NAT command conversion PIX 6.3 > 8.4(2)

isclicensing
Hello,
 
 
I am in the process of migrating a production firewall from PIX 6.3 to ASA 8.4(2). This is going to be a complete firewall rebuild and I will not be upgrading the configs because they have become out of date and very bloated. I am in the process of converting the NAT commands and I was hoping somebody could verify my conversions. Please see the old and new commands below.
 
 
-----------OLD Commands-----------
 
 
global (outside) 1 interface
global (intApps) 2 interface
 
 
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 10.1.1.233 255.255.255.255 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
 
 
static (inside,intApps) 10.1.2.0 10.1.2.0 netmask 255.255.255.0 0 0
static (inside,intApps) 10.1.3.0 10.1.3.0 netmask 255.255.255.0 0 0
static (inside,intApps) 10.1.4.0 10.1.4.0 netmask 255.255.255.0 0 0
 
 
static (inside,intApps) 172.1.1.176 10.1.5.176 netmask 255.255.255.240 0 0
static (inside,intApps) 172.1.2.176 10.1.6.176 netmask 255.255.255.240 0
 
 
---------------------------------NEW Commands-------------------------------------------------
 
 
object network host_1
        host 10.1.1.233
nat (inside,intapps) dynamic interface


object network NAT-Range-Network_1
        subnet 172.1.1.177 172.1.1.190
 
 
object network Network_1
        subnet 10.1.5.176 255.255.255.240
nat (inside,intapps) static NAT-Range-Network_1


object network NAT-Range-Network_2
        subnet 172.1.2.177 172.1.2.190
 
object network Network_2
        subnet 10.1.6.176 255.255.255.240
nat (inside,intapps) static NAT-Range-Network_2


-----------------------------------------------------------------------------------------------------
 
 
I am hoping these commands would be enough to replicate the previous functionality. I removed all the static identity NATs because NAT control is no longer in place, so those rules are not required. Additionally, I didn't re-create the rules that had NAT ID 0 or 1 because it didn't look like they were doing anything.
 
 
Also, can someone please let me know if that is the correct way to do the static NAT commands at the bottom?
 
 
Please let me know if this configuration will work or where I need to correct some things.
 
 
Thanks!
Network Architect
Commented:
I know you're looking for an answer so I'll take a shot.  

First, I suspect you have a typo in your configs as listed, and "nat (inside) 0 0.0.0.0 0.0.0.0" should be nat 1 instead.  But maybe I'm wrong on that.

We also don't see what your no-nat ACL is, but assuming it is a subnet for, for example, a VPN pool, the standard 8.3 (and later) config looks like this. So if your ACL looked like "permit ip any 192.168.254.0 255.255.255.0", the config should look like:

object network obj-no-nat
 subnet 192.168.254.0 255.255.255.0

nat (inside,outside) 1 source static any any destination static obj-no-nat obj-no-nat

As for the statics, I haven't seen it done like that, and I suspect where you're trying to define a range of addresses, you should use an actual subnet mask. So I would expect

object network NAT-Range-Network_1
        subnet 172.1.1.177 172.1.1.190

should instead look like

object network NAT-Range-Network_1
        subnet 172.1.1.176 255.255.255.240
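As an added example that is not part of this thread or of any Cisco tooling, the following Python script mechanically rewrites PIX 6.3 static commands into the 8.3+ object NAT form discussed above: it derives the aligned subnet from the PIX netmask rather than typing an address range, and it skips identity statics (mapped == real) the way the question does, since NAT control no longer exists. The names STATIC_RE, convert_static and convert_config, and the REAL_/MAPPED_ object-name prefixes, are conventions chosen here, not anything from the thread.

```python
import ipaddress
import re

# PIX 6.3 syntax: static (real_ifc,mapped_ifc) MAPPED REAL netmask MASK [max_conns [emb_limit]]
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>[^,\s]+)\s*,\s*(?P<mapped_ifc>[^)\s]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)"
)

def _object_lines(name, net):
    """Emit an ASA 'object network' block with a host or subnet statement."""
    if net.prefixlen == 32:
        return [f"object network {name}", f" host {net.network_address}"]
    return [f"object network {name}", f" subnet {net.network_address} {net.netmask}"]

def convert_static(line, drop_identity=True):
    """Convert one PIX 6.3 static command into ASA 8.3+ object NAT lines.

    Returns None for non-static lines and [] for identity statics (mapped == real)
    when drop_identity is set; those only satisfied PIX NAT control.
    """
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    # The one netmask applies to both sides; strict=False derives the aligned
    # network from the address as typed (172.1.1.176/28 stays 172.1.1.176).
    real_net = ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=False)
    mapped_net = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False)
    if drop_identity and real_net == mapped_net:
        return []
    real_name = f"REAL_{real_net.network_address}".replace(".", "_")
    mapped_name = f"MAPPED_{mapped_net.network_address}".replace(".", "_")
    # Define the mapped object first: the nat line under the real object refers to it.
    out = _object_lines(mapped_name, mapped_net) + _object_lines(real_name, real_net)
    out.append(f" nat ({m['real_ifc']},{m['mapped_ifc']}) static {mapped_name}")
    return out

def convert_config(text):
    """Convert every static line of an old config, preserving order; other lines are dropped."""
    out = []
    for line in text.splitlines():
        converted = convert_static(line)
        if converted:
            out.extend(converted)
    return out

if __name__ == "__main__":
    # Constructed sample in the shape of the commands in the question.
    OLD = """static (inside,intApps) 10.1.2.0 10.1.2.0 netmask 255.255.255.0 0 0
static (inside,intApps) 172.1.1.176 10.1.5.176 netmask 255.255.255.240 0 0"""
    print("\n".join(convert_config(OLD)))
```

The global/nat pairs (dynamic PAT) and the nat 0 access-list case are not handled; they need the twice-NAT form shown in the comment above and have to be converted by hand.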

Author

Commented:
Thanks for the info. It was a typo on my part in the range command; I was supposed to have the correct subnet. Also, that was not a typo on the dynamic NAT; it actually was at 0, which is why I assumed there was no NAT occurring from that rule.

Thanks!
