Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Gold

Old NAT to Version 8.4(2), Yelp!!!

Hi guys,

I have to change an old NAT config into the 8.4(2) version. i read Cisco migration Docs n everything but still im kind of confused. it'd be nice if someone can help me with this example:

OLD Config:

nat-control

!

nat (vlan12) 0 access-list No_Nat

!

access-list No_Nat extended permit ip any any

access-list allowany extended permit ip any any

!

!

access-group allowany in interface outside

Thanx a milion...

Soroush.       

Hope it Helps, Soroush.
Everyone's tags (3)
7 REPLIES
Super Bronze

Re: Old NAT to Version 8.4(2), Yelp!!!

Hi,

To be honest I have never configured NAT in such a way even on the older software. I have always defined atleast the source address/network and usually the destination too.

I would personally probably configure the networks behind interface "vlan12" under and "object-group network" and then use that in a NAT configurations

For example

object-group network VLAN12-NETWORKS

network-object 10.10.12.0 255.255.255.0

network-object 10.10.112.0 255.255.255.0

network-object 10.10.212.0 255.255.255.0

nat (vlan12,any) source static VLAN12-NETWORKS VLAN12-NETWORKS

One option I thought was also

nat (vlan12,any) source static any any

But I tend to avoid using "any" in NAT configurations.

I am not sure in what kind of network this original NAT configurations is in use. Are there perpaps only public IP addresses used behind this interface? Or is this perhaps some internal firewall that is not meant to perform private to public NAT for the networks?

- Jouni

Gold

Re: Old NAT to Version 8.4(2), Yelp!!!

thank you for ur reply, i got the concept of modular configuration and object network but im not sure how to use it for this any any situation... 

is this nat (vlan12,any) source static any any   really an option? that could help!

there are public addresses behind the interfaces, so it actually is not doing NAT. i've been asked to migrate the exact same config to 8.4 and the more i read on Cisco.com the more i get confused.

how about the nat-control command, should i do something about it or just forget it since its deprecated?

thanks again,

Soroush.

Hope it Helps, Soroush.
Super Bronze

Re: Old NAT to Version 8.4(2), Yelp!!!

Hi,

There is no more "nat-control"

On a very basic firewall setup you would currently only configure Dynamic PAT/NAT towards the public network. No other NAT would be needed for example between your local interface if you didnt specifically want to NAT the addresses.

The idea by using the "object-group network" to group all the networks behind "vlan12" was simply to try to keep the NAT operation the same wihtout using the "any" parameter.

I did write a NAT 8.3+ document here on the CSC. Though its still work in progress

https://supportforums.cisco.com/docs/DOC-31116

- Jouni

Gold

Re: Old NAT to Version 8.4(2), Yelp!!!

u r from Finland then... up so late! DK here

So what you basically mean is that, while in the older version it needed the above configuration to allow Any traffic to flow freely (without NAT) between my interfaces, in version 8.3+ i dont need to add anything, just leave it as is and it would work just fine! did i get u right?

Thanks for the info again!


Soroush.

Hope it Helps, Soroush.
Super Bronze

Old NAT to Version 8.4(2), Yelp!!!

Hi,

In general if you had a setup where the firewall was ONLY doing access control and NAT was not required at all then you could leave the ASA in the new software wihtout any NAT configurations.

But usually the situation is that there is some NAT configurations that need to be applied as firewalls are typically at the edge of the internal and external network.

I tend to first go through the entire NAT configuration and operation of the firewall that is about to be migrated. Then I build the new NAT rules on the basis of that.

Usually I first convert the Dynamic PAT/NAT and Static NAT/PAT rules and leave the special Policy NAT or NAT0 configurations last.

I am very hesitant to say that I am 100% sure the above configurations would handle your situation BUT it looks to me that it should do the same. As I said, I would rather be as specific as I can when building the NAT rules and avoid using "any" in the NAT configurations just to avoid any possible suprises with the NAT operation.

- Jouni

Gold

Re: Old NAT to Version 8.4(2), Yelp!!!

Hi,

since there is nothing NAT specific in the old ios configuration. i guess its safe to go by the any any config.

its just the nat-control and a bunch of nat (vlanX) 0 access-list ... config. thats all

thanks for ur elaboration Jouni.

Soroush.

Hope it Helps, Soroush.
Super Bronze

Old NAT to Version 8.4(2), Yelp!!!

So it seems that the current firewall configuration has "nat-control" which basically means that there needs to be some NAT configuration for traffic passing the firewall.

Since all the NAT configurations are NAT0, it would seem that you might be able to leave out all NAT configurations from the new software version.

Please do remember to mark a reply as the correct answer if it answered your question and/or rate helpfull answers.

Feel free to ask more if needed

- Jouni

245
Views
8
Helpful
7
Replies