Solved

cisco ASA  - static nat - ver 7.2 to ver 8.3

Posted on 2010-11-11
7
1,879 Views
Last Modified: 2012-05-10
On a cisco ASA 5505 ... with version IOS 8.3  ... how do I do the smae acl and nat translations as the following, which are used in a ver 7.2 config?



interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.222.111.222 255.255.255.252

access-list inbound extended permit tcp 77.77.77.0 255.255.255.0 host 111.222.111.222 eq 3389
access-list inbound extended permit tcp any host 111.222.111.222  eq ssh
access-list inbound extended permit tcp any host 111.222.111.222 eq ftp
access-list inbound extended permit tcp any host 111.222.111.222 eq ftp-data

static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ssh 192.168.1.5 ssh netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.5 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.5 ftp-data netmask 255.255.255.255

access-group inbound in interface outside

0
Comment
Question by:dmfcvi
  • 5
  • 2
7 Comments
 
LVL 4

Expert Comment

by:thunderhead
ID: 34119544
we tried 8.3 but quickly reverted back due to the changes in NAT, especially as adding one nat entry i.e the 3389 line would be over written by the ssh line

but an example would be:

network object hostname
host 192.168.1.5
nat (inside,outside) static 192.168.1.5 service tcp ftp ftp

It got very frustrating, so we stuck with the 7x version.
0
 

Author Comment

by:dmfcvi
ID: 34120684
I agree with the frustration, but I need to get this working without downgrading the IOS ..

0
 
LVL 4

Expert Comment

by:thunderhead
ID: 34120874
Have a look here, its a good doc:
https://supportforums.cisco.com/docs/DOC-9129
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 4

Expert Comment

by:thunderhead
ID: 34120886
0
 

Author Comment

by:dmfcvi
ID: 34121107
But I havent seen any example of how to get around the multiple NATs ... ike you said in your first post ..
"we tried 8.3 but quickly reverted back due to the changes in NAT, especially as adding one nat entry i.e the 3389 line would be over written by the ssh line"

0
 
LVL 4

Accepted Solution

by:
thunderhead earned 500 total points
ID: 34121169
I don't think Cisco have fixed that "small" issue yet.

I easily spent a day or more going through our exisiting config, rewriting it as it "should" be for 8.3, and trying it, only to get half way through entering it all to find that it only supports one entry.

Cisco's option was (I think) after spending a long time on the phone to them was, to put in multiple host entries:

network object hostname
host 192.168.1.5
nat (inside,outside) static 192.168.1.5 service tcp ftp ftp

network object hostname2
host 192.168.1.5
nat (inside,outside) static hostname2service tcp ssh ssh

For your example above you'll end up with 4 host objects.

Personally i think that this "simplification" - as Cisco phrase it - actually leads to a much messier config than the same result in 7.x

Try it with two network object entries and see how it gets on.
0
 
LVL 4

Expert Comment

by:thunderhead
ID: 34121215
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now