5505 ASA Commands

Stephen Sisson
Level 1

Hello,

I'm working to configure this ASA and having problems with some commands on IOS version 8.4.

The command is: static (inside,outside) 192.168.2.0 access-list policy-nat

Can you help me with the proper command in version 8.4, as the one listed above will not work.

Thank you


Jouni Forss
VIP Alumni

Hi Stephen,

The needed new configuration depends on the contents of the "access-list".

So we would need the output of

show access-list policy-nat

If the access-list was this, for example:

access-list policy-nat permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
static (inside,outside) 192.168.2.0 access-list policy-nat

Then the new configuration would be:

object network LAN
 subnet 192.168.100.0 255.255.255.0
object network LAN-NATED
 subnet 192.168.2.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source static LAN LAN-NATED destination static REMOTE-LAN REMOTE-LAN

Naturally the naming policy of the "object" will probably be different depending on your needs and the actual setup that this configuration applies to. Also, if the "access-list" contains mentions of "tcp" / "udp" and their ports then the configuration would look different.

To show you the exact configuration we would need to see the "access-list" contents.

Hope this helps

- Jouni

Hello Jouni,

Thank you for sending me the link Saturday night for "PIX/ASA 7.x and Later: LAN-to-LAN IPsec VPN with Overlapping Networks Configuration Example".

The command I sent you came from this document; when we type this command on our ASA 8.4 it says "error: unrecognized command".

I'm not sure what the commands should be for IOS 8.45-k8 using the access-list or the static NAT from this document.

Thank you

Hmm,

I am not sure if I have sent any link. It must have been someone else, since I have been extremely busy at work and have not really had time to read the forums in the past week or so. Or then my memory is starting to fail me.

If the example configuration you are referring to is this:

access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
static (inside,outside) 192.168.2.0 access-list policy-nat

Then the corresponding 8.3+ version NAT configuration is:

object network LAN
 subnet 192.168.1.0 255.255.255.0
object network LAN-NATED
 subnet 192.168.2.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.3.0 255.255.255.0
nat (inside,outside) source static LAN LAN-NATED destination static REMOTE-LAN REMOTE-LAN

I presume though that you are not using the exact networks here? If you are, then naturally this should apply to your situation. If not, then you should be able to apply the above logic so that it fits your purpose.

Otherwise I would need to see your actual setup.

Hope this helps

- Jouni

Jouni,

After checking my e-mail I need to say my bad: you did send me this document.

I'm following this document completely to understand the commands, to confirm this works in the Lab before we push into production.

I will go configure the equipment as shown above.

Thank you my friend.

Hi,

If you are going to configure 2 ASA firewalls with overlapping LAN networks then remember to also configure a corresponding Static Policy NAT on the other ASA unit. Naturally the configuration for the other unit isn't exactly the same as the above.

For example, let's say that the configuration below is for Site 1:

object network LAN
 subnet 192.168.1.0 255.255.255.0
object network LAN-NATED
 subnet 192.168.2.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.3.0 255.255.255.0
nat (inside,outside) source static LAN LAN-NATED destination static REMOTE-LAN REMOTE-LAN

It tells the ASA to NAT the LAN network 192.168.1.0/24 to network 192.168.2.0/24 when the destination is 192.168.3.0/24.

On the other site you will have the LAN network 192.168.1.0/24 also, but you will have to NAT it to something else. Following the document's example for the other site and changing the NAT configuration to the new format, Site 2 would be:

object network LAN
 subnet 192.168.1.0 255.255.255.0
object network LAN-NATED
 subnet 192.168.3.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static LAN LAN-NATED destination static REMOTE-LAN REMOTE-LAN

This would tell the Site 2 ASA to NAT the overlapping network 192.168.1.0/24 to network 192.168.3.0/24 when the destination network is 192.168.2.0/24. And naturally the network 192.168.2.0/24 is the NAT network we just configured at the Site 1 ASA.

Hope this makes sense

- Jouni
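The conversion Jouni describes in his first two replies (8.2 "static ... access-list" policy NAT to 8.3+ object-based twice NAT) and the mirrored Site 2 configuration from the overlapping-networks reply above, as an added example that is not from the thread or from Cisco: a small Python converter that parses the old-style lines, emits the new form, rejects ACL entries with tcp/udp (which, as Jouni notes, need a different translation), and derives the peer site by swapping the mapped and remote networks. The sample input is constructed from the thread's own addresses; the object names LAN, LAN-NATED and REMOTE-LAN are the ones used above.

```python
import ipaddress
import re

# Constructed sample input: the 8.2-style policy NAT pair quoted in the thread.
OLD_CONFIG = """
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
static (inside,outside) 192.168.2.0 access-list policy-nat
"""

ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit (\S+) (\S+) (\S+) (\S+) (\S+)")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) access-list (\S+)")


def parse_policy_nat(text):
    """Return (inside_if, outside_if, real, mapped, remote); networks are ip_network objects.
    Only plain 'ip' ACL entries are converted: entries with tcp/udp and ports need a
    service-based 8.3+ NAT that this converter does not attempt, so they are rejected."""
    acls = {}
    for m in ACL_RE.finditer(text):
        name, proto, src, smask, dst, dmask = m.groups()
        if proto != "ip":
            raise ValueError(f"ACL {name}: protocol {proto} needs a service-based NAT, not converted")
        acls[name] = (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}"))
    m = STATIC_RE.search(text)
    if not m:
        raise ValueError("no 'static (in,out) <net> access-list <name>' line found")
    inside_if, outside_if, mapped_ip, acl = m.groups()
    real, remote = acls[acl]
    # Static net-to-net NAT maps one-to-one, so the mapped network takes the real prefix length.
    mapped = ipaddress.ip_network(f"{mapped_ip}/{real.prefixlen}")
    return inside_if, outside_if, real, mapped, remote


def to_83_config(inside_if, outside_if, real, mapped, remote):
    """Emit the 8.3+ object / twice-NAT form shown in the thread. The mapped network must
    not overlap the remote one, or the peer could not tell translated traffic from its own LAN."""
    if mapped.overlaps(remote):
        raise ValueError(f"mapped {mapped} overlaps remote {remote}")
    return "\n".join([
        "object network LAN", f" subnet {real.network_address} {real.netmask}",
        "object network LAN-NATED", f" subnet {mapped.network_address} {mapped.netmask}",
        "object network REMOTE-LAN", f" subnet {remote.network_address} {remote.netmask}",
        f"nat ({inside_if},{outside_if}) source static LAN LAN-NATED destination static REMOTE-LAN REMOTE-LAN",
    ])


def peer_site_config(inside_if, outside_if, real, mapped, remote):
    """Site 2 from the thread: the same overlapping LAN, translated to the network Site 1
    calls REMOTE-LAN, with Site 1's mapped network as its remote (mapped and remote swap)."""
    return to_83_config(inside_if, outside_if, real, remote, mapped)
```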

I would have missed that, until the ASA said you can't do that.

This will really help get this lab configured.

Thank you Jouni, you are the best…

Ok,

Let me know how it goes when you've had the chance to try out the lab setup

- Jouni

Jouni,

While working with one of the three ASAs, it would continue to reboot, never locating the Flash image.

Thinking we had a flash issue, we erased the Flash. I guess this was a bad idea, for we only get ROMMON mode now.

I'm able to TFTP the image file to the ASA, but after the reboot we try to copy the image to the Flash and we have no space left.

Not sure what we can do, as it seems we have lost everything on the Flash including our license.

Thanks

Hi,

To be honest I am not sure what could be done at this point.

I imagine if you have any old "show version" output of the same firewall then you should probably be able to enter the "activation-key" shown at the bottom of it on the ASA and recover its license on the Flash. I am not 100% sure.

I am not sure if you could get some kind of help from Cisco to get the device to the original state it was in.

- Jouni
