11-26-2013 07:37 AM
Hello,
I'm working to configure this ASA and having problems with some commands with IOS version 8.4
the command is static (inside,outside) 192.168.2.0 access-list policy-nat
Can you help me with the proper command in version 8.4, as the one listed above will not work.
Thank you
11-26-2013 07:59 AM
Hi Stephen,
The needed new configuration depends on the contents of the "access-list"
So we would need the output of
show access-list policy-nat
If the access-list was this for example
access-list policy-nat permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
static (inside,outside) 192.168.2.0 access-list policy-nat
Then the new configuration would be
object network LAN
subnet 192.168.100.0 255.255.255.0
object network LAN-NATED
subnet 192.168.2.0 255.255.255.0
object network REMOTE-LAN
subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source static LAN LAN-NATED destination static REMOTE-LAN REMOTE-LAN
Naturally the naming policy of the "object" will probably be different depending on your needs and the actual setup that this configuration applies to. Also, if the "access-list" contains mentions of "tcp" / "udp" and their ports then the configuration would look different.
To show you the exact configuration we would need to see the "access-list" contents.
Hope this helps
- Jouni
11-26-2013 08:09 AM
Hello Jouni,
Thank you for sending me the link Saturday night for Pix/ASA 7.x and Later:LAN-to-LAN IPSec VPN with Overlapping Networks Configuration Example.
The command I sent you came from this document; when we type this command on our ASA 8.4 it says error: unrecognized command.
I'm not sure what the commands should be for IOS 8.45-k8 using the access-list or the static NAT in this document.
Thank you
11-26-2013 08:21 AM
Hmm,
I am not sure if I have sent any link. Must have been someone else since I have been extremely busy at work and have not really had time to read the forums in the past week or so. Or then my memory is starting to fail me
If the example configuration you are referring to is this
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
static (inside,outside) 192.168.2.0 access-list policy-nat
Then the corresponding 8.3+ version NAT configuration is
object network LAN
subnet 192.168.1.0 255.255.255.0
object network LAN-NATED
subnet 192.168.2.0 255.255.255.0
object network REMOTE-LAN
subnet 192.168.3.0 255.255.255.0
nat (inside,outside) source static LAN LAN-NATED destination static REMOTE-LAN REMOTE-LAN
I presume though that you are not using the exact networks here? If you are then naturally this should apply to your situation. If not, then you should be able to apply the above logic so that it fits your purpose.
Otherwise I would need to see your actual setup.
Hope this helps
- Jouni
11-26-2013 08:29 AM
Jouni,
After checking my e-mail I need to say my bad: you did send me this document.
I'm following this document completely to understand the commands, to confirm this works in the Lab before we push into production.
I will go configure the equipment as shown above.
Thank you my friend.
11-26-2013 08:35 AM
Hi,
If you are going to configure 2 ASA firewalls with overlapping LAN networks then remember to also configure a corresponding Static Policy NAT on the other ASA unit. Naturally the configuration for the other unit isn't exactly the same as the above.
For example, let's say that the below configuration is for Site 1
object network LAN
subnet 192.168.1.0 255.255.255.0
object network LAN-NATED
subnet 192.168.2.0 255.255.255.0
object network REMOTE-LAN
subnet 192.168.3.0 255.255.255.0
nat (inside,outside) source static LAN LAN-NATED destination static REMOTE-LAN REMOTE-LAN
It tells the ASA to NAT the LAN network 192.168.1.0/24 to network 192.168.2.0/24 when the destination is 192.168.3.0/24
On the other site you will have the LAN network 192.168.1.0/24 also, but you will have to NAT it to something else. To follow the document's example for the other site and change the NAT configuration to the new format, Site 2 would be
object network LAN
subnet 192.168.1.0 255.255.255.0
object network LAN-NATED
subnet 192.168.3.0 255.255.255.0
object network REMOTE-LAN
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static LAN LAN-NATED destination static REMOTE-LAN REMOTE-LAN
This would tell the Site 2 ASA to NAT the overlapping network 192.168.1.0/24 to network 192.168.3.0/24 when the destination network is 192.168.2.0/24. And naturally the network 192.168.2.0/24 is the NAT network we just configured at the Site 1 ASA.
Hope this makes sense
- Jouni
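The conversion Jouni describes in his posts above (a pre-8.3 `static (inside,outside) <mapped> access-list <name>` plus the access-list's ACEs becoming `object network` definitions and a `nat ... source static ... destination static` line) and the Site 1 / Site 2 pairing for overlapping LANs can both be mechanised. The script below is an added example written for this thread, not Jouni's or Cisco's code. It assumes object names generated from the networks (the thread uses hand-picked names like LAN, LAN-NATED, REMOTE-LAN), handles only plain `ip` ACEs (an ACE with tcp/udp ports is rejected, since, as noted above, that form needs a different configuration), and applies the real subnet's mask to the mapped address, which is what the legacy command does. The sample configs are constructed from the thread's Site 1 / Site 2 example.

```python
"""Convert pre-8.3 ASA static policy NAT to the 8.3+ object/manual NAT form.

Added example for this thread (not Jouni's or Cisco's code). Assumptions:
object names are generated (REAL_/MAPPED_/DEST_ plus network), only plain
'ip' ACEs are supported, and 'any' is not handled.
"""
import ipaddress
import re

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)(?P<rest>.*)$"
)
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+(?P<mapped>\S+)\s+"
    r"access-list\s+(?P<name>\S+)$"
)


def obj_name(prefix, network):
    """Deterministic object name, e.g. REAL_192_168_1_0_24 (our naming, not Cisco's)."""
    return f"{prefix}_{str(network.network_address).replace('.', '_')}_{network.prefixlen}"


def site_rules(config_text):
    """Parse legacy lines into ((real_if, mapped_if), real, mapped, destination) tuples.

    The mapped address in 'static ... access-list' carries no mask; the ASA uses
    the real (source) subnet's mask, so we do too. Host bits set under that mask
    make ipaddress raise ValueError, which catches a typo before it hits a box.
    """
    acls, statics = {}, []
    for raw in config_text.splitlines():
        # 'host X' is shorthand for 'X 255.255.255.255'
        line = re.sub(r"\bhost\s+(\S+)", r"\1 255.255.255.255", raw.strip())
        m = ACE_RE.match(line)
        if m:
            if m["proto"] != "ip" or m["rest"].strip():
                raise ValueError(f"unsupported ACE, ports need service objects: {line}")
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}")
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}")
            acls.setdefault(m["name"], []).append((src, dst))
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groupdict())
    rules = []
    for st in statics:
        if st["name"] not in acls:
            raise ValueError(f"static refers to undefined access-list {st['name']}")
        for src, dst in acls[st["name"]]:
            mapped = ipaddress.ip_network(f"{st['mapped']}/{src.prefixlen}")
            rules.append(((st["real_if"], st["mapped_if"]), src, mapped, dst))
    return rules


def convert(config_text):
    """Emit 8.3+ 'object network' blocks followed by the manual NAT lines."""
    objects = {}  # name -> network; dict keeps first-seen order and dedups
    nat_lines = []
    for (real_if, mapped_if), src, mapped, dst in site_rules(config_text):
        names = []
        for prefix, n in (("REAL", src), ("MAPPED", mapped), ("DEST", dst)):
            name = obj_name(prefix, n)
            objects.setdefault(name, n)
            names.append(name)
        real_o, mapped_o, dst_o = names
        nat_lines.append(f"nat ({real_if},{mapped_if}) source static {real_o} {mapped_o} "
                         f"destination static {dst_o} {dst_o}")
    out = []
    for name, n in objects.items():
        out.append(f"object network {name}")
        out.append(f" subnet {n.network_address} {n.netmask}")
    return out + nat_lines


def check_site_pair(site1_text, site2_text):
    """Problems for two sites with overlapping LANs; an empty list means consistent.

    Each site's mapped network must be what the peer uses as its destination,
    and the mapped networks must not overlap each other or a site's real LAN.
    """
    r1, r2 = site_rules(site1_text), site_rules(site2_text)
    problems = []
    for label, mine, theirs in (("site1", r1, r2), ("site2", r2, r1)):
        for _, src, mapped, dst in mine:
            if mapped.overlaps(src):
                problems.append(f"{label}: mapped {mapped} overlaps real {src}")
            if not any(t_dst == mapped and t_mapped == dst for _, _, t_mapped, t_dst in theirs):
                problems.append(f"{label}: peer has no rule mapped to {dst} and sending to {mapped}")
    for _, _, m1, _ in r1:
        for _, _, m2, _ in r2:
            if m1.overlaps(m2):
                problems.append(f"mapped networks overlap: {m1} and {m2}")
    return problems


# Constructed sample input following the thread's Site 1 / Site 2 example.
SITE1_LEGACY = """
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
static (inside,outside) 192.168.2.0 access-list policy-nat
"""
SITE2_LEGACY = """
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
static (inside,outside) 192.168.3.0 access-list policy-nat
"""

if __name__ == "__main__":
    for label, cfg in (("Site 1", SITE1_LEGACY), ("Site 2", SITE2_LEGACY)):
        print(f"! {label}")
        print("\n".join(convert(cfg)))
    print("! pair check:", check_site_pair(SITE1_LEGACY, SITE2_LEGACY) or "OK")
```

Running it prints the two converted configurations and `OK` for the pair check; feeding it the mistake Jouni warns about (Site 2 mapping to 192.168.2.0/24 as well) returns a non-empty problem list instead, which is worth running before either config reaches a production unit.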
11-26-2013 08:52 AM
I would have missed that, until the ASA said you can't do that.
This will really help get this lab configured.
Thank you Jouni, you are the best…
11-26-2013 11:15 AM
Ok,
Let me know how it goes when you've had the chance to try out the lab setup
- Jouni
11-26-2013 11:29 AM
Jouni,
While working with one of the three ASAs, it would continue to reboot, never locating the Flash image.
Thinking we have a flash issue we erased the Flash - I guess this was a bad idea for we only get the ROMON mode now.
I'm able to tftp the image file to the ASA, but after the reboot we try to copy the image to the Flash and we have no space left.
Not sure what we can do, as it seems we have lost everything on the Flash including our license.
Thanks
11-26-2013 12:16 PM
Hi,
To be honest I am not sure what could be done at this point.
I imagine if you have any old "show version" output of the same firewall then you should probably be able to enter that "activation-key" shown at the bottom to the ASA and recover its license on the Flash. I am not 100% sure.
I am not sure if you could get some kind of help from Cisco to get the device to the original state it was in.
- Jouni