Solved

ASA 5510 pre and post 8.3 NATting and ACLs

Posted on 2012-08-31
959 Views
Last Modified: 2012-09-17
In the near future I plan on updating all of my firewalls to 8.4, currently we're on a mix of 8.0 and 8.2. I've heard that if your equipment is on 8.2 there's an auto-conversion feature when upgrading to 8.3. However, I do not want to rely on that and am trying my hand at re-writing the NAT and ACLs myself. Attached is my pre 8.3 ASA 5510 config (sanitized) and a document that shows the particular sections pre 8.3 and what I think they should be after the upgrade.

Can someone take a look and let me know if these look right?
SiteA-831-Sanitize.txt
SiteA-831-8dot3changes.txt
Question by:travisryan
10 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 1000 total points
ID: 38354414
Well it looks like someone did his homework ;)

As far as I can see these look fine so no problem there.

I assume you already came across this, but if you didn't it might be helpful: http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Author Comment

by:travisryan
ID: 38354583
Thanks, that's reassuring.

I was specifically worried about the last section shown below. I wasn't sure if those 3 fit together and if I was "declaring" the objects the correct way.

-----
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 173.17.1.0 255.255.255.0
==
object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic interface

object network obj-any-01
   subnet 0.0.0.0 0.0.0.0
object network obj-173.17.1.0
   subnet 173.17.1.0 255.255.255.0
nat (inside,dmz) dynamic obj-173.17.1.0
-----
LVL 35

Expert Comment

by:Ernie Beek
ID: 38354664
Looks like someone needs a pair of glasses (me) :-~

Just checked to see if it wasn't a typo: nat (inside,dmz) dynamic obj-173.17.1.0

That should be:

nat (dmz,outside) dynamic interface
LVL 35

Expert Comment

by:Ernie Beek
ID: 38354675
Like in the link I sent you (and I quote):

Old Configuration

nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.201.3

Migrated Configuration

object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic 209.165.201.3
object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0
nat (dmz,outside) dynamic 209.165.201.3


And in your case using 'interface' instead of a public IP.

Author Comment

by:travisryan
ID: 38354736
This is where I'm confused, why would it be "nat (dmz,outside)" even though (as I understand it), you're NATting between the inside of the network and the dmz?
LVL 35

Expert Comment

by:Ernie Beek
ID: 38354813
Well looking at:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 173.17.1.0 255.255.255.0


You are natting the 173.17.1.0 network to the outside interface IP (for internet access), the same with the inside (only you're natting all possible networks there).
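To make the pairing rule Ernie describes concrete, here is an added worked example (my own script, not part of the thread and not Cisco's migration tool): it reads the pre-8.3 "nat (if) N net mask" and "global (if) N mapped" statements, pairs each nat with every global that shares its id on a different interface, and emits the 8.3 object-NAT form. It only handles plain dynamic NAT/PAT of this shape (no nat 0, no static, no policy NAT), and the object names follow the style seen on this page (obj_any, obj-<network>, a -01 suffix when a second object is needed); those naming choices are mine, not a claim about what the ASA's auto-migration produces.

```python
import re
from collections import defaultdict

# The two pre-8.3 dynamic-NAT statement forms discussed in this thread.
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")

# The poster's pre-8.3 section, taken from the question above.
LEGACY = """
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 173.17.1.0 255.255.255.0
"""


def parse_legacy(config):
    """Collect nat statements (in order) and global statements keyed by NAT id."""
    nats = []                          # (src_if, nat_id, network, mask)
    globals_by_id = defaultdict(list)  # nat_id -> [(global_if, mapped)]
    for raw in config.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            nats.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_by_id[int(m.group(2))].append((m.group(1), m.group(3)))
    return nats, globals_by_id


def object_name(network, mask, taken):
    """Name objects the way the migrated snippets on this page do (my convention):
    obj_any for 0.0.0.0/0, obj-<network> otherwise.  Object NAT allows one nat
    statement per object, so a network that needs a second rule gets a -01 suffix."""
    base = "obj_any" if (network, mask) == ("0.0.0.0", "0.0.0.0") else f"obj-{network}"
    name, n = base, 0
    while name in taken:
        n += 1
        name = f"{base}-{n:02d}"
    taken.add(name)
    return name


def migrate(config):
    """Return the 8.3-style object NAT lines for the legacy nat/global pairs."""
    nats, globals_by_id = parse_legacy(config)
    taken, out = set(), []
    for src_if, nat_id, network, mask in nats:
        if nat_id == 0:
            # nat 0 (identity / exempt NAT) migrates differently; refuse rather than guess.
            raise ValueError(f"nat ({src_if}) 0 needs manual migration")
        # A nat statement pairs with every global carrying the same id on another
        # interface.  That is why the poster's dmz rule becomes (dmz,outside): the
        # real hosts sit on dmz, the mapped address is the outside interface.
        targets = [(g_if, mapped) for g_if, mapped in globals_by_id.get(nat_id, [])
                   if g_if != src_if]
        if not targets:
            raise ValueError(f"nat ({src_if}) {nat_id} has no matching global")
        for g_if, mapped in targets:
            name = object_name(network, mask, taken)
            out.append(f"object network {name}")
            out.append(f" subnet {network} {mask}")
            out.append(f" nat ({src_if},{g_if}) dynamic {mapped}")
    return out


if __name__ == "__main__":
    print("\n".join(migrate(LEGACY)))
```

Run against the poster's three lines it prints the corrected version from this thread: obj_any with nat (inside,outside) dynamic interface and obj-173.17.1.0 with nat (dmz,outside) dynamic interface. Feeding it the Cisco example quoted earlier yields the same two objects as the guide, and a config with two globals sharing one id (say outside and dmz) shows why a single network can end up needing two objects.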

Author Comment

by:travisryan
ID: 38354833
Ok, yes, this makes sense.
LVL 35

Expert Comment

by:Ernie Beek
ID: 38355009
Even neater would be to only put in the used subnet instead of 0.0.0.0 (for inside that is).

Author Comment

by:travisryan
ID: 38355204
We have multiple internal subnets so that statement would get complicated quickly.
LVL 35

Expert Comment

by:Ernie Beek
ID: 38355356
Ah, ok. Then this is the easiest way.