Cisco Support Community

Quick question re: migration of nat exemption from asa pre-8.2 to post-8.2

I am going through http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.pdf and I have a question about nat exemption.  According to the guide above, the migration of nat exemption will look like this:

-----

access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound
-----
object network obj-vLan201
subnet vLan201 255.255.255.0

object network obj-172.19.252.0
subnet 172.19.252.0 255.255.255.0

nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.252.0 obj-172.19.252.0

-----

My question is this: if acl inside_nat0_outbound has multiple ACEs, does the migrated configuration contain a separate "nat (inside,any)" statement for each ACE in the original pre-8.3 config, like this?

-----

access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.253.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

-----

object network obj-vLan201
subnet vLan201 255.255.255.0

object network obj-172.19.252.0
subnet 172.19.252.0 255.255.255.0

object network obj-172.19.253.0
subnet 172.19.253.0 255.255.255.0

nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.252.0 obj-172.19.252.0

nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.253.0 obj-172.19.253.0

-----

Our current acl has about twenty entries, which would make for twenty nat statements, if this is right.

Thanks,

-Mathew
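The mapping the post quotes from the migration guide, applied to an exemption ACL with several ACEs, as an added example that is not part of the original post and is not Cisco's migration tool. The script reads a pre-8.3 ACL plus its "nat (iface) 0 access-list" line and emits the 8.3+ form: each distinct address becomes one "object network" (created once and reused, as obj-vLan201 is in the post), and each ACE becomes its own identity twice-NAT line with the egress interface "any". It assumes the ACE subset the post uses ("permit ip" with subnet, "host" or "any" operands); anything else is rejected rather than silently translated. The sample configuration is constructed for the example.

```python
"""Emit ASA 8.3+ twice-NAT identity rules from a pre-8.3 nat 0 exemption ACL.

Added example, not Cisco's migration tool: it reproduces the mapping shown
in the post (one nat line per ACE, objects created once) for plain
'permit ip' ACEs using subnet, host or any operands.
"""
import re
from collections import OrderedDict

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$")

# Constructed sample: the two ACEs from the question plus a 'host' entry.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.253.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 10.1.1.5 172.19.254.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""


def _endpoint(tokens):
    """Consume one address operand from an ACE.

    Returns (nat_operand, object_name, object_body, remaining_tokens).
    'any' is used directly as the twice-NAT operand, so no object is created.
    """
    if tokens[0] == "any":
        return "any", None, None, tokens[1:]
    if tokens[0] == "host":
        name = f"obj-{tokens[1]}"
        return name, name, f"host {tokens[1]}", tokens[2:]
    net, mask = tokens[0], tokens[1]
    name = f"obj-{net}"
    return name, name, f"subnet {net} {mask}", tokens[2:]


def migrate_nat0(config_text):
    """Return the 8.3+ configuration equivalent to the given nat 0 exemption.

    Output order: every 'object network' once (first-seen order), then one
    identity twice-NAT line per ACE in ACL order. Raises ValueError for ACEs
    that are not plain 'permit ip' and therefore need manual treatment.
    """
    aces = {}    # ACL name -> list of (action, protocol, operand string)
    nat0 = []    # list of (interface, ACL name) from 'nat (iface) 0 access-list'
    for line in config_text.splitlines():
        line = line.strip()
        m = ACE_RE.match(line)
        if m:
            aces.setdefault(m.group(1), []).append(m.groups()[1:])
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0.append(m.groups())

    objects = OrderedDict()
    nat_lines = []
    for iface, acl in nat0:
        for action, proto, operands in aces.get(acl, []):
            if action != "permit" or proto != "ip":
                raise ValueError(
                    f"ACE '{action} {proto}' in {acl} is not a plain IP exemption; migrate by hand")
            tokens = operands.split()
            src, src_name, src_body, tokens = _endpoint(tokens)
            dst, dst_name, dst_body, tokens = _endpoint(tokens)
            for name, body in ((src_name, src_body), (dst_name, dst_body)):
                if name is not None:
                    objects.setdefault(name, body)   # created once, reused by later ACEs
            # A pre-8.3 'nat 0 access-list' exemption becomes an identity
            # twice-NAT rule with egress interface 'any', as in the post.
            nat_lines.append(
                f"nat ({iface},any) source static {src} {src} destination static {dst} {dst}")

    out = []
    for name, body in objects.items():
        out.append(f"object network {name}")
        out.append(f" {body}")
    out.extend(nat_lines)
    return "\n".join(out)


if __name__ == "__main__":
    print(migrate_nat0(SAMPLE_CONFIG))
```

Running it on the sample prints five objects and three nat lines, so a twenty-entry exemption ACL does become twenty nat statements, while shared source objects are not duplicated. Note that the ACL-to-twice-NAT mapping is the only thing this script does; an exemption that was really protecting VPN traffic still needs to be reviewed on its own terms after migration.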


Hi,

Default behaviour for NAT past the 8.2 software level is to let traffic flow through the ASA without NAT. Before that, the "nat-control" setting on the ASA defined whether the traffic needed a NAT configuration or not.

If your NAT0 / NAT Exempt configurations contain statements meant for VPN connections then you have to make new ones for those.

Are the entries in your old NAT0 configurations meant for traffic between different networks in your own LAN or are they meant for different VPN connections? Or perhaps both.

But as you said, moving to the new software does mean that even a simple NAT configuration will now contain more lines than in the old software.

- Jouni
