Cisco ASA 5520 convert pre-8.3 NAT rules to 8.3 NAT rules

SvenIA
Hi Experts,

I'm struggling with the new NAT rules in the new Cisco IOS software. I see a lot of examples on the internet, but I have to know for sure that I have the correct new NAT rules.

I have the old rules in a copy of the running config. This afternoon I have to implement the rules in the new format in an ASA5520 firewall. I was hoping that someone could give me a hand in converting a few of these rules. Here they are:

- global (outside) 2 192.168.80.1-192.168.80.254 netmask 255.255.255.0

- global (outside) 1 interface

- nat (outside) 0 access-list outside_nat0_inbound outside

- nat (inside) 1 132.147.192.0 255.255.192.0

- static (inside,outside) tcp 194.122.137.91 smtp 10.10.2.34 smtp netmask 255.255.255.255

- static (outside,inside) 10.10.2.50 192.168.80.2 netmask 255.255.255.255


I know it's a lot to ask, but I hope that someone can help me out here!

The upgrade process from 8.2.x to 8.3.1 _should_ automatically upgrade the NAT rules.

It is worthwhile reading through this document.

ACLs now reference the native source and destination, so an ACL to allow inbound SMTP would look like

access-list SMTP-IN extended permit tcp any object <private IP> eq smtp

Using objects, the NAT rule would look like

object service tcp-smtp
 service tcp source eq smtp

nat (inside,outside) source static <private IP> <public IP> service tcp-smtp tcp-smtp
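
The rules from the question, rewritten by hand in 8.3 object-NAT form, as an added example that is not part of the original answers. The object names (`obj-*`) and the ACL name `outside_access_in` are constructed for illustration; the addresses are the ones in the question.

```cisco
! Added example. Object and ACL names are constructed, not from the original config.

! Was: global (outside) 1 interface
!      nat (inside) 1 132.147.192.0 255.255.192.0
object network obj-132.147.192.0
 subnet 132.147.192.0 255.255.192.0
 nat (inside,outside) dynamic interface

! Was: static (inside,outside) tcp 194.122.137.91 smtp 10.10.2.34 smtp netmask 255.255.255.255
object network obj-10.10.2.34
 host 10.10.2.34
 nat (inside,outside) static 194.122.137.91 service tcp smtp smtp

! From 8.3 on, the interface ACL matches the real (untranslated) address,
! so the inbound SMTP permit points at 10.10.2.34, not 194.122.137.91.
access-list outside_access_in extended permit tcp any object obj-10.10.2.34 eq smtp

! Was: static (outside,inside) 10.10.2.50 192.168.80.2 netmask 255.255.255.255
! Pre-8.3 argument order is "mapped real": 192.168.80.2 is the real host on
! the outside interface and 10.10.2.50 is how the inside network sees it.
object network obj-192.168.80.2
 host 192.168.80.2
 nat (outside,inside) static 10.10.2.50

! Not converted here:
!  - global (outside) 2 192.168.80.1-192.168.80.254: no matching "nat (<if>) 2"
!    statement appears in the question, so the source network is unknown.
!  - nat (outside) 0 access-list outside_nat0_inbound outside: the entries of
!    outside_nat0_inbound are not shown, and the 8.3 equivalent depends on them.
```

After applying, `show nat detail` lists the resulting rules and their order, and `packet-tracer` can confirm which rule and ACL entry an inbound SMTP connection actually hits.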

Author

Commented:
Thanks for the reply!!

Are the ACLs converted automatically also?

What is the best upgrade path from 7.1(2) to 8.44? On a Cisco website I read the supported path is:

7.2 --> 8.0 --> 8.2 --> 8.3

But what if I want to go to 8.4?

For the ASA to automatically upgrade the config you need to follow each step.

The only guide I can find at the moment is http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

I presume that as you are upgrading you have Smartnet Support; this allows you to ask TAC to confirm the exact upgrade release versions you should use to get to 8.4.3.

Have you also upgraded the memory in the ASA?

Author

Commented:
Thanks,

Yes, there is a Smartnet contract. I bought a 1GB mem module, so I think I'm good to go!
