Conversion of NAT from ASA 8.2 to ASA 8.3

I've upgraded my ASA5510 from version 8.2 to 8.3. I've noticed a big difference in the NATting. When the conversion was done by the upgrade, a lot of the network objects were repeated. Can I use a single network object for the network objects that are the same? There are multiple lines for a single network object, and during the conversion it added -01, -02, etc. But it's the same network object.

Ex:

object network obj-192.168.0.112-07
 host 192.168.0.112
object network obj-192.168.0.112-08
 host 192.168.0.112
object network obj-192.168.0.112-09
 host 192.168.0.112
object network obj-192.168.0.112-10
 host 192.168.0.112
object network obj-192.168.0.112-11
 host 192.168.0.112
object network obj-192.168.0.112-12
 host 192.168.0.112
object network obj-192.168.0.112-13
 host 192.168.0.112

Can't I eliminate all of these lines for just

object network obj-192.168.0.112
 host 192.168.0.112

then use that same object for the rest of the nat statement

so instead of this:

object network obj-192.168.0.112-01
 nat (inside,outside) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112-02
 nat (inside,outside) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.112-03
 nat (inside,outside) static 209.91.162.153 service tcp 49925 49925

do this:

object network obj-192.168.0.112 nat (inside,outside) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112 nat (inside,outside) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.112 nat (inside,outside) static 209.91.162.153 service tcp 49925 49925
 
I want to clean up the config. The conversion added 2.5 extra pages!!
samashcam asked:
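An added example, not part of the thread and not Cisco's or the asker's code: a small Python script that reads the `object network` blocks the 8.2 to 8.3 migration produces, merges the two halves of each object (the ASA prints the `host` section and the `nat` section of one object in separate places), groups them by the real address they stand for, and reports which ones can go. The sample config is constructed, modelled on the shape in the question. The caveat it encodes: under 8.3 object NAT a network object holds a single `nat` command, so objects that differ only in their port mapping (-01 for ssh, -02 for 49924, ...) each still need to exist; only objects with no `nat` statement and no reference from an access-list or object-group are safe to drop, and the script emits the `no object network` lines for those.

```python
import re
from collections import defaultdict

# Constructed sample config, modelled on the shape in the question
# (not the asker's real configuration).
SAMPLE_CONFIG = """\
object network obj-192.168.0.112-01
 host 192.168.0.112
object network obj-192.168.0.112-02
 host 192.168.0.112
object network obj-192.168.0.112-03
 host 192.168.0.112
object network obj-192.168.0.112-04
 host 192.168.0.112
object network obj-192.168.0.184-01
 host 192.168.0.184
access-list outside_access_in extended permit tcp any object obj-192.168.0.112-03 eq ssh
object network obj-192.168.0.112-01
 nat (inside,outside) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112-02
 nat (inside,outside) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.184-01
 nat (inside,outside) static 209.91.162.153 service tcp https https
"""

OBJECT_HEADER = re.compile(r"^object network (\S+)\s*$")


def parse_network_objects(config):
    """Merge every 'object network' block by name.

    The ASA prints the host/subnet part and the nat part of the same object
    in two different places of the running config, so one name can open a
    block twice; both halves are folded into a single record.
    """
    objects = {}
    current = None
    for raw in config.splitlines():
        header = OBJECT_HEADER.match(raw)
        if header:
            current = objects.setdefault(header.group(1), {"host": None, "nat": None})
            continue
        if current is None or not raw.startswith(" "):
            current = None          # an unindented line ends the object block
            continue
        line = raw.strip()
        if line.startswith("host "):
            current["host"] = line.split()[1]
        elif line.startswith("nat "):
            current["nat"] = line   # object NAT: one nat command per object
    return objects


def references_outside_own_block(config, name):
    """Count lines that mention the object name other than its own headers,
    e.g. an access-list or object-group line that uses 'object NAME'."""
    pattern = re.compile(r"\b" + re.escape(name) + r"\b")
    return sum(
        1 for line in config.splitlines()
        if pattern.search(line) and not OBJECT_HEADER.match(line)
    )


def consolidation_report(config):
    """Group objects by real address and classify each one:
    'keep' carries a nat rule (each port mapping needs its own object),
    'referenced' has no nat but is used elsewhere, 'removable' has neither."""
    objects = parse_network_objects(config)
    by_host = defaultdict(list)
    for name, obj in objects.items():
        if obj["host"]:
            by_host[obj["host"]].append(name)
    report = {}
    for host, names in sorted(by_host.items()):
        entry = {"keep": [], "referenced": [], "removable": []}
        for name in sorted(names):
            if objects[name]["nat"]:
                entry["keep"].append(name)
            elif references_outside_own_block(config, name):
                entry["referenced"].append(name)
            else:
                entry["removable"].append(name)
        report[host] = entry
    return report


def cleanup_commands(report):
    """CLI lines that drop the objects nothing uses."""
    return [f"no object network {n}" for e in report.values() for n in e["removable"]]


if __name__ == "__main__":
    rep = consolidation_report(SAMPLE_CONFIG)
    for host, entry in rep.items():
        print(host, entry)
    print("\n".join(cleanup_commands(rep)))
```

Run it against a `show running-config` capture saved to a file in place of the sample string; anything listed under `keep` is a distinct port translation and stays, and anything under `referenced` has to have its access-list or object-group rewritten before the object can be removed.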
 
Ernie Beek (Expert) commented:
If you are using a 1 to 1 NAT you could even more simplify it:

object network obj-209.91.162.153
 host 209.91.162.153
object network PublicServer_NAT1
 host 192.168.0.112
 nat (inside,outside) static obj-209.91.162.153
access-list outside_access_in line 1 extended permit tcp any host 192.168.0.112 eq 49924
access-list outside_access_in line 2 extended permit tcp any host 192.168.0.112 eq 49925

etc
samashcam (Author) commented:
Sorry the second part should read like this:

object network obj-192.168.0.112
 nat (inside,Vianet) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112
 nat (inside,Vianet) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.112
 nat (inside,Vianet) static 209.91.162.153 service tcp 49925 49925
Ernie Beek (Expert) commented:
Oh, and yes, you can do that cleanup. Of course you have to watch carefully which names you use in what place.
Ernie Beek (Expert) commented:
You might find this interesting (if you hadn't found it already): http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp83968
samashcam (Author) commented:
Humm, I see how it's done now.. Brain still stuck the old way..lol.. It's almost turned into programming instead of just configuring a line for what you want.

Thx a bunch for the lesson!
Ernie Beek (Expert) commented:
You're welcome:)
And Thx for the points.
samashcam (Author) commented:
What if they aren't all 1 to 1 NAT?

Do I have to configure them differently?

ex:

static (inside,outside) tcp interface 5500 192.168.0.1 5500 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.250 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.0.121 3390 netmask 255.255.255.255
Ernie Beek (Expert) commented:
Then you should do it on a per (inside) host basis:

object network obj-192.168.0.1
 host 192.168.0.1
 nat (inside,outside) static interface service tcp 5500 5500

object network obj-192.168.0.121
 host 192.168.0.121
 nat (inside,outside) static interface service tcp 3390 3390

object network obj-192.168.0.250
 host 192.168.0.250
 nat (inside,outside) static interface service tcp 3389 3389
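An added example (my code, not Ernie's and not Cisco's migration tool) that turns 8.2 `static` lines of both kinds seen in this thread, the plain 1:1 static behind the first answer and the port-level `static ... tcp interface` lines in the question just above, into the 8.3 object NAT blocks Ernie shows. The sample lines are constructed. The object names and the -01/-02 suffixing are my choice; they mirror what the migration does, because object NAT allows one `nat` command per network object, so a real host with two port forwards needs two objects.

```python
import re

# Constructed sample of 8.2-style statics, modelled on the thread
# (not the asker's real configuration). The last line is a plain 1:1 static.
SAMPLE_82 = [
    "static (inside,outside) tcp interface 5500 192.168.0.1 5500 netmask 255.255.255.255",
    "static (inside,outside) tcp interface 5501 192.168.0.1 5501 netmask 255.255.255.255",
    "static (inside,outside) tcp interface 3389 192.168.0.250 3389 netmask 255.255.255.255",
    "static (inside,outside) 209.91.162.153 192.168.0.112 netmask 255.255.255.255",
]

# 8.2: static (real_if,mapped_if) {tcp|udp} mapped_ip mapped_port real_ip real_port [netmask m]
PORT_STATIC = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<proto>tcp|udp) (?P<mapped_ip>\S+) (?P<mapped_port>\S+) "
    r"(?P<real_ip>\S+) (?P<real_port>\S+)(?: netmask \S+)?$"
)
# 8.2: static (real_if,mapped_if) mapped_ip real_ip [netmask m]
ONE_TO_ONE_STATIC = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<mapped_ip>\S+) (?P<real_ip>\S+)(?: netmask \S+)?$"
)


def parse_statics(lines):
    """Return one dict per recognised 8.2 static; other lines are skipped."""
    rules = []
    for line in lines:
        line = line.strip()
        m = PORT_STATIC.match(line) or ONE_TO_ONE_STATIC.match(line)
        if m:
            rules.append(m.groupdict())
    return rules


def to_object_nat(rules):
    """Render the rules as 8.3 object NAT blocks, one 'object network' per
    nat command. A real host with several mappings gets -01, -02, ...
    objects, which is what the 8.3 migration does and why the suffixes
    appear in a converted config."""
    per_host = {}
    for r in rules:
        per_host.setdefault(r["real_ip"], []).append(r)
    out = []
    for real_ip, host_rules in per_host.items():
        for idx, r in enumerate(host_rules, start=1):
            name = f"obj-{real_ip}" if len(host_rules) == 1 else f"obj-{real_ip}-{idx:02d}"
            nat = f" nat ({r['real_if']},{r['mapped_if']}) static {r['mapped_ip']}"
            if "proto" in r:   # port-level static carries a service clause
                # 8.3 order is real_port then mapped_port; 8.2 listed the
                # mapped port before the real IP, so the fields are swapped here.
                nat += f" service {r['proto']} {r['real_port']} {r['mapped_port']}"
            out.extend([f"object network {name}", f" host {real_ip}", nat])
    return "\n".join(out)


if __name__ == "__main__":
    print(to_object_nat(parse_statics(SAMPLE_82)))
```

The port order is the part most worth checking by hand after a conversion: the 8.2 line names the mapped port before the real host, while the 8.3 `service` clause names the real port first, which is easy to get backwards when the two differ.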
samashcam (Author) commented:
Thanks again. Is there anything I should watch for the cutover? This is a live environment and I was given a 10 min window to resolve anything! No test environment.
Ernie Beek (Expert) commented:
Two things:
Use clear xlate after you made the changes.
Don't write to memory until you are sure it works. If it doesn't, then you just have to reload to restore the previous config.

Well ok, three things: first make a backup of the configuration!
samashcam (Author) commented:
Thanks again for your help! I've never had issues with upgrading a code before, but last time I upgraded the two firewalls that were in failover to the 8.3 code, everything went to hell in a 747! A little leery about doing this again! lol
Ernie Beek (Expert) commented:
You're welcome (again ;)

And good luck!
samashcam (Author) commented:
One other thing..sorry , a little paranoid ;)  if I have two inside ips natted to one outside ip, is this what it should look like in the config?

object network obj-192.168.0.112-01
 host 192.168.0.112
object network obj-192.168.0.112-02
 host 192.168.0.112
object network obj-192.168.0.184-01
 host 192.168.0.184
object network obj-192.168.0.184-02
 host 192.168.0.184

object network obj-192.168.0.112-01
 nat (inside,outside) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112-02
 nat (inside,outside) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.184-01
 nat (inside,Vianet) static 209.91.162.153 service tcp https https
object network obj-192.168.0.184-02
 nat (inside,Vianet) static 209.91.162.153 service tcp www www
Ernie Beek (Expert) commented:
I am afraid so :-~
samashcam (Author) commented:
Thanks erniebeek!  Really appreciate it! Guys like you make this membership soooo valuable!
Ernie Beek (Expert) commented:
Oh stop it!

You're making me blush. :))