Cisco Support Community

New Member

PIX nat to ASA nat question

How do I convert my old Cisco PIX nat statement to the Cisco ASA 9.1 code?

Original NAT statement:

global (outside) 71 1.1.1.1
nat (inside) 71 access-list ACL-inbound 0 0

access-list ACL-inbound permit ip host 192.168.1.1 any 

  • WAN Routing and Switching
6 REPLIES
VIP Purple

Take a look at the following examples:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

I did look at that prior to posting this, but it didn't have exactly what I was looking for, and I was also looking for a little bit of detail and explanation on how and why it works with the new code.

VIP Purple

You have a policy-NAT config with an ACL that has a destination of "any". So you could write that statement also as

global (outside) 71 1.1.1.1
nat (inside) 71 192.168.1.1 255.255.255.255

That's a dynamic NAT-translation that can be configured in two ways in the new code:

With Auto/Object-NAT:

object network HOST
  host 192.168.1.1
  nat (inside,outside) dynamic 1.1.1.1

With manual-NAT:

object network HOST
  host 192.168.1.1
object network HOST-NAT
  host 1.1.1.1

nat (inside,outside) source dynamic HOST HOST-NAT

-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Perfect!!!

Thank you

New Member

What if I were to have this...

global (outside) 71 1.1.1.1
nat (inside) 71 access-list ACL-inbound 0 0

access-list ACL-inbound permit ip host 192.168.1.1 any 
access-list ACL-inbound permit ip host 192.168.1.2 host 169.0.0.1 
access-list ACL-inbound permit ip 192.168.1.1 255.255.255.0 any 

VIP Purple

You have to split that, as you have two different needs:

  • Normal NAT

That can be configured as the above-mentioned manual NAT, where you can also use an object-group instead of an object. The third ACL line is probably a typo?

object-group network NAT1
  network-object host 192.168.1.1
  network-object 192.168.2.0 255.255.255.0
!
nat (inside,outside) source dynamic NAT1 HOST-NAT

  • Policy NAT

For that you also have to configure manual NAT, as you need to specify the destination. Here the destination is not changed:

object network HOST1
  host 192.168.1.2
object network DEST-HOST
  host 169.0.0.1
!
nat (inside,outside) source dynamic HOST1 HOST-NAT destination static DEST-HOST DEST-HOST

BTW: This is more a Security-Firewalling topic. You should move it to the right area of the forum.

-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
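The two answers above describe one conversion rule applied twice: an ACL entry whose destination is "any" becomes plain dynamic NAT on the source (object NAT or manual NAT), and an entry with a specific destination becomes manual NAT with "destination static". The following Python script is an added example, not code from this thread, from Cisco, or from the linked document: it parses old-style global/nat/access-list lines and emits the 8.3+ equivalents. The object names (HOST-..., NET-..., NAT-<pool>-<interface>), the assumption that each pool id maps to a single PAT address, and the "!" warning lines are this script's own conventions. It refuses to convert an ACL line whose address has host bits set under its mask (the line the last answer flags as a typo) instead of silently emitting a bad subnet, and it places the specific-destination rules before the general ones because the ASA matches manual NAT rules top-down in configured order.

```python
"""Rewrite pre-8.3 PIX/ASA NAT (global / nat / access-list) as ASA 8.3+ object and
manual NAT. Added example: the object names, the one-PAT-address-per-pool
assumption and the '!' warning lines are this script's conventions, not Cisco's."""
import ipaddress

# Constructed sample: the follow-up question's three-line ACL, typo included.
SAMPLE_CONFIG = """
global (outside) 71 1.1.1.1
nat (inside) 71 access-list ACL-inbound 0 0
access-list ACL-inbound permit ip host 192.168.1.1 any
access-list ACL-inbound permit ip host 192.168.1.2 host 169.0.0.1
access-list ACL-inbound permit ip 192.168.1.1 255.255.255.0 any
"""

def parse_endpoint(tokens, i):
    """Parse 'host A', 'any' or 'A MASK' at tokens[i]; return (endpoint, next index)."""
    if tokens[i] == "host":
        return ("host", tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ("any", None), i + 1
    if tokens[i + 1] == "255.255.255.255":            # a /32 written with a mask
        return ("host", tokens[i]), i + 2
    return ("net", (tokens[i], tokens[i + 1])), i + 2

def object_for(endpoint):
    """Return (object name, 'object network' lines); (None, []) for 'any'. Raises
    ValueError when a network has host bits set under its mask (the thread's typo)."""
    kind, value = endpoint
    if kind == "any":
        return None, []
    if kind == "host":
        name = "HOST-" + value.replace(".", "-")
        return name, [f"object network {name}", f"  host {value}"]
    net = ipaddress.ip_network(f"{value[0]}/{value[1]}", strict=True)
    name = f"NET-{str(net.network_address).replace('.', '-')}-{net.prefixlen}"
    return name, [f"object network {name}", f"  subnet {value[0]} {value[1]}"]

def member_line(endpoint):
    """object-group network member line for a host or network endpoint."""
    kind, value = endpoint
    return (f"  network-object host {value}" if kind == "host"
            else f"  network-object {value[0]} {value[1]}")

def parse_old_nat(text):
    """Collect global pools, nat statements and ACL entries from the old syntax."""
    pools, nats, acls = {}, [], {}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "global":                               # global (IFACE) ID IP
            pools[(t[1].strip("()"), t[2])] = t[3]
        elif t[0] == "nat":                                # nat (IFACE) ID access-list NAME | A MASK
            spec = ("acl", t[4]) if t[3] == "access-list" else ("src", parse_endpoint(t, 3)[0])
            nats.append((t[1].strip("()"), t[2], spec))
        elif t[0] == "access-list" and t[2] == "permit":   # access-list NAME permit ip SRC DST
            src, i = parse_endpoint(t, 4)
            dst, _ = parse_endpoint(t, i)
            acls.setdefault(t[1], []).append((src, dst, raw.strip()))
    return pools, nats, acls

def convert(text):
    """Return ASA 8.3+ config lines. Specific-destination (policy) rules are emitted
    before the general ones because manual NAT is matched top-down in config order."""
    pools, nats, acls = parse_old_nat(text)
    objects, groups, warnings, policy_rules, general_rules = {}, [], [], [], []

    def define(endpoint):                    # dedupe 'object network' definitions
        name, lines = object_for(endpoint)
        objects.setdefault(name, lines)
        return name

    for in_if, pool_id, (kind, value) in nats:
        match = [(i, ip) for (i, p), ip in pools.items() if p == pool_id]
        if not match:
            warnings.append(f"! no 'global' for pool {pool_id} on {in_if}; skipped")
            continue
        out_if, pat_ip = match[0]            # assumption: one PAT address per pool
        pat = define(("host", pat_ip))
        aces = acls.get(value, []) if kind == "acl" else [(value, ("any", None), "")]
        general = []
        for src, dst, raw in aces:
            try:
                object_for(src), object_for(dst)         # validation only
            except ValueError as err:
                warnings.append(f"! not converted ({err}): {raw}")
                continue
            if dst[0] == "any":
                general.append(src)
            else:
                s, d = define(src), define(dst)
                policy_rules.append(f"nat ({in_if},{out_if}) source dynamic {s} {pat} "
                                    f"destination static {d} {d}")
        if len(general) == 1:
            general_rules.append(f"nat ({in_if},{out_if}) source dynamic {define(general[0])} {pat}")
        elif general:
            grp = f"NAT-{pool_id}-{in_if}"
            groups += [f"object-group network {grp}"] + [member_line(e) for e in general]
            general_rules.append(f"nat ({in_if},{out_if}) source dynamic {grp} {pat}")

    body = [line for lines in objects.values() for line in lines] + groups
    return warnings + body + ["!"] + policy_rules + general_rules

if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_CONFIG)))
```

Run as-is it prints the converted config for the constructed sample, with the mistyped third ACL line reported as a "!" comment rather than converted; correct that line to 192.168.2.0 255.255.255.0 and the two "any" sources are collapsed into one object-group, as in the last answer. The script does not emit object NAT (the first answer's shorter form), because that form cannot express the destination condition and keeping every rule in manual NAT keeps the ordering explicit.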