• Status: Solved
  • Priority: Medium
  • Security: Public

cisco ASA - static nat - ver 7.2 to ver 8.3

On a Cisco ASA 5505 ... with version IOS 8.3 ... how do I do the same ACL and NAT translations as the following, which are used in a ver 7.2 config?

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.222.111.222 255.255.255.252

access-list inbound extended permit tcp 77.77.77.0 255.255.255.0 host 111.222.111.222 eq 3389
access-list inbound extended permit tcp any host 111.222.111.222 eq ssh
access-list inbound extended permit tcp any host 111.222.111.222 eq ftp
access-list inbound extended permit tcp any host 111.222.111.222 eq ftp-data

static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ssh 192.168.1.5 ssh netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.5 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.5 ftp-data netmask 255.255.255.255

access-group inbound in interface outside

Asked by dmfcvi
1 Solution
 
thunderhead commented:
we tried 8.3 but quickly reverted back due to the changes in NAT, especially as adding one nat entry, i.e. the 3389 line, would be overwritten by the ssh line

but an example would be:

! object NAT in 8.3: the object holds the real host, the nat line maps it to the
! outside interface address for one service (keyword order is "object network")
object network hostname
 host 192.168.1.5
 nat (inside,outside) static interface service tcp ftp ftp

It got very frustrating, so we stuck with the 7.x version.
 
dmfcvi (author) commented:
I agree with the frustration, but I need to get this working without downgrading the IOS ..

 
thunderhead commented:
Have a look here, it's a good doc:
https://supportforums.cisco.com/docs/DOC-9129

dmfcvi (author) commented:
But I haven't seen any example of how to get around the multiple NATs ... like you said in your first post ..
"we tried 8.3 but quickly reverted back due to the changes in NAT, especially as adding one nat entry i.e the 3389 line would be over written by the ssh line"

 
thunderhead commented:
I don't think Cisco have fixed that "small" issue yet.

I easily spent a day or more going through our existing config, rewriting it as it "should" be for 8.3, and trying it, only to get halfway through entering it all to find that it only supports one entry.

Cisco's option (I think, after spending a long time on the phone to them) was to put in multiple host entries:

! one network object per forwarded service, all pointing at the same real host;
! each object carries exactly one nat line, mapped to the outside interface address
object network hostname
 host 192.168.1.5
 nat (inside,outside) static interface service tcp ftp ftp

object network hostname2
 host 192.168.1.5
 nat (inside,outside) static interface service tcp ssh ssh

For your example above you'll end up with 4 host objects.

Personally I think that this "simplification" - as Cisco phrase it - actually leads to a much messier config than the same result in 7.x

Try it with two network object entries and see how it gets on.
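The workaround above (one network object per forwarded port) is mechanical enough to script. The following is an added example, not code from the thread or from Cisco: it parses the 7.2 `static` and `access-list` lines from the question, emits one 8.3 network object per port-forward (because 8.3 object NAT accepts a single `nat` line per object, exactly the limit thunderhead hit), and rewrites the inbound ACL to the real host address, since from 8.3 onwards access lists are evaluated against real (pre-NAT) addresses rather than the outside interface IP. The object names (`obj-...`) are an assumed naming convention, and the sample config string is constructed from the question.

```python
import re

# Constructed sample: the 7.2 lines from the question above, as one string.
ASA_72_CONFIG = """\
access-list inbound extended permit tcp 77.77.77.0 255.255.255.0 host 111.222.111.222 eq 3389
access-list inbound extended permit tcp any host 111.222.111.222 eq ssh
access-list inbound extended permit tcp any host 111.222.111.222 eq ftp
access-list inbound extended permit tcp any host 111.222.111.222 eq ftp-data
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ssh 192.168.1.5 ssh netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.5 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.5 ftp-data netmask 255.255.255.255
access-group inbound in interface outside
"""

# Outside interface address from the question; the "interface" keyword in a
# 7.2 static line refers to it.
OUTSIDE_IP = "111.222.111.222"

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)\b"
)
ACL_RE = re.compile(
    r"^(?P<head>access-list \S+ extended permit (?P<proto>tcp|udp) .+?) "
    r"host (?P<dst>\S+) eq (?P<port>\S+)\s*$"
)


def parse_statics(config):
    """Return the port-forwarding 'static' lines of a 7.2 config as dicts."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groupdict())
    return statics


def to_object_nat(statics):
    """Emit one 8.3 network object per forwarded port.

    Object NAT allows a single 'nat' line per object, so four 7.2 statics for
    the same host become four objects. 'obj-...' names are an assumed convention.
    """
    lines = []
    for s in statics:
        name = f"obj-{s['real_ip']}-{s['proto']}-{s['real_port']}"
        lines += [
            f"object network {name}",
            f" host {s['real_ip']}",
            f" nat ({s['real_if']},{s['mapped_if']}) static {s['mapped_ip']} "
            f"service {s['proto']} {s['real_port']} {s['mapped_port']}",
        ]
    return lines


def rewrite_non_nat_lines(config, statics):
    """Pass non-static lines through, rewriting ACL destinations to real addresses.

    8.3 evaluates ACLs against the real (pre-NAT) host, so a rule that still
    permits traffic to the outside interface IP would never match the
    forwarded server. ACL lines with no matching static are left unchanged.
    """
    mapped_to_real = {}
    for s in statics:
        mapped_ip = OUTSIDE_IP if s["mapped_ip"] == "interface" else s["mapped_ip"]
        mapped_to_real[(s["proto"], mapped_ip, s["mapped_port"])] = (s["real_ip"], s["real_port"])
    out = []
    for line in config.splitlines():
        if not line.strip() or STATIC_RE.match(line):
            continue  # statics are replaced by the object NAT block
        m = ACL_RE.match(line)
        key = (m["proto"], m["dst"], m["port"]) if m else None
        if key in mapped_to_real:
            real_ip, real_port = mapped_to_real[key]
            out.append(f"{m['head']} host {real_ip} eq {real_port}")
        else:
            out.append(line)
    return out


def migrate(config):
    """Full 8.3 rendering: object NAT first, then the rewritten ACL and access-group."""
    statics = parse_statics(config)
    return to_object_nat(statics) + rewrite_non_nat_lines(config, statics)


if __name__ == "__main__":
    print("\n".join(migrate(ASA_72_CONFIG)))
```

The output keeps the ordering a practitioner would paste in: objects first, then the access list, then `access-group`. Anything the script leaves untouched (an ACL with no matching static, for instance) should be reviewed by hand before it goes on the box.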