10.50.50.38
global (outside) 2 10.50.50.39
global (outside) 3 10.50.50.49
nat (inside) 0 access-list no-nat-all
nat (inside) 2 Host_1 255.255.255.255 0 0
nat (inside) 2 Host_2 255.255.255.255 0 0
nat (inside) 2 Host_3 255.255.255.255 0 0
nat (inside) 1 Host_4 255.255.255.255 0 0
nat (inside) 1 Host_5 255.255.255.255 0 0
nat (inside) 1 Host_6 255.255.255.255 0 0
nat (inside) 1 Host_7 255.255.255.255 0 0
nat (inside) 3 Network_3 255.255.255.0 0 0
----------------------------------------------------------

ASA Config

After a fair amount of reading up on this topic, I'm looking at changing the ASA config in software version 8.3 to the following. Also, is it easier to just do this in ASDM? It looks pretty easy from YouTube videos, but I'd rather have something to put on the box NAT-wise when I arrive at site, as opposed to working it out there!

############
Define NAT Objects (outside IP addresses)
############

object network NAT_1_outside_10.50.50.38
 host 10.50.50.38
object network NAT_2_outside_10.50.50.39
 host 10.50.50.39
object network NAT_3_outside_10.50.50.49
 host 10.50.50.49
exit

############
Define NAT Objects (inside IP addresses)
############

object-group network NAT_1_Objects
 network-object Host_4 255.255.255.255
 network-object Host_5 255.255.255.255
 network-object Host_6 255.255.255.255
 network-object Host_7 255.255.255.255
 nat (inside,outside) dynamic NAT_1_outside_10.50.50.38

object-group network NAT_2_Objects
 network-object Host_1 255.255.255.255
 network-object Host_2 255.255.255.255
 network-object Host_3 255.255.255.255
 nat (inside,outside) dynamic NAT_2_outside_10.50.50.39

object-group network NAT_3_Objects
 network-object Network_1 255.255.255.0
 nat (inside,outside) dynamic NAT_3_outside_10.50.50.49

Any assistance with this would be appreciated.

cheers

Malcolm

2 Replies

mirober2
Cisco Employee

Hi Malcolm,

You have the idea right conceptually, but the syntax is not quite right. You can only configure a NAT rule in global config mode or under an object, not under an object-group.

What you're trying to achieve would look something like this (in global config mode):

ASA(config)# nat (inside,outside) source dynamic NAT_1_Objects NAT_1_outside_10.50.50.38

-Mike
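As an added example (not from this thread or from Cisco's pixtoasa tool), a small Python converter that turns PIX v6 global/nat pairs into the 8.3 form Mike describes: one object network for each mapped address, one object-group network for the real hosts, and a global-mode "nat (inside,outside) source dynamic GROUP OBJECT" line rather than a nat line under the object-group. The sample input is the question's PIX extract; it assumes the Host_n/Network_n names are already defined, and it flags "nat 0 access-list" (NAT exemption) lines for manual conversion instead of guessing an identity rule.

```python
import re
from collections import defaultdict

# Constructed sample input: the PIX v6 extract from the question above.
PIX_CONFIG = """\
global (outside) 1 10.50.50.38
global (outside) 2 10.50.50.39
global (outside) 3 10.50.50.49
nat (inside) 0 access-list no-nat-all
nat (inside) 2 Host_1 255.255.255.255 0 0
nat (inside) 1 Host_4 255.255.255.255 0 0
nat (inside) 3 Network_3 255.255.255.0 0 0
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)(?: \d+ \d+)?$")


def convert_pix_nat(text):
    """Return ASA 8.3+ config lines for each PIX NAT ID that has a global.

    Per NAT ID: 'object network' (mapped address), 'object-group network'
    (real hosts, in the poster's NAME MASK style), then the twice-NAT rule
    in global config mode. Anything not understood (e.g. nat 0 access-list)
    is returned as a '! MANUAL:' comment at the end for hand conversion.
    """
    globals_ = {}                # nat_id -> (outside_if, mapped_ip)
    members = defaultdict(list)  # nat_id -> [(inside_if, real, mask)]
    todo = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := GLOBAL_RE.match(line):
            globals_[m.group(2)] = (m.group(1), m.group(3))
        elif (m := NAT_RE.match(line)) and m.group(2) != "0":
            members[m.group(2)].append((m.group(1), m.group(3), m.group(4)))
        else:
            todo.append(f"! MANUAL: {line}")
    out = []
    for nat_id in sorted(globals_):
        if nat_id not in members:  # global with no nat statements: nothing to map
            continue
        outside_if, mapped = globals_[nat_id]
        obj, grp = f"NAT_{nat_id}_outside_{mapped}", f"NAT_{nat_id}_Objects"
        inside_if = members[nat_id][0][0]
        out += [f"object network {obj}", f" host {mapped}",
                f"object-group network {grp}"]
        out += [f" network-object {real} {mask}" for _, real, mask in members[nat_id]]
        out.append(f"nat ({inside_if},{outside_if}) source dynamic {grp} {obj}")
    return out + todo


if __name__ == "__main__":
    print("\n".join(convert_pix_nat(PIX_CONFIG)))
```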

I cannot make heads or tails of what you're trying to accomplish. In plain English first, before looking at the router setup.

If you're talking about hosting servers behind the router on your private LAN (assuming one public WAN IP), then one uses ACLs to control external users by individual OR GROUP and static NAT to port forward users to the correct server. One does not worry about groups of users for this direction of NAT rule.

If what you're saying is that you have a LAN and 3 different groups of users on the LAN that need to go to specific external IP addresses (external servers), then once again I would say you should use ACLs to limit/authorize users and simply use NAT for port translation purposes. So, conceptually speaking, allow all LAN users static NAT, and then only allow group 1 hosts access to the first external IP, group 2 hosts to the second external IP, and group 3 hosts to the third external IP. Note you will have to add a deny rule in the firewall in general, because normally higher to lower security interface is allowed by default.

Am I close... Before going any further I need more details on the requirements, never mind the setup.
