Conversion of NAT from ASA 8.2 to ASA 8.3

Posted on 2011-03-21
Last Modified: 2012-05-11
I've upgraded my ASA5510 from version 8.2 to 8.3. I've noticed a big difference in the natting. When the conversion was done by the upgrade, a lot of the network objects were repeated. Can I use a single network object for the network objects that are the same? There are multiple lines for a single network object, and during the conversion it added -01, -02, etc. But it's the same network object.

Ex:

object network obj-192.168.0.112-07
 host 192.168.0.112
object network obj-192.168.0.112-08
 host 192.168.0.112
object network obj-192.168.0.112-09
 host 192.168.0.112
object network obj-192.168.0.112-10
 host 192.168.0.112
object network obj-192.168.0.112-11
 host 192.168.0.112
object network obj-192.168.0.112-12
 host 192.168.0.112
object network obj-192.168.0.112-13
 host 192.168.0.112

Can't I eliminate all of these lines for just

object network obj-192.168.0.112
 host 192.168.0.112

then use that same object for the rest of the NAT statements,

so instead of this:

object network obj-192.168.0.112-01
 nat (inside,outside) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112-02
 nat (inside,outside) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.112-03
 nat (inside,outside) static 209.91.162.153 service tcp 49925 49925

do this:

object network obj-192.168.0.112 nat (inside,outside) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112 nat (inside,outside) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.112 nat (inside,outside) static 209.91.162.153 service tcp 49925 49925
 
I want to clean up the config. The conversion added 2.5 extra pages!!
Question by:samashcam

Author Comment

by:samashcam
ID: 35186482
Sorry, the second part should read like this:

object network obj-192.168.0.112
 nat (inside,Vianet) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112
 nat (inside,Vianet) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.112
 nat (inside,Vianet) static 209.91.162.153 service tcp 49925 49925

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 35187655
If you are using a 1-to-1 NAT you could simplify it even more:

object network obj-209.91.162.153
  host 209.91.162.153
object network PublicServer_NAT1
  host 192.168.0.112
  nat (inside,outside) static obj-209.91.162.153
access-list outside_access_in line 1 extended permit tcp any host 192.168.0.112 eq 49924
access-list outside_access_in line 2 extended permit tcp any host 192.168.0.112 eq 49925

etc

Expert Comment

by:Ernie Beek
ID: 35187658
Oh, and yes, you can do that cleanup. Of course you have to watch carefully which names you use in what place.

Expert Comment

by:Ernie Beek
ID: 35187668
You might find this interesting (if you hadn't found it already): http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp83968

Author Comment

by:samashcam
ID: 35189392
Humm, I see how it's done now.. Brain still stuck the old way..lol.. It's almost turned into programming instead of just configuring a line for what you want.

Thx a bunch for the lesson!

Expert Comment

by:Ernie Beek
ID: 35189420
You're welcome:)
And Thx for the points.

Author Comment

by:samashcam
ID: 35194874
What if they aren't all 1 to 1 NAT?

Do I have to configure them differently?

ex:

static (inside,outside) tcp interface 5500 192.168.0.1 5500 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.250 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.0.121 3390 netmask 255.255.255.255

Expert Comment

by:Ernie Beek
ID: 35197110
Then you should do it on a per-(inside)-host basis:

object network obj-192.168.0.1
host 192.168.0.1
nat (inside,outside) static interface service tcp 5500 5500

object network obj-192.168.0.121
host 192.168.0.121
nat (inside,outside) static interface service tcp 3390 3390

object network obj-192.168.0.250
host 192.168.0.250
nat (inside,outside) static interface service tcp 3389 3389
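The per-host translation shown in the accepted answer and in the answer just above can be mechanised. The following Python script is an added example, not code from this thread or from Cisco: it parses the two host forms of the 8.2 `static` command that appear in the thread (a port forward on the interface address or a mapped address, and a plain one-to-one static) and emits the matching 8.3 object NAT block. One detail the thread's same-port examples hide: 8.2 writes the mapped port before the real port, while the 8.3 `service` keyword takes the real port first, so the script swaps them when they differ. The object naming scheme (`obj-<real-ip>-<proto>-<port>`) is the example's own, chosen so that a host with several port forwards gets one object per rule, which 8.3 requires. Subnet statics and policy NAT are not converted and are returned for manual review. The sample input is constructed from the lines in the question plus one invented one-to-one static.

```python
import re

# Constructed sample 8.2 'static' lines: three port forwards on the outside
# interface address (from the thread) and one invented one-to-one static.
OLD_STATICS = """\
static (inside,outside) tcp interface 5500 192.168.0.1 5500 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.250 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.0.121 3390 netmask 255.255.255.255
static (inside,outside) 209.91.162.153 192.168.0.112 netmask 255.255.255.255
"""

# 8.2 port-forward form: static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port netmask
PORT_STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<proto>tcp|udp) (?P<mapped_ip>\S+) (?P<mapped_port>\S+) "
    r"(?P<real_ip>\S+) (?P<real_port>\S+) netmask 255\.255\.255\.255\s*$"
)
# 8.2 one-to-one host form: static (real_if,mapped_if) mapped_ip real_ip netmask /32
HOST_STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<mapped_ip>\S+) (?P<real_ip>\S+) netmask 255\.255\.255\.255\s*$"
)


def convert_static(line):
    """Translate one 8.2 host 'static' line into an 8.3 object NAT block.

    Returns a list of config lines, or None when the line is not one of the
    two host forms handled here (subnet statics with other masks and
    'static ... access-list' policy NAT need manual/twice NAT instead).
    """
    m = PORT_STATIC_RE.match(line)
    if m:
        d = m.groupdict()
        # Hypothetical naming scheme: one object per (host, proto, port).
        name = f"obj-{d['real_ip']}-{d['proto']}-{d['real_port']}"
        # 8.3 'service' takes real_port first, then mapped_port.
        nat = (f" nat ({d['real_if']},{d['mapped_if']}) static {d['mapped_ip']} "
               f"service {d['proto']} {d['real_port']} {d['mapped_port']}")
        return [f"object network {name}", f" host {d['real_ip']}", nat]
    m = HOST_STATIC_RE.match(line)
    if m:
        d = m.groupdict()
        name = f"obj-{d['real_ip']}"
        nat = f" nat ({d['real_if']},{d['mapped_if']}) static {d['mapped_ip']}"
        return [f"object network {name}", f" host {d['real_ip']}", nat]
    return None


def convert_config(text):
    """Convert every recognised static line; collect the rest for review."""
    out, unhandled = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        block = convert_static(line)
        if block is None:
            unhandled.append(line)
        else:
            out.extend(block)
    return out, unhandled


if __name__ == "__main__":
    converted, leftover = convert_config(OLD_STATICS)
    print("\n".join(converted))
    for line in leftover:
        print("! REVIEW MANUALLY:", line)
```

Feed it the `static` lines from a saved 8.2 configuration and review the `unhandled` list before pasting anything; as the thread notes, keep the old config backed up and do not write to memory until the translations have been verified.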

Author Comment

by:samashcam
ID: 35198444
Thanks again. Is there anything I should watch for during the cutover? This is a live environment and I was given a 10 min window to resolve anything! No test environment.

Expert Comment

by:Ernie Beek
ID: 35198727
Two things:
Use clear xlate after you made the changes.
Don't write to memory until you are sure it works. If it doesn't, then you just have to reload to restore the previous config.

Well ok, three things: first make a backup of the configuration!

Author Comment

by:samashcam
ID: 35199070
Thanks again for your help! I've never had issues with upgrading a code before, but last time I upgraded the two firewalls that were in failover to the 8.3 code, everything went to hell in a 747! A little leery about doing this again! lol

Expert Comment

by:Ernie Beek
ID: 35199085
You're welcome (again ;)

And good luck!

Author Comment

by:samashcam
ID: 35199140
One other thing.. sorry, a little paranoid ;) If I have two inside IPs NATted to one outside IP, is this what it should look like in the config?

object network obj-192.168.0.112-01
 host 192.168.0.112
object network obj-192.168.0.112-02
 host 192.168.0.112
object network obj-192.168.0.184-01
 host 192.168.0.184
object network obj-192.168.0.184-02
 host 192.168.0.184

object network obj-192.168.0.112-01
 nat (inside,outside) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112-02
 nat (inside,outside) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.184-01
 nat (inside,Vianet) static 209.91.162.153 service tcp https https
object network obj-192.168.0.184-02
 nat (inside,Vianet) static 209.91.162.153 service tcp www www

Expert Comment

by:Ernie Beek
ID: 35199438
I am afraid so :-~
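The original question (can the numbered `-01`, `-02` copies be merged into one object?) and this last exchange confirming that they stay both come down to one ASA 8.3 rule: a network object can carry exactly one `nat` command, which is why the migration creates one object per former `static` line. The Python audit below is an added example, not code from the thread or from Cisco. It parses migrated `object network` blocks, groups objects by host address, and reports which objects must remain (each carries a NAT rule no other object for that host has) and which are merely redundant (no NAT rule at all, or a rule another object already carries) and can be collapsed once access-list or group-object references are repointed to the kept name. The configuration sample is constructed for the example; the `-03` object with no NAT rule is invented to show the redundant case.

```python
import re
from collections import defaultdict

# Constructed sample in the shape the 8.2 -> 8.3 migration produces: one
# numbered object per NAT rule, plus an invented leftover object (-03)
# that has a host but no NAT rule.
MIGRATED_CONFIG = """\
object network obj-192.168.0.112-01
 host 192.168.0.112
object network obj-192.168.0.112-02
 host 192.168.0.112
object network obj-192.168.0.112-03
 host 192.168.0.112
object network obj-192.168.0.184-01
 host 192.168.0.184
object network obj-192.168.0.184-02
 host 192.168.0.184
object network obj-192.168.0.112-01
 nat (inside,outside) static 209.91.162.153 service tcp ssh ssh
object network obj-192.168.0.112-02
 nat (inside,outside) static 209.91.162.153 service tcp 49924 49924
object network obj-192.168.0.184-01
 nat (inside,outside) static 209.91.162.153 service tcp https https
object network obj-192.168.0.184-02
 nat (inside,outside) static 209.91.162.153 service tcp www www
"""

OBJECT_RE = re.compile(r"^object network (\S+)\s*$")


def parse_objects(config):
    """Collect the host and NAT lines of every object, keyed by name.

    'show running-config' prints each object twice (host block first, NAT
    block later), so blocks with the same name are merged.
    """
    objects = {}
    current = None
    for raw in config.splitlines():
        m = OBJECT_RE.match(raw)
        if m:
            current = m.group(1)
            objects.setdefault(current, {"host": None, "nat": []})
            continue
        line = raw.strip()
        if current is None or not line:
            continue
        if line.startswith("host "):
            objects[current]["host"] = line.split()[1]
        elif line.startswith("nat "):
            objects[current]["nat"].append(line)
    return objects


def audit_duplicates(config):
    """Return {host: {"keep": [...], "redundant": [...]}} for every host
    address that is defined by more than one object.

    ASA 8.3 object NAT allows one nat command per object, so an object whose
    NAT rule no other object for that host carries must stay. Objects with
    no NAT rule, or whose rule duplicates one already kept, are redundant.
    """
    by_host = defaultdict(list)
    for name, obj in parse_objects(config).items():
        if obj["host"]:
            by_host[obj["host"]].append((name, obj["nat"]))

    report = {}
    for host, entries in sorted(by_host.items()):
        if len(entries) < 2:
            continue
        seen_rules = set()
        keep, redundant = [], []
        for name, rules in entries:
            new_rules = [r for r in rules if r not in seen_rules]
            if new_rules:
                keep.append(name)
                seen_rules.update(new_rules)
            else:
                redundant.append(name)
        if not keep:  # no object carries a NAT rule: keep the first one
            keep.append(redundant.pop(0))
        report[host] = {"keep": keep, "redundant": redundant}
    return report


def format_report(report):
    """Render the audit as one line per host and verdict."""
    lines = []
    for host, r in report.items():
        lines.append(f"{host}: keep {', '.join(r['keep'])}")
        if r["redundant"]:
            lines.append(f"{host}: collapsible {', '.join(r['redundant'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_duplicates(MIGRATED_CONFIG)))
```

Run it over the output of `show running-config object network` followed by `show running-config nat`; objects that appear under `keep` for the same host are exactly the per-service copies the thread ends up keeping, and only the `collapsible` ones are safe to remove after their ACL references are updated.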

Author Comment

by:samashcam
ID: 35201994
Thanks erniebeek!  Really appreciate it! Guys like you make this membership soooo valuable!

Expert Comment

by:Ernie Beek
ID: 35202168
Oh stop it!

You're making me blush. :))