NAT / PAT config conversion from PIX v6 to ASA Software 8.3 and above
I'm currently working on converting some PIX firewall configs to ASA and wanted to check I was on the right track, as I don't currently have the ASA's so doing the configs up front!
Everything seems straight forward in the conversion and I've used the pixtoasa tool for some of it, but NAT is implemented differently on 8.3, the PIX was running v6 and I'm used to doing mainly static one to one NAT in ASDM.
The scenario that the PIX has 3 NAT groups which are mapped to 3 separate addresses, where multiple hosts are behint the NAT / PAT. Current config of the PIX is as follows (obviously the names are defined further up the config so this is an extract of the PIX):
After a fair amount of reading up on this topic, I'm looking at changing the ASA config in software version 8.3 to the following - Also is it easier to just do this in ASDM? Looks pretty easy from youtube videos but rather have something to put on the box when I arrive at site NAT wise as opposed to working it out there!
############ Define NAT Objects (outside IP addreses) ############
object network NAT_1_outside_10.50.50.38
object network NAT_2_outside_10.50.50.39
object network NAT_3_outside_10.50.50.49
############ Define NAT Objects (inside IP addreses) ############
Re: NAT / PAT config conversion from PIX v6 to ASA Software 8.3
I cannot make heads or tails of what your trying to accomplish in plain english first before looking at router setup.
If your talking about hosting servers behind the router on your private LAN (asssuming one public WANIP). Then one uses ACLs to control external users by individual OR GROUP and static NAT to port forward users to the correct server. One does not worry about groups of users for this direction of nat rule.
If what your saying is that you have a LAN and 3 different groups of users on the LAN that need to go to specific external IP addresses (external servers) then once again I would say you should ACLs to limit-authorize users and simply use NAT for port translation purposes. So conceptually speaking allow all lan users static nat, and then only allow group 1 hosts access to first external IP, group 2 hosts to second external IP, and group 3 hosts to third external IP. Note you will have to add a deny rule in firewall in general because normally higher to lower security interface is allowed by default.
Am I close......... before going any further need more details on the requirements nevermind setup.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...