dmfcvi
asked on
cisco ASA - static nat - ver 7.2 to ver 8.3
On a cisco ASA 5505 ... with version IOS 8.3 ... how do I do the same acl and nat translations as the following, which are used in a ver 7.2 config?
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 111.222.111.222 255.255.255.252
access-list inbound extended permit tcp 77.77.77.0 255.255.255.0 host 111.222.111.222 eq 3389
access-list inbound extended permit tcp any host 111.222.111.222 eq ssh
access-list inbound extended permit tcp any host 111.222.111.222 eq ftp
access-list inbound extended permit tcp any host 111.222.111.222 eq ftp-data
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ssh 192.168.1.5 ssh netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.5 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.5 ftp-data netmask 255.255.255.255
access-group inbound in interface outside
ASKER
I agree with the frustration, but I need to get this working without downgrading the IOS ..
Have a look here, it's a good doc:
https://supportforums.cisco.com/docs/DOC-9129
This is a bit better:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp83968
ASKER
But I haven't seen any example of how to get around the multiple NATs ... like you said in your first post ..
"we tried 8.3 but quickly reverted back due to the changes in NAT, especially as adding one nat entry i.e the 3389 line would be over written by the ssh line"
ASKER CERTIFIED SOLUTION
but an example would be:
object network hostname
 host 192.168.1.5
 nat (inside,outside) static interface service tcp ftp ftp
It got very frustrating, so we stuck with the 7.x version.
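The complete 8.3 equivalent of the 7.2 configuration in the question, written out as an added example (it is not code from any post in this thread). It reuses the interface addresses, host 192.168.1.5 and the source network 77.77.77.0/24 from the question; the object names srv-rdp, srv-ssh, srv-ftp and srv-ftp-data are my own choice. The two points it demonstrates are the ones the thread stumbles on: a network object may carry only one nat statement, so each forwarded port gets its own object, and from 8.3 on the interface ACL matches the real (pre-NAT) address rather than the outside interface address.

```cisco
! Interfaces are unchanged between 7.2 and 8.3.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.222.111.222 255.255.255.252
!
! 8.3 allows exactly one "nat" statement per network object, which is why
! a second port under the same object overwrites the first. A separate
! object per forwarded port (all pointing at the same real host) is the
! equivalent of the four 7.2 "static ... tcp interface" lines.
! Object names below are assumptions for this example.
object network srv-rdp
 host 192.168.1.5
 nat (inside,outside) static interface service tcp 3389 3389
object network srv-ssh
 host 192.168.1.5
 nat (inside,outside) static interface service tcp ssh ssh
object network srv-ftp
 host 192.168.1.5
 nat (inside,outside) static interface service tcp ftp ftp
object network srv-ftp-data
 host 192.168.1.5
 nat (inside,outside) static interface service tcp ftp-data ftp-data
!
! From 8.3 on, an interface ACL is evaluated against the real (untranslated)
! destination, so the rules name 192.168.1.5, not 111.222.111.222. Keeping
! the 7.2 ACL with the outside address as destination would never match and
! the forwarded traffic would be dropped (it fails closed, not open).
access-list inbound extended permit tcp 77.77.77.0 255.255.255.0 host 192.168.1.5 eq 3389
access-list inbound extended permit tcp any host 192.168.1.5 eq ssh
access-list inbound extended permit tcp any host 192.168.1.5 eq ftp
access-list inbound extended permit tcp any host 192.168.1.5 eq ftp-data
access-group inbound in interface outside
```

To confirm the translation and the ACL line up, check `show nat detail` for the four static entries and run `packet-tracer input outside tcp 77.77.77.10 40000 111.222.111.222 3389` (the source address is a constructed one inside the permitted /24); the output should show an UN-NAT phase mapping the outside address to 192.168.1.5 followed by an ACCESS-LIST phase that permits, ending in ALLOW. Repeating it with a source outside 77.77.77.0/24 should end in DROP at the access-list phase, which shows the RDP source restriction from the 7.2 config survived the migration.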