Question on NAT after Upgrade to 8.3 & 8.4 from 8.2

andrewgarlick
Level 1

Hi, I have been given the task to upgrade the ASA from 8.04 and 6.1 to the latest and greatest versions.

But I read that NAT has changed in 8.3 onwards - below is part of my current setup, how would the syntax work once I upgrade?

Thanks for any help

access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list from-outside extended permit icmp any any

access-list from-outside extended permit gre any any

access-list from-outside extended permit udp any any eq isakmp

access-list from-outside extended permit esp any any

access-list from-outside extended permit ah any any

access-list from-outside extended permit tcp any any eq 500

access-list from-outside extended permit tcp any any eq 4500

access-list from-outside extended permit udp any any eq 4500

access-list from-outside extended permit udp any any eq 1701

access-list from-outside extended permit tcp any any eq 47

access-list DefaultRAGroup_SPLIT standard permit 192.168.1.0 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list no-nat

nat (inside) 1 0.0.0.0 0.0.0.0

access-group from-outside in interface outside

3 Replies

varrao
Level 10

Hi Andy,

Well yes, the NAT and ACL have gone through a change post 8.3 on ASA. In your particular case, there would not be any change in the ACL, since you are using any any in them. But yes, NAT syntax would change, something like this:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

this would change to:

object network any_0.0.0.0

subnet 0.0.0.0 0.0.0.0

nat (inside,outside) dynamic interface

The logic remains the same, but just the syntax has changed.

for more details, kindly go through the Config guide below:

http://www.cisco.com/en/US/customer/docs/security/asa/asa83/configuration/guide/config.html

Hope this helps,

Thanks,

Varun

Thanks,
Varun Rao

Thanks for the quick reply, so my questions are this

What happens to these 2 lines

access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list DefaultRAGroup_SPLIT standard permit 192.168.1.0 255.255.255.0

Also, what do I do with the nat-control line, do I remove it?


Sorry

Hi Andy,

There would be no change in the ACLs at all in version 8.3 or above. Earlier, where you used the public IP address to allow access, in 8.3 instead of the public IP you use the real IP of the host machine.

Let me explain with an example:

in pre 8.3, you had

static (inside,outside) 1.1.1.1 10.1.1.1

access-list out_in permit ip any host 1.1.1.1

but post 8.3, it would be:

object network public_ip

host 1.1.1.1

object network private_ip

host 10.1.1.1

nat (inside,outside) static public_ip

access-list out_in permit ip any host 10.1.1.1

In pre 8.3, for incoming traffic, first the access-list was checked by the ASA and then the un-nat rule, but post 8.3 it has become first un-nat and then the access-list.

In post 8.3, there is no concept of nat-control left, you need not specify anything.

Here is another very good link:

https://supportforums.cisco.com/docs/DOC-12690

Hope it answers all your queries.

Thanks,

Varun

Thanks,
Varun Rao
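The rewrite Varun describes, as an added example that is not part of the thread: a small Python converter that takes the 8.2-style lines quoted above (dynamic PAT to the interface, a one-to-one static, and an ACL that names the mapped address) and emits the 8.3 object-NAT form, rewriting the ACL to the real address because 8.3 un-NATs before the ACL check. Object names (`mapped_…`, `real_…`, `any_…`) are assumptions; only `global … interface` pools are handled and anything unrecognised passes through unchanged.

```python
import re

# Constructed pre-8.3 snippet, assembled from the lines quoted in this thread.
PRE_83 = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.1.1.1 10.1.1.1
access-list out_in permit ip any host 1.1.1.1
"""

# nat id 0 (identity NAT via access-list) is deliberately not matched here.
DYN_NAT = re.compile(r"^nat \((\S+)\) ([1-9]\d*) (\S+) (\S+)$")
GLOBAL = re.compile(r"^global \((\S+)\) (\d+) interface$")
STATIC = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)$")
ACL_HOST = re.compile(r"^(access-list .* host )(\S+)$")


def migrate(config):
    """Return 8.3-style lines for an 8.2-style NAT/ACL snippet.

    Dynamic 'nat' entries are paired with their 'global' pool by id and
    become object NAT; 'static' entries become an object with a static
    nat; ACL 'host' entries that name a mapped address are rewritten to
    the real address (8.3 un-NATs first, then checks the ACL).
    """
    globals_, dyn, acl_lines, mapped_to_real, out = {}, [], [], {}, []
    for line in config.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := GLOBAL.match(line):
            globals_[m[2]] = m[1]            # nat id -> mapped interface
        elif m := DYN_NAT.match(line):
            dyn.append(m.groups())
        elif m := STATIC.match(line):
            real_if, mapped_if, mapped, real = m.groups()
            mapped_to_real[mapped] = real
            out += [f"object network mapped_{mapped}", f" host {mapped}",
                    f"object network real_{real}", f" host {real}",
                    f" nat ({real_if},{mapped_if}) static mapped_{mapped}"]
        elif ACL_HOST.match(line):
            acl_lines.append(line)           # rewritten after statics seen
        else:
            out.append(line)                 # unhandled: pass through as-is
    for real_if, nat_id, net, mask in dyn:
        name = f"any_{net}" if net == "0.0.0.0" else f"net_{net}"
        out += [f"object network {name}", f" subnet {net} {mask}",
                f" nat ({real_if},{globals_[nat_id]}) dynamic interface"]
    for line in acl_lines:
        m = ACL_HOST.match(line)
        out.append(m[1] + mapped_to_real.get(m[2], m[2]))
    return out
```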