Solved

conversion of nat from asa8.2 to asa8.3

Posted on 2011-03-21
Last Modified: 2012-05-11
I've upgraded my ASA5510 from version 8.2 to 8.3. I've noticed a big difference in the natting. When the conversion was done from the upgrade, a lot of the network objects were repeated. Can I use a single network object for the network object that is the same? There are multiple lines for a single network object and during the conversion it added -01, -02, etc. But it's the same network object.

Ex:

object network obj-192.168.0.112-07
 host 192.168.0.112
object network obj-192.168.0.112-08
 host 192.168.0.112
object network obj-192.168.0.112-09
 host 192.168.0.112
object network obj-192.168.0.112-10
 host 192.168.0.112
object network obj-192.168.0.112-11
 host 192.168.0.112
object network obj-192.168.0.112-12
 host 192.168.0.112
object network obj-192.168.0.112-13
 host 192.168.0.112

Can't I eliminate all of these lines in favor of just

object network obj-192.168.0.112
 host 192.168.0.112

then use that same object for the rest of the nat statements,

so instead of this:

object network obj-192.168.0.112-01
 nat (inside,outsidet) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112-02
 nat (inside,outside) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.112-03
 nat (inside,outside) static 209.91.162.153 service tcp 49925 49925

do this:

object network obj-192.168.0.112 nat (inside,outside) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112 nat (inside,outside) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.112 nat (inside,outside) static 209.91.162.153 service tcp 49925 49925
 
I want to clean up the config.  The conversion added 2.5 extra pages !!
Question by:samashcam

Author Comment

by:samashcam
Sorry the second part should read like this:

object network obj-192.168.0.112
 nat (inside,Vianet) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112
 nat (inside,Vianet) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.112
 nat (inside,Vianet) static 209.91.162.153 service tcp 49925 49925
Accepted Solution

by:Ernie Beek earned 500 total points
If you are using a 1 to 1 NAT you could simplify it even more:

object network obj-209.91.162.153
  host 209.91.162.153
object network PublicServer_NAT1
  host 192.168.0.112
  nat (inside,outside) obj-209.91.162.153
access-list outside_access_in line 1 extended permit tcp any host 192.168.0.112 eq 49924
access-list outside_access_in line 2 extended permit tcp any host 192.168.0.112 eq 49925

etc

Expert Comment

by:Ernie Beek
Oh, and yes, you can do that cleanup. Of course you have to watch carefully which names you use in what place.

Expert Comment

by:Ernie Beek
You might find this interesting (if you hadn't found it already): http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp83968

Author Comment

by:samashcam
Humm, I see how it's done now.. Brain still stuck the old way..lol.. It's almost turned into programming instead of just configuring a line for what you want.

Thx a bunch for the lesson!

Expert Comment

by:Ernie Beek
You're welcome:)
And Thx for the points.

Author Comment

by:samashcam
What if they aren't all 1 to 1 NAT?

Do I have to configure them differently?

ex:

static (inside,outside) tcp interface 5500 192.168.0.1 5500 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.250 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.0.121 3390 netmask 255.255.255.255

Expert Comment

by:Ernie Beek
Then you should do it on a per (inside) host basis:

object network obj-192.168.0.1
host 192.168.0.1
nat (inside,outside) static interface service tcp 5500 5500

object network obj-192.168.0.121
host 192.168.0.121
nat (inside,outside) static interface service tcp 3390 3390

object network obj-192.168.0.250
host 192.168.0.250
nat (inside,outside) static interface service tcp 3389 3389

Author Comment

by:samashcam
Thanks again. Is there anything I should watch for during the cutover? This is a live environment and I was given a 10 min window to resolve anything! No test environment.

Expert Comment

by:Ernie Beek
Two things:
Use clear xlate after you made the changes.
Don't write to memory until you are sure it works. If it doesn't, then you just have to reload to restore the previous config.

Well ok, three things: first make a backup of the configuration!

Author Comment

by:samashcam
Thanks again for your help! I've never had issues with upgrading code before, but last time I upgraded the two firewalls that were in failover to the 8.3 code, everything went to hell in a 747! A little leery about doing this again! lol

Expert Comment

by:Ernie Beek
You're welcome (again ;)

And good luck!

Author Comment

by:samashcam
One other thing, sorry, a little paranoid ;) If I have two inside IPs natted to one outside IP, is this what it should look like in the config?

object network obj-192.168.0.112-01
 host 192.168.0.112
object network obj-192.168.0.112-02
 host 192.168.0.112
object network obj-192.168.0.184-01
 host 192.168.0.184
object network obj-192.168.0.184-02
 host 192.168.0.184

object network obj-192.168.0.112-01
 nat (inside,outsidet) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112-02
 nat (inside,outside) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.184-01
 nat (inside,Vianet) static 209.91.162.153 service tcp https https
object network obj-192.168.0.184-02
 nat (inside,Vianet) static 209.91.162.153 service tcp www www

Expert Comment

by:Ernie Beek
I am afraid so :-~
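The cleanup asked about at the top of the thread, together with the limitation behind this last answer (a network object carries at most one nat line, so two port forwards on the same inside host still need two objects), as an added Python example that is not from the thread or from Cisco. It parses a migrated 8.3 config in the shape the upgrade produces (the sample below is constructed from the addresses in this thread; the 209.91.162.154 mapping and the unused -04 leftover are made up), groups the objects by inside host, and emits a cleanup in which a host with a single NAT rule collapses to one object while a host with several keeps one object per rule under service-based names. The object names and function names are my own choices, not a Cisco convention.

```python
"""Consolidate the duplicate network objects an ASA 8.2 -> 8.3 NAT migration leaves behind.

Added example (not from the thread or Cisco).  Assumptions: all objects are
'host' objects, the NAT is object NAT (the nat line sits under 'object network'),
and a network object may carry at most one nat line, so a host with N distinct
NAT rules still needs N objects; only a host with a single rule collapses to one.
"""
import re

OBJ_RE = re.compile(r"^object network (\S+)\s*$")
HOST_RE = re.compile(r"^\s+host (\d{1,3}(?:\.\d{1,3}){3})\s*$")
NAT_RE = re.compile(r"^\s+(nat \S.*?)\s*$")
SERVICE_RE = re.compile(r"service (tcp|udp) (\S+) (\S+)$")

# Constructed sample in the shape the migration produces: every object is emitted
# twice, once with its host and later again with its nat line.  Hosts follow the
# thread; 209.91.162.154 and the nat-less -04 object are made up for the example.
MIGRATED_CONFIG = """\
object network obj-192.168.0.112-01
 host 192.168.0.112
object network obj-192.168.0.112-02
 host 192.168.0.112
object network obj-192.168.0.112-03
 host 192.168.0.112
object network obj-192.168.0.112-04
 host 192.168.0.112
object network obj-192.168.0.184-01
 host 192.168.0.184
object network obj-192.168.0.250-01
 host 192.168.0.250
object network obj-192.168.0.112-01
 nat (inside,outside) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112-02
 nat (inside,outside) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.112-03
 nat (inside,outside) static 209.91.162.153 service tcp 49925 49925
object network obj-192.168.0.184-01
 nat (inside,outside) static 209.91.162.154
object network obj-192.168.0.250-01
 nat (inside,outside) static interface service tcp 3389 3389
"""


def parse_objects(config):
    """Return {name: {'host': ip or None, 'nat': nat line or None}} in config order.

    The two fragments of each object (host block, nat block) are merged by name.
    """
    objects = {}
    current = None
    for line in config.splitlines():
        m = OBJ_RE.match(line)
        if m:
            current = objects.setdefault(m.group(1), {"host": None, "nat": None})
            continue
        if current is None:
            continue
        m = HOST_RE.match(line)
        if m:
            current["host"] = m.group(1)
            continue
        m = NAT_RE.match(line)
        if m:
            current["nat"] = m.group(1)
    return objects


def plan_cleanup(config):
    """Group migrated objects by inside host and decide the replacement object set.

    Returns (old_names, new_objects); new_objects maps new name -> (host, nat line).
    Duplicates that never received a nat line are simply dropped.
    """
    objects = parse_objects(config)
    rules_by_host = {}
    for obj in objects.values():
        if obj["host"] is None:
            continue
        rules = rules_by_host.setdefault(obj["host"], [])
        if obj["nat"] is not None and obj["nat"] not in rules:
            rules.append(obj["nat"])
    new_objects = {}
    for host, rules in rules_by_host.items():
        if len(rules) == 1:                      # one rule: one object is enough
            new_objects["obj-%s" % host] = (host, rules[0])
            continue
        for nat in rules:                        # several rules: one object per rule
            m = SERVICE_RE.search(nat)
            suffix = "%s-%s" % (m.group(1), m.group(3)) if m else "rule%d" % (len(new_objects) + 1)
            new_objects["obj-%s-%s" % (host, suffix)] = (host, nat)
    return list(objects), new_objects


def render_cleanup(old_names, new_objects):
    """Emit the CLI: remove every migrated object, then define the consolidated set."""
    out = ["no object network %s" % n for n in old_names]
    for name, (host, nat) in new_objects.items():
        out += ["object network %s" % name, " host %s" % host, " %s" % nat]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_cleanup(*plan_cleanup(MIGRATED_CONFIG)))
```

Removing an object also removes the NAT rule attached to it, so the "no object network" lines should only go against objects the migration created for NAT; check that none of them is referenced from an access-list or object-group first (for example with show running-config | include obj-), and, as advised above, keep a backup and don't write to memory until the result is verified.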

Author Comment

by:samashcam
Thanks erniebeek!  Really appreciate it! Guys like you make this membership soooo valuable!

Expert Comment

by:Ernie Beek
Oh stop it!

You're making me blush. :))