Solved

cisco ASA - static nat - ver 7.2 to ver 8.3

Posted on 2010-11-11
Last Modified: 2012-05-10
On a cisco ASA 5505 ... with version IOS 8.3 ... how do I do the same acl and nat translations as the following, which are used in a ver 7.2 config?



interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.222.111.222 255.255.255.252

access-list inbound extended permit tcp 77.77.77.0 255.255.255.0 host 111.222.111.222 eq 3389
access-list inbound extended permit tcp any host 111.222.111.222 eq ssh
access-list inbound extended permit tcp any host 111.222.111.222 eq ftp
access-list inbound extended permit tcp any host 111.222.111.222 eq ftp-data

static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ssh 192.168.1.5 ssh netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.5 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.5 ftp-data netmask 255.255.255.255

access-group inbound in interface outside

Question by:dmfcvi
7 Comments
 
LVL 4

Expert Comment

by:thunderhead
ID: 34119544
We tried 8.3 but quickly reverted back due to the changes in NAT, especially as adding one nat entry, i.e. the 3389 line, would be overwritten by the ssh line.

but an example would be:

object network hostname
 host 192.168.1.5
 nat (inside,outside) static interface service tcp ftp ftp

It got very frustrating, so we stuck with the 7x version.
 

Author Comment

by:dmfcvi
ID: 34120684
I agree with the frustration, but I need to get this working without downgrading the IOS ..

 
LVL 4

Expert Comment

by:thunderhead
ID: 34120874
Have a look here, it's a good doc:
https://supportforums.cisco.com/docs/DOC-9129

 
LVL 4

Expert Comment

by:thunderhead
ID: 34120886
 

Author Comment

by:dmfcvi
ID: 34121107
But I haven't seen any example of how to get around the multiple NATs ... like you said in your first post ..
"we tried 8.3 but quickly reverted back due to the changes in NAT, especially as adding one nat entry i.e the 3389 line would be over written by the ssh line"

 
LVL 4

Accepted Solution

by:
thunderhead earned 500 total points
ID: 34121169
I don't think Cisco have fixed that "small" issue yet.

I easily spent a day or more going through our existing config, rewriting it as it "should" be for 8.3, and trying it, only to get half way through entering it all to find that it only supports one entry.

Cisco's option (I think), after spending a long time on the phone to them, was to put in multiple host entries:

object network hostname
 host 192.168.1.5
 nat (inside,outside) static interface service tcp ftp ftp

object network hostname2
 host 192.168.1.5
 nat (inside,outside) static interface service tcp ssh ssh

For your example above you'll end up with 4 host objects.

Personally I think that this "simplification" - as Cisco phrase it - actually leads to a much messier config than the same result in 7.x

Try it with two network object entries and see how it gets on.
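As an added example (not from the thread and not Cisco's own tooling), here is a small Python translator that turns the 7.2 static and access-list lines from the question into the 8.3 form the accepted answer describes: one network object per forwarded port, since 8.3 allows a single nat statement per object, and the access-list rewritten to the real inside address, since 8.3 ACLs match pre-NAT addresses. The obj-<ip>-<port> object naming convention is an assumption.

```python
"""Translate the question's ASA 7.2 'static ... tcp interface' port forwards and ACL
lines into the 8.3 object-NAT form from the accepted answer. Added example, not Cisco's."""
import re

# 7.2 static interface PAT line, e.g.:
# static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
STATIC_RE = re.compile(
    r"static \((\w+),(\w+)\) tcp interface (\S+) (\d+(?:\.\d+){3}) (\S+) netmask")

def translate_statics(static_lines):
    """One network object per port: 8.3 allows a single 'nat' statement under
    each object, so the four 7.2 statics become four objects."""
    out = []
    for line in static_lines:
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        real_if, mapped_if, mapped_port, real_ip, real_port = m.groups()
        name = f"obj-{real_ip}-{mapped_port}"  # hypothetical naming convention
        out += [f"object network {name}", f" host {real_ip}",
                f" nat ({real_if},{mapped_if}) static interface service tcp {real_port} {mapped_port}"]
    return out

def translate_acl(acl_lines, mapped_ip, static_lines):
    """8.3 ACLs match the real (pre-NAT) address: 'host <outside ip> eq <port>'
    becomes the inside host that the 7.2 static for <port> forwards to."""
    ports = {m.group(3): m.group(4) for m in map(STATIC_RE.match, map(str.strip, static_lines)) if m}
    out = []
    for line in acl_lines:
        line = re.sub(r"\s+", " ", line.strip())  # also collapses stray double spaces
        m = re.search(r"host (\S+) eq (\S+)$", line)
        if m and m.group(1) == mapped_ip and m.group(2) in ports:
            line = line.replace(f"host {mapped_ip}", f"host {ports[m.group(2)]}")
        out.append(line)
    return out

# Constructed sample input: the 7.2 lines posted in the question.
STATICS_72 = [
    "static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255",
    "static (inside,outside) tcp interface ssh 192.168.1.5 ssh netmask 255.255.255.255",
    "static (inside,outside) tcp interface ftp 192.168.1.5 ftp netmask 255.255.255.255",
    "static (inside,outside) tcp interface ftp-data 192.168.1.5 ftp-data netmask 255.255.255.255",
]
ACL_72 = [
    "access-list inbound extended permit tcp 77.77.77.0 255.255.255.0 host 111.222.111.222 eq 3389",
    "access-list inbound extended permit tcp any host 111.222.111.222  eq ssh",
]

if __name__ == "__main__":
    print("\n".join(translate_statics(STATICS_72) + translate_acl(ACL_72, "111.222.111.222", STATICS_72)))
```

An ACL line for a port with no matching static is left untouched, so the output makes it visible which rules still need a hand-written object.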
 
LVL 4

Expert Comment

by:thunderhead
ID: 34121215