  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2011

cisco ASA - static nat - ver 7.2 to ver 8.3

On a Cisco ASA 5505 with version IOS 8.3, how do I do the same ACL and NAT translations as the following, which are used in a ver 7.2 config?

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.222.111.222 255.255.255.252

access-list inbound extended permit tcp 77.77.77.0 255.255.255.0 host 111.222.111.222 eq 3389
access-list inbound extended permit tcp any host 111.222.111.222  eq ssh
access-list inbound extended permit tcp any host 111.222.111.222 eq ftp
access-list inbound extended permit tcp any host 111.222.111.222 eq ftp-data

static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ssh 192.168.1.5 ssh netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.5 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.5 ftp-data netmask 255.255.255.255

access-group inbound in interface outside

0

Asked by: dmfcvi

1 Solution
 
thunderhead commented:
We tried 8.3 but quickly reverted back due to the changes in NAT, especially as adding one NAT entry, i.e. the 3389 line, would be overwritten by the ssh line.

but an example would be:

object network hostname
 host 192.168.1.5
 ! "interface" maps the port to the outside interface address, as "static ... tcp interface" did in 7.2
 nat (inside,outside) static interface service tcp ftp ftp

It got very frustrating, so we stuck with the 7x version.
0
 
dmfcvi (Author) commented:
I agree with the frustration, but I need to get this working without downgrading the IOS.

0
 
thunderhead commented:
Have a look here, it's a good doc:
https://supportforums.cisco.com/docs/DOC-9129
0
 
dmfcvi (Author) commented:
But I haven't seen any example of how to get around the multiple NATs, like you said in your first post:
"we tried 8.3 but quickly reverted back due to the changes in NAT, especially as adding one nat entry i.e the 3389 line would be over written by the ssh line"

0
 
thunderhead commented:
I don't think Cisco have fixed that "small" issue yet.

I easily spent a day or more going through our existing config, rewriting it as it "should" be for 8.3, and trying it, only to get halfway through entering it all to find that it only supports one entry.

Cisco's option (I think), after spending a long time on the phone to them, was to put in multiple host entries:

object network hostname
 host 192.168.1.5
 nat (inside,outside) static interface service tcp ftp ftp

! A second object for the same host, because each object holds only one nat statement
object network hostname2
 host 192.168.1.5
 nat (inside,outside) static interface service tcp ssh ssh

For your example above you'll end up with 4 host objects.

Personally I think that this "simplification", as Cisco phrase it, actually leads to a much messier config than the same result in 7.x.

Try it with two network object entries and see how it gets on.
0
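For completeness, the full 8.3 equivalent of the 7.2 config in the question, written up as an added example (it is not from the thread or from Cisco's documentation). The object names are my own choice; the other migration change alongside the per-object NAT statements is that from 8.3 the access list matches the real (inside) address rather than the translated outside address.

```cisco
! 8.3 equivalent of the four 7.2 "static (inside,outside) tcp interface ..." lines.
! One network object per forwarded port, because an object holds only one nat statement.
object network obj-192.168.1.5-rdp
 host 192.168.1.5
 nat (inside,outside) static interface service tcp 3389 3389
!
object network obj-192.168.1.5-ssh
 host 192.168.1.5
 nat (inside,outside) static interface service tcp ssh ssh
!
object network obj-192.168.1.5-ftp
 host 192.168.1.5
 nat (inside,outside) static interface service tcp ftp ftp
!
object network obj-192.168.1.5-ftp-data
 host 192.168.1.5
 nat (inside,outside) static interface service tcp ftp-data ftp-data
!
! From 8.3 on, access lists are evaluated against the real (untranslated) address,
! so the rules reference 192.168.1.5 instead of the outside interface address.
! RDP stays restricted to 77.77.77.0/24 as in the 7.2 config.
access-list inbound extended permit tcp 77.77.77.0 255.255.255.0 host 192.168.1.5 eq 3389
access-list inbound extended permit tcp any host 192.168.1.5 eq ssh
access-list inbound extended permit tcp any host 192.168.1.5 eq ftp
access-list inbound extended permit tcp any host 192.168.1.5 eq ftp-data
!
access-group inbound in interface outside
```

After entering it, `show nat detail` should list the four translations, and `packet-tracer input outside tcp 77.77.77.10 1025 111.222.111.222 3389` (source host made up from the permitted subnet) walks a sample RDP packet through the NAT and ACL phases so the rewrite can be confirmed before the old lines are removed.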