conversion of nat from asa8.2 to asa8.3

I've upgraded my ASA5510 from version 8.2 to 8.3. I've noticed a big difference in the NATting. When the conversion was done from the upgrade, a lot of the network objects were repeated. Can I use a single network object for the network object that is the same? There are multiple lines for a single network object and during the conversion it added -01, -02, etc. But it's the same network object.

Ex:

object network obj-192.168.0.112-07
 host 192.168.0.112
object network obj-192.168.0.112-08
 host 192.168.0.112
object network obj-192.168.0.112-09
 host 192.168.0.112
object network obj-192.168.0.112-10
 host 192.168.0.112
object network obj-192.168.0.112-11
 host 192.168.0.112
object network obj-192.168.0.112-12
 host 192.168.0.112
object network obj-192.168.0.112-13
 host 192.168.0.112

Can't I eliminate all of these lines for just

object network obj-192.168.0.112
 host 192.168.0.112

then use that same object for the rest of the NAT statements,

so instead of this:

object network obj-192.168.0.112-01
 nat (inside,outside) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112-02
 nat (inside,outside) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.112-03
 nat (inside,outside) static 209.91.162.153 service tcp 49925 49925

do this:

object network obj-192.168.0.112 nat (inside,outside) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112 nat (inside,outside) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.112 nat (inside,outside) static 209.91.162.153 service tcp 49925 49925

I want to clean up the config. The conversion added 2.5 extra pages!!
samashcam (Author) commented:
Sorry the second part should read like this:

object network obj-192.168.0.112
 nat (inside,Vianet) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112
 nat (inside,Vianet) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.112
 nat (inside,Vianet) static 209.91.162.153 service tcp 49925 49925

Ernie Beek (Expert) commented:
If you are using a 1 to 1 NAT you could simplify it even more:

object network obj-209.91.162.153
  host 209.91.162.153
object network PublicServer_NAT1
  host 192.168.0.112
  nat (inside,outside) obj-209.91.162.153
access-list outside_access_in line 1 extended permit tcp any host 192.168.0.112 eq 49924
access-list outside_access_in line 2 extended permit tcp any host 192.168.0.112 eq 49925

etc

Ernie Beek (Expert) commented:
Oh, and yes you can do that cleanup. Of course you have to watch carefully which names you use in what place.
Ernie Beek (Expert) commented:
You might find this interesting (if you hadn't found it already): http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp83968

samashcam (Author) commented:
Humm, I see how it's done now.. Brain still stuck the old way..lol.. It's almost turned into programming instead of just configuring a line for what you want.

Thx a bunch for the lesson!

Ernie Beek (Expert) commented:
You're welcome:)
And Thx for the points.

samashcam (Author) commented:
What if they aren't all 1 to 1 NAT?

Do I have to configure them differently?

ex:

static (inside,outside) tcp interface 5500 192.168.0.1 5500 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.250 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.0.121 3390 netmask 255.255.255.255

Ernie Beek (Expert) commented:
Then you should do it on a per (inside) host basis:

object network obj-192.168.0.1
host 192.168.0.1
nat (inside,outside) static interface service tcp 5500 5500

object network obj-192.168.0.121
host 192.168.0.121
nat (inside,outside) static interface service tcp 3390 3390

object network obj-192.168.0.250
host 192.168.0.250
nat (inside,outside) static interface service tcp 3389 3389

samashcam (Author) commented:
Thanks again. Is there anything I should watch for the cutover? This is a live environment and I was given a 10 min window to resolve anything! No test environment.

Ernie Beek (Expert) commented:
Two things:
Use clear xlate after you made the changes.
Don't write to memory until you are sure it works. If it doesn't, then you just have to reload to restore the previous config.

Well ok, three things: first make a backup of the configuration!

samashcam (Author) commented:
Thanks again for your help! I've never had issues with upgrading a code before, but last time I upgraded the two firewalls that were in failover to the 8.3 code, everything went to hell in a 747! A little leery about doing this again! lol

Ernie Beek (Expert) commented:
You're welcome (again ;)

And good luck!

samashcam (Author) commented:
One other thing..sorry , a little paranoid ;)  if I have two inside ips natted to one outside ip, is this what it should look like in the config?

object network obj-192.168.0.112-01
 host 192.168.0.112
object network obj-192.168.0.112-02
 host 192.168.0.112
object network obj-192.168.0.184-01
 host 192.168.0.184
object network obj-192.168.0.184-02
 host 192.168.0.184

object network obj-192.168.0.112-01
 nat (inside,outside) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112-02
 nat (inside,outside) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.184-01
 nat (inside,Vianet) static 209.91.162.153 service tcp https https
object network obj-192.168.0.184-02
 nat (inside,Vianet) static 209.91.162.153 service tcp www www

Ernie Beek (Expert) commented:
I am afraid so :-~
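A small audit script for the situation discussed in this thread (an added example, not code from either poster): it parses the migrated object and NAT stanzas, marks same-host objects that carry no NAT rule as mergeable into one shared object, keeps every object that is bound to a NAT rule separate (an 8.3 network object holds a single object NAT rule), and flags an object with several nat lines, where the ASA keeps only the last one entered. The sample config, interface names and addresses are constructed.

```python
from collections import defaultdict

# Constructed sample in the shape the 8.2 -> 8.3 migration emits (hosts first,
# NAT stanzas later); not the original poster's config.
SAMPLE_CONFIG = """\
object network obj-192.168.0.112-01
 host 192.168.0.112
object network obj-192.168.0.112-02
 host 192.168.0.112
object network obj-192.168.0.112-03
 host 192.168.0.112
object network obj-192.168.0.184
 host 192.168.0.184
 nat (inside,outside) static 209.91.162.153 service tcp https https
 nat (inside,outside) static 209.91.162.153 service tcp www www
object network obj-192.168.0.112-01
 nat (inside,outside) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112-02
 nat (inside,outside) static 209.91.162.153 service tcp 49924 49924
"""

def parse_objects(config):
    """Map object name -> {"host": ip or None, "nat": [nat lines]}; a name
    that appears in several stanzas is merged into one entry."""
    objects, current = {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = objects.setdefault(line.split()[2], {"host": None, "nat": []})
        elif current is not None and line.startswith(" "):
            field = line.strip()
            if field.startswith("host "):
                current["host"] = field.split()[1]
            elif field.startswith("nat "):
                current["nat"].append(field)
    return objects

def audit(objects):
    """Group by host: "mergeable" = no nat rule, foldable into one shared object;
    "nat_bound" = has a nat rule and must stay separate (an 8.3 network object
    holds one object NAT rule); "overloaded" = several nat lines under one
    object, where the ASA keeps only the last one entered."""
    report = defaultdict(lambda: {"mergeable": [], "nat_bound": [], "overloaded": []})
    for name, obj in objects.items():
        if obj["host"] is None:  # subnet/range/fqdn objects are out of scope here
            continue
        entry = report[obj["host"]]
        entry["nat_bound" if obj["nat"] else "mergeable"].append(name)
        if len(obj["nat"]) > 1:
            entry["overloaded"].append(name)
    return dict(report)
```

Run `audit(parse_objects(open("migrated.cfg").read()))` against a copy of the converted running-config; anything listed under "overloaded" is a translation that would silently vanish on the box.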

samashcam (Author) commented:
Thanks erniebeek!  Really appreciate it! Guys like you make this membership soooo valuable!

Ernie Beek (Expert) commented:
Oh stop it!

You're making me blush. :))