Solved

cisco ASA  - static nat - ver 7.2 to ver 8.3

Posted on 2010-11-11
1,964 Views
Last Modified: 2012-05-10
On a Cisco ASA 5505 with version 8.3, how do I do the same ACL and NAT translations as the following, which are used in a version 7.2 config?

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.222.111.222 255.255.255.252

access-list inbound extended permit tcp 77.77.77.0 255.255.255.0 host 111.222.111.222 eq 3389
access-list inbound extended permit tcp any host 111.222.111.222  eq ssh
access-list inbound extended permit tcp any host 111.222.111.222 eq ftp
access-list inbound extended permit tcp any host 111.222.111.222 eq ftp-data

static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ssh 192.168.1.5 ssh netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.5 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.5 ftp-data netmask 255.255.255.255

access-group inbound in interface outside

Question by:dmfcvi

LVL 4

Expert Comment

by:thunderhead
ID: 34119544
We tried 8.3 but quickly reverted back due to the changes in NAT, especially as adding one NAT entry, i.e. the 3389 line, would be overwritten by the ssh line.

but an example would be:

! 8.3 object NAT: the keyword order is "object network", and "static interface"
! forwards the outside interface address/port to the host, as the 7.2 static did
object network hostname
 host 192.168.1.5
 nat (inside,outside) static interface service tcp ftp ftp

It got very frustrating, so we stuck with the 7x version.
 

Author Comment

by:dmfcvi
ID: 34120684
I agree with the frustration, but I need to get this working without downgrading the IOS.

 
LVL 4

Expert Comment

by:thunderhead
ID: 34120874
Have a look here; it's a good doc:
https://supportforums.cisco.com/docs/DOC-9129
 
LVL 4

Expert Comment

by:thunderhead
ID: 34120886
 

Author Comment

by:dmfcvi
ID: 34121107
But I haven't seen any example of how to get around the multiple NATs, like you said in your first post:
"we tried 8.3 but quickly reverted back due to the changes in NAT, especially as adding one nat entry i.e the 3389 line would be over written by the ssh line"

 
LVL 4

Accepted Solution

by:
thunderhead earned 2000 total points
ID: 34121169
I don't think Cisco have fixed that "small" issue yet.

I easily spent a day or more going through our existing config, rewriting it as it "should" be for 8.3, and trying it, only to get halfway through entering it all to find that it only supports one entry.

Cisco's option (I think), after spending a long time on the phone to them, was to put in multiple host entries:

! one network object per forwarded service, each pointing at the same host
object network hostname
 host 192.168.1.5
 nat (inside,outside) static interface service tcp ftp ftp

object network hostname2
 host 192.168.1.5
 nat (inside,outside) static interface service tcp ssh ssh

For your example above you'll end up with 4 host objects.

Personally I think that this "simplification", as Cisco phrase it, actually leads to a much messier config than the same result in 7.x.

Try it with two network object entries and see how it gets on.
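To make the accepted answer concrete, here is an added example (not from the thread or from Cisco) that mechanically translates the 7.2 port-forwarding `static` lines from the question into the 8.3 form the answer describes: one `object network` per forwarded service, all pointing at the same host, each carrying its own `nat ... static interface service` line. It also rewrites the inbound ACL, because in 8.3 an access-list is evaluated against the real (untranslated) inside address rather than the mapped outside interface address, so `host 111.222.111.222` must become `host 192.168.1.5`. The input config is the question's own text embedded as a constructed sample; the object names (`obj-192-168-1-5-tcp-ssh` etc.) and the `OUTSIDE_IP` constant are assumptions chosen for the example, and only statics to the interface address with a host netmask are handled.

```python
"""Translate ASA 7.2 interface port-forwarding statics to 8.3 object NAT.

Added example: constructed from the question's config, not the thread's own code.
"""
import re

# Constructed sample input: the 7.2 lines quoted in the question.
OLD_CONFIG = """\
access-list inbound extended permit tcp 77.77.77.0 255.255.255.0 host 111.222.111.222 eq 3389
access-list inbound extended permit tcp any host 111.222.111.222 eq ssh
access-list inbound extended permit tcp any host 111.222.111.222 eq ftp
access-list inbound extended permit tcp any host 111.222.111.222 eq ftp-data
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ssh 192.168.1.5 ssh netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.5 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.5 ftp-data netmask 255.255.255.255
access-group inbound in interface outside
"""

# Assumed: the outside interface address the old ACL referenced as its destination.
OUTSIDE_IP = "111.222.111.222"

# 7.2 form: static (real_if,mapped_if) tcp interface <mapped_port> <real_ip> <real_port> netmask 255.255.255.255
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) (?P<proto>tcp|udp) interface "
    r"(?P<mapped_port>\S+) (?P<real_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<real_port>\S+) "
    r"netmask 255\.255\.255\.255$"
)
# Inbound ACE with a 'host <ip> eq <port>' destination; source may be 'any', 'host x' or 'net mask'.
ACL_RE = re.compile(
    r"^(?P<head>access-list \S+ extended permit (?P<proto>tcp|udp) \S+(?: \S+)?) "
    r"host (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) eq (?P<port>\S+)$"
)


def parse_statics(config):
    """Return one dict (real_if, mapped_if, proto, mapped_port, real_ip, real_port) per static line."""
    return [m.groupdict() for line in config.splitlines() if (m := STATIC_RE.match(line.strip()))]


def object_name(s):
    """Assumed naming scheme: one object per host/protocol/mapped-port triple."""
    return f"obj-{s['real_ip'].replace('.', '-')}-{s['proto']}-{s['mapped_port']}"


def object_nat_lines(s):
    """8.3 object NAT: a network object may carry only one nat line, hence one object per service."""
    return [
        f"object network {object_name(s)}",
        f" host {s['real_ip']}",
        f" nat ({s['real_if']},{s['mapped_if']}) static interface "
        f"service {s['proto']} {s['real_port']} {s['mapped_port']}",
    ]


def translate(config, outside_ip):
    """Emit the 8.3 equivalent: objects first, then the ACL rewritten to real addresses/ports."""
    statics = parse_statics(config)
    by_mapped = {(s["proto"], s["mapped_port"]): s for s in statics}
    out = []
    for s in statics:
        out.extend(object_nat_lines(s))
    for raw in config.splitlines():
        line = raw.strip()
        if not line or STATIC_RE.match(line):
            continue  # statics are replaced by the objects above
        m = ACL_RE.match(line)
        key = (m.group("proto"), m.group("port")) if m else None
        if m and m.group("dst") == outside_ip and key in by_mapped:
            s = by_mapped[key]
            # 8.3 ACLs match the un-NATed packet: real IP and real port
            out.append(f"{m.group('head')} host {s['real_ip']} eq {s['real_port']}")
        else:
            out.append(line)  # access-group and anything unrecognised pass through
    return out


if __name__ == "__main__":
    print("\n".join(translate(OLD_CONFIG, OUTSIDE_IP)))
```

For the question's config this yields four objects (3389, ssh, ftp, ftp-data), each with its own `static interface service` line, and four ACEs whose destination is now `host 192.168.1.5`; `access-group inbound in interface outside` is unchanged. ACEs that do not correspond to any static are left untouched, so anything not covered by the translation stands out for manual review.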
