New Member

nat0 and identity nat on ASA 8.6

Hello all,

I am trying to convert the configurations of PIX 6.3.x to ASA software version 8.6.

I notice that version 8.6 has a different NAT behaviour and configuration from its previous ASA versions.

I have already used the tool and converted the configurations. Can you please advise if NAT was converted fine and if it’s ok to remove nat0 and identity nat on the new ASA 8.6?

Thanks in advance,

Kris...

6 REPLIES
VIP Purple

nat0 and identity nat on ASA 8.6

nat0 is done with "twice NAT" on ASA v8.3+. Here is the config-guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_rules.html

If you need any more help, then just post your NAT-config.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

nat0 and identity nat on ASA 8.6

Hello Karsten,

Appreciate your quick response....

Here is the NAT-config as requested...please let me know if you need more.

global (outside) 1 10.248.46.248
global (outside) 2 10.248.46.249
global (outside) 3 10.248.46.252
nat (inside) 3 access-list cacti-NAT 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (dcndmz) 0 access-list dmznated
nat (dcndmz) 1 192.168.240.129 255.255.255.255 0 0
nat (dcndmz) 2 192.168.240.132 255.255.255.255 0 0
nat (corp2dcndmz) 0 0.0.0.0 0.0.0.0 0 0
nat (corpdmz) 0 0.0.0.0 0.0.0.0 0 0

Rgds,

Kris...

New Member

Re: nat0 and identity nat on ASA 8.6

Hi,

nat (dcndmz) 1 192.168.240.129 255.255.255.255 0 0
global (outside) 1 10.248.46.248

will get replaced by

object network IP_192.168.240.129
 host 192.168.240.129
 nat (dcndmz,outside) static 10.248.46.248

nat (dcndmz) 2 192.168.240.132 255.255.255.255 0 0
global (outside) 2 10.248.46.249

will get replaced by

object network IP_192.168.240.132
 host 192.168.240.132
 nat (dcndmz,outside) static 10.248.46.249

For NAT 0 you can use twice NAT as per the example below.

nat (inside,outside) source static IP_192.168.240.129 IP_192.168.240.129 destination static IP_10.248.46.248 IP_10.248.46.248

Let me know if you need anything else, or else kindly post the 3rd NAT information, i.e. the access-list.

Cheers!!

Pankaj
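
Added example, not part of any post in this thread and not Cisco's migration tool: a Python script that classifies the PIX 6.3 `nat`/`global` lines posted above into what each needs on 8.3+. The `obj-<address>` object names are hypothetical, and it emits `dynamic` on the assumption that a single-address `global` was used as PAT; NAT exemption and policy NAT lines are only flagged for hand conversion to twice NAT, and identity NAT is flagged for review because untranslated traffic needs no NAT rule on 8.3+.

```python
# Constructed sample: the PIX 6.3 nat/global lines posted earlier in this thread.
PIX = """\
global (outside) 1 10.248.46.248
global (outside) 2 10.248.46.249
global (outside) 3 10.248.46.252
nat (inside) 3 access-list cacti-NAT 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (dcndmz) 0 access-list dmznated
nat (dcndmz) 1 192.168.240.129 255.255.255.255 0 0
nat (dcndmz) 2 192.168.240.132 255.255.255.255 0 0
"""

def convert(text):
    """Return (config_lines, review_notes) for legacy nat/global lines."""
    pools, config, notes = {}, [], []
    lines = [l.split() for l in text.splitlines() if l.strip()]
    for t in lines:                      # pass 1: collect global pools by NAT id
        if t[0] == "global":
            pools[t[2]] = (t[1].strip("()"), t[3])
    for t in lines:                      # pass 2: classify each nat statement
        if t[0] != "nat":
            continue
        ifc, nat_id = t[1].strip("()"), t[2]
        raw = " ".join(t)
        if t[3] == "access-list":
            # ACL-based rules become twice NAT; the ACL must be read by hand.
            kind = "NAT exemption" if nat_id == "0" else "policy NAT"
            notes.append(f"MANUAL twice NAT ({kind}, ACL {t[4]}): {raw}")
        elif nat_id == "0":
            notes.append(f"REVIEW identity NAT, no rule needed on 8.3+: {raw}")
        elif nat_id not in pools:
            notes.append(f"ERROR no global for NAT id {nat_id}: {raw}")
        else:
            out_ifc, mapped = pools[nat_id]
            addr, mask = t[3], t[4]
            real = f"host {addr}" if mask == "255.255.255.255" else f"subnet {addr} {mask}"
            # Object name is hypothetical; 'dynamic' assumes the global was PAT.
            config += [f"object network obj-{addr}", f" {real}",
                       f" nat ({ifc},{out_ifc}) dynamic {mapped}"]
    return config, notes

if __name__ == "__main__":
    cfg, notes = convert(PIX)
    print("\n".join(cfg + ["! " + n for n in notes]))
```

Every flagged line should be checked against the running configuration before the old rule is dropped, since removing an exemption changes which addresses the far side sees.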

New Member

nat0 and identity nat on ASA 8.6

Hello Pankaj,

Thanks for the inputs... I will accept the offer for access list...so here it goes..

access-list corpdcn deny tcp host 10.248.40.230 any 
access-list corpdcn permit udp object-group corp-ntp-servers object-group dcn-ntp-servers eq ntp 
access-list corpdcn permit tcp object-group retail-stores host 192.168.240.197 eq 135 
access-list corpdcn permit ip host 10.248.61.14 192.168.2.0 255.255.255.0 log 2 
access-list corpdcn permit ip host 10.248.61.12 192.168.2.0 255.255.255.0 log 2 
access-list corpdcn permit tcp 10.248.0.0 255.248.0.0 object-group datastagesrvrs object-group datastage 
access-list corpdcn permit ip host 10.248.61.14 192.168.130.0 255.255.255.0 log 2 
access-list corpdcn permit ip host 10.248.61.12 192.168.130.0 255.255.255.0 log 2 
access-list corpdcn permit ip host 10.248.61.60 192.168.0.0 255.255.0.0 log 2 
access-list corpdcn permit tcp host 10.248.44.62 host 192.168.131.98 eq 18184 

I did not understand the correction you got back with..."typo 192.168.240.129* and 192.168.240.132*"

Thanks in advance,

Kris...

New Member

nat0 and identity nat on ASA 8.6

Can someone please help me throw more light into this?...

Thanks & Rgds

Kris...

New Member

nat0 and identity nat on ASA 8.6

HI,

Please follow below link to configure the same.

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_rules.pdf

Cheers!!

Pankaj

Please rate helpful answers which is better than saying "Thank You".
