Solved

PIX Global and NAT statements convert to ASA

Posted on 2013-06-24
8
475 Views
Last Modified: 2013-12-06
I am tasked with replacing a old PIX with a ASA 5505. All was fine until I got to the GLOBAL and NAT commands, when the ASA stated that these are deprecated. After reading documentation online, I unfortunately cannot wrap my head around this.  The commands I need to covert are:

global (outside) 1 192.168.5.5
global (outside) 2 interface


nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0. 0.0.0.0 0 0

How can I convert these for the ASA?  

Thanks
0
Comment
Question by:wayy2be
  • 4
  • 4
8 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
Comment Utility
I assume you mean to convert it to an ASA running 8.3+ code as prior to that it was the same.  However, you're config seems a little "off" there.  

nat (inside) 0 0.0.0.0. 0.0.0.0 0 0

means to effectively exempt everything from NAT which means

nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0

don't do anything.  And unless you have other interfaces also means the following does nothing.

global (outside) 1 192.168.5.5

And since there is no nat statement for id 2, the following also does nothing.
global (outside) 2 interface

So to duplicate this nat/global config on an ASA, just make sure nat-control is off  (no nat-control) but it isn't even there in 8.3 anymore which means that to get the same results you don't have to do anything on your ASA and it'll work the same.

Am I missing something here?
0
 

Author Comment

by:wayy2be
Comment Utility
Hi Cyclops3590,

Here is the entire configuration that is running on the PIX right now. I need to replace the PIX with an ASA 5505. The PIX has been in production for about ten years so there may be nat statements that have been added through the years, not sure. What would I have to change on the below configuration to replace the PIX with the ASA?  Thanks for your help, I truly appreciate it.

PIX Version 6.3(3)

interface ethernet0 100full

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password k4HlcGX2lC1ypFOm encrypted

passwd y5Nu/Nt1/5dK8Iuf encrypted

hostname fw

clock timezone EST -5

clock summer-time ESD recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

no fixup protocol sip 5060

no fixup protocol sip udp 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list permit-in permit icmp any any echo

access-list permit-in permit icmp any any echo-reply

access-list permit-in permit ip host 192.168.8.10 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.11 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.12 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.13 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.24 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.7 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.22 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.34 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.25 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.45 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.46 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.47 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.48 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.49 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.50 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.51 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.52 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.154 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.17 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.41 192.168.5.0 255.255.255.0

access-list permit-in permit tcp 192.168.7.0 255.255.255.0 host 192.168.5.36 eq https

access-list permit-in permit ip host 192.168.8.150 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.148 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.149 192.168.5.0 255.255.255.0

pager lines 24

logging console debugging

logging monitor debugging

mtu outside 1500

mtu inside 1500

ip address outside 192.168.15.5 255.255.255.252

ip address inside 192.168.5.5 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 192.168.5.251

global (outside) 2 interface

nat (inside) 1 172.16.32.0 255.255.255.0 0 0

nat (inside) 1 172.16.35.0 255.255.255.0 0 0

nat (inside) 1 172.16.36.0 255.255.255.0 0 0

nat (inside) 1 172.16.37.0 255.255.255.0 0 0

nat (inside) 1 172.16.38.0 255.255.255.0 0 0

nat (inside) 1 172.16.39.0 255.255.255.0 0 0

nat (inside) 1 172.16.40.0 255.255.255.0 0 0

nat (inside) 1 172.16.45.0 255.255.255.0 0 0

nat (inside) 0 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 192.168.5.90 192.168.5.90 netmask 255.255.255.255 0 0

access-group permit-in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.15.5 1

route inside 172.16.32.0 255.255.255.0 192.168.5.25 1

route inside 172.16.35.0 255.255.255.0 192.168.5.25 1

route inside 172.16.36.0 255.255.255.0 192.168.5.25 1

route inside 172.16.37.0 255.255.255.0 192.168.5.25 1

route inside 172.16.38.0 255.255.255.0 192.168.5.25 1

route inside 172.16.39.0 255.255.255.0 192.168.5.25 1

route inside 172.16.40.0 255.255.255.0 192.168.5.25 1

route inside 172.16.45.0 255.255.255.0 192.168.5.25 1

route inside 192.168.205.0 255.255.255.0 192.168.5.25 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 192.168.5.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:d825bff50561364fb1ade3f2547c77ea

: end
0
 
LVL 25

Expert Comment

by:Cyclops3590
Comment Utility
are you going to buy a new ASA or do you have one already that just needs to be configured?  If you have one, can you tell me what OS version it is running?  It makes a difference in syntax for some components
0
 
LVL 25

Expert Comment

by:Cyclops3590
Comment Utility
if it is before 8.3 you use the same commands.  Configuring of the interfaces are slightly different as its more hierarchical like on an IOS device but its very intuitive so you shouldn't have a problem there.  

If you use 8.3+ then you just remove all of the nat related commands.  This is because nat-control is completely removed at this point and if there is no rule for translation then it just passes the traffic (if an ACL allows it) thru without any modifications.  And since you have the nat (inside) 0 which effectively says don't NAT anything going from inside to anywhere and the static is just an identity NAT it doesn't even need to be there.  All of the nat (inside) 1 commands will never be used due to the nat 0.  The global (outside) 2 command is never used because there isn't a corresponding nat (inside) 2 and since none of the nat (inside) 1's will be used, the global (outside) 1 won't be used.

Though I must say I find the global (outside) 1 command odd since you're intending to NAT inside hosts to an inside IP on the outside subnet.  It'll work as I'm guessing routing forwards it back to the PIX, just odd.  But I'm unsure how routing works as your default route is going to the outside address assigned to your outside interface.

Finally, it seems like all but one of the entries on your ACL is some subnet to 192.168.5.0/24.  This is a prime candidate for using object-groups.

Example

object-group network allowed-subnets
   network-object  1.2.3.4.0 255.255.255.0
  .....  just add the other network-objects

then do
access-list inside-in permit ip object-group allowed-subnets 192.168.5.0 255.255.255.0

Then just maintain the object-group and it auto-updates the ACL.  Makes ACLs easier to read and maintain.
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 

Author Comment

by:wayy2be
Comment Utility
The version is:

Cisco Adaptive Security Appliance Software Version 9.0(1)
Device Manager Version 7.1(1)52


That is what gets me lost, the whole objects thing. I just cannot seem to wrap me head around it...
0
 

Author Comment

by:wayy2be
Comment Utility
So I am a little unclear on what I need to change. Can you clarify?
0
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
Comment Utility
sorry, been really busy lately and couldn't log on.  What I am saying is that based on your current config of basically no translations, using the out of box 9.x configuration (meaning adding zero NAT commands) will work the same way as your current config.

This is because in 8.3 and above if there is no translation rule found it forwards the packet without doing any translation.  Since all you really have is identity NAT'ing in your configuration it is the same as doing zero NAT commands in 8.3 and above.
0
 

Author Comment

by:wayy2be
Comment Utility
I hope to try this in a few days. I will let you know if it works or it all breaks :-)
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now