NAT command conversion PIX 6.3 > 8.4(2)

Hello,
 
 
I am in the process of migrating a production firewall from PIX 6.3 to ASA 8.4(2). This is going to be a complete firewall rebuild and I will not be upgrading the configs because they have become out of date and very bloated. I am in the process of converting the NAT commands and I was hoping somebody could verify my conversions. Please see the old and new commands below.
 
 
-----------OLD Commands-----------
 
 
global (outside) 1 interface
global (intApps) 2 interface
 
 
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 10.1.1.233 255.255.255.255 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
 
 
static (inside,intApps) 10.1.2.0 10.1.2.0 netmask 255.255.255.0 0 0
static (inside,intApps) 10.1.3.0 10.1.3.0 netmask 255.255.255.0 0 0
static (inside,intApps) 10.1.4.0 10.1.4.0 netmask 255.255.255.0 0 0
 
 
static (inside,intApps) 172.1.1.176 10.1.5.176 netmask 255.255.255.240 0 0
static (inside,intApps) 172.1.2.176 10.1.6.176 netmask 255.255.255.240 0
 
 
-----------NEW Commands-----------
 
 
object network host_1
        host 10.1.1.233
nat (inside,intapps) dynamic interface
 
 
 
 
object network NAT-Range-Network_1
        subnet 172.1.1.177 172.1.1.190
 
 
object network Network_1
        subnet 10.1.5.176 255.255.255.240
nat (inside,intapps) static NAT-Range-Network_1
object network NAT-Range-Network_2
        subnet 172.1.2.177 172.1.2.190
 
object network Network_2
        subnet 10.1.6.176 255.255.255.240
nat (inside,intapps) static NAT-Range-Network_2

-----------------------------------
 
 
I am hoping these commands would be enough to replicate the previous functionality. I removed all the static identity NATs because NAT control is no longer in place so those rules are not required. Additionally I didn't re-create the rules that had NAT ID 0 or 1 because it didn't look like they were doing anything.
 
 
Also can someone please let me know if that is the correct way to do the static NAT commands at the bottom.
 
 
Please let me know if this configuration will work or where I need to correct some things.
 
 
Thanks!
isclicensing asked:

John Meggers, Network Architect, commented:
I know you're looking for an answer so I'll take a shot.

First, I suspect you have a typo in your configs as listed, and "nat (inside) 0 0.0.0.0 0.0.0.0" should be nat 1 instead.  But maybe I'm wrong on that.

We also don't see what your no-nat ACL is, but assuming it is a subnet for, say, a VPN pool, the standard 8.3 (and later) config looks like this. So if your ACL looked like "permit ip any 192.168.254.0 255.255.255.0", the config should look like:

object network obj-no-nat
 subnet 192.168.254.0 255.255.255.0

nat (inside,outside) 1 source static any any destination static obj-no-nat obj-no-nat

As for the statics, I haven't seen it done like that, and I suspect where you're trying to define a range of addresses you should use an actual subnet mask. So I would expect

object network NAT-Range-Network_1
        subnet 172.1.1.177 172.1.1.190

should instead look like

object network NAT-Range-Network_1
        subnet 172.1.1.176 255.255.255.240

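As an added example (not code from either poster), a small Python converter that rewrites the PIX 6.3 static lines quoted in the question into the 8.3+ object-NAT form described in the answer: it uses the subnet mask rather than an address range, drops identity statics as the question's author did, and rejects a mapped or real address that is not on the mask boundary. The object names follow the question's own naming and the sample input is constructed from the question's commands.

```python
import ipaddress
import re

# Constructed sample input: the PIX 6.3 static lines quoted in the question.
PIX_STATICS = """\
static (inside,intApps) 10.1.2.0 10.1.2.0 netmask 255.255.255.0 0 0
static (inside,intApps) 172.1.1.176 10.1.5.176 netmask 255.255.255.240 0 0
static (inside,intApps) 172.1.2.176 10.1.6.176 netmask 255.255.255.240 0
"""

# PIX 6.3 form: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [max_conns [em_limit]]
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)"
)

def object_lines(name, net):
    """Emit an 'object network' block: a /32 becomes 'host', anything else 'subnet ip mask'."""
    if net.prefixlen == 32:
        return [f"object network {name}", f" host {net.network_address}"]
    return [f"object network {name}", f" subnet {net.network_address} {net.netmask}"]

def convert_static(line, index):
    """Convert one PIX static; returns ('identity' | 'static', list of ASA config lines)."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PIX static command: {line!r}")
    # strict=True rejects an address off the mask boundary (e.g. 172.1.1.177 with a /28 mask).
    real = ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=True)
    mapped = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=True)
    if real == mapped:
        # Identity static: only needed under nat-control, which 8.3+ no longer has.
        return "identity", [f"! identity static for {real} dropped (no nat-control on 8.3+)"]
    mapped_obj, real_obj = f"NAT-Range-Network_{index}", f"Network_{index}"
    lines = object_lines(mapped_obj, mapped) + object_lines(real_obj, real)
    lines.append(f" nat ({m['real_ifc']},{m['mapped_ifc']}) static {mapped_obj}")
    return "static", lines

def convert_all(text):
    """Convert every non-blank line; numbers only the statics that survive."""
    out, n = [], 1
    for line in text.splitlines():
        if line.strip():
            kind, lines = convert_static(line, n)
            out.extend(lines)
            n += kind == "static"
    return out

if __name__ == "__main__":
    print("\n".join(convert_all(PIX_STATICS)))
```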
isclicensing (Author) commented:
Thanks for the info. It was a typo on my part in the range command; I was supposed to have the correct subnet. Also, that was not a typo on the dynamic NAT, it actually was at 0, which is why I assumed there was no NAT occurring from that rule.

Thanks!