PIX Global and NAT statements convert to ASA

Posted on 2013-06-24
Last Modified: 2013-12-06
I am tasked with replacing an old PIX with an ASA 5505. All was fine until I got to the GLOBAL and NAT commands, when the ASA stated that these are deprecated. After reading documentation online, I unfortunately cannot wrap my head around this. The commands I need to convert are:

global (outside) 1 192.168.5.5
global (outside) 2 interface


nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0

How can I convert these for the ASA?  

Thanks
Question by:wayy2be
8 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39274770
I assume you mean to convert it to an ASA running 8.3+ code, as prior to that it was the same. However, your config seems a little "off" there.

nat (inside) 0 0.0.0.0. 0.0.0.0 0 0

means to effectively exempt everything from NAT which means

nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0

don't do anything.  And unless you have other interfaces also means the following does nothing.

global (outside) 1 192.168.5.5

And since there is no nat statement for id 2, the following also does nothing.
global (outside) 2 interface

So to duplicate this nat/global config on an ASA, just make sure nat-control is off  (no nat-control) but it isn't even there in 8.3 anymore which means that to get the same results you don't have to do anything on your ASA and it'll work the same.

Am I missing something here?
0
 

Author Comment

by:wayy2be
ID: 39283337
Hi Cyclops3590,

Here is the entire configuration that is running on the PIX right now. I need to replace the PIX with an ASA 5505. The PIX has been in production for about ten years, so there may be nat statements that have been added through the years, not sure. What would I have to change on the below configuration to replace the PIX with the ASA? Thanks for your help, I truly appreciate it.

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password k4HlcGX2lC1ypFOm encrypted
passwd y5Nu/Nt1/5dK8Iuf encrypted
hostname fw
clock timezone EST -5
clock summer-time ESD recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list permit-in permit icmp any any echo
access-list permit-in permit icmp any any echo-reply
access-list permit-in permit ip host 192.168.8.10 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.11 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.12 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.13 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.24 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.7 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.22 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.34 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.25 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.45 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.46 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.47 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.48 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.49 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.50 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.51 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.52 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.154 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.17 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.41 192.168.5.0 255.255.255.0
access-list permit-in permit tcp 192.168.7.0 255.255.255.0 host 192.168.5.36 eq https
access-list permit-in permit ip host 192.168.8.150 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.148 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.149 192.168.5.0 255.255.255.0
pager lines 24
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.15.5 255.255.255.252
ip address inside 192.168.5.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 192.168.5.251
global (outside) 2 interface
nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0
nat (inside) 1 172.16.36.0 255.255.255.0 0 0
nat (inside) 1 172.16.37.0 255.255.255.0 0 0
nat (inside) 1 172.16.38.0 255.255.255.0 0 0
nat (inside) 1 172.16.39.0 255.255.255.0 0 0
nat (inside) 1 172.16.40.0 255.255.255.0 0 0
nat (inside) 1 172.16.45.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.5.90 192.168.5.90 netmask 255.255.255.255 0 0
access-group permit-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.15.5 1
route inside 172.16.32.0 255.255.255.0 192.168.5.25 1
route inside 172.16.35.0 255.255.255.0 192.168.5.25 1
route inside 172.16.36.0 255.255.255.0 192.168.5.25 1
route inside 172.16.37.0 255.255.255.0 192.168.5.25 1
route inside 172.16.38.0 255.255.255.0 192.168.5.25 1
route inside 172.16.39.0 255.255.255.0 192.168.5.25 1
route inside 172.16.40.0 255.255.255.0 192.168.5.25 1
route inside 172.16.45.0 255.255.255.0 192.168.5.25 1
route inside 192.168.205.0 255.255.255.0 192.168.5.25 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d825bff50561364fb1ade3f2547c77ea
: end
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39283910
Are you going to buy a new ASA, or do you have one already that just needs to be configured? If you have one, can you tell me what OS version it is running? It makes a difference in syntax for some components.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39283927
If it is before 8.3, you use the same commands. Configuring the interfaces is slightly different, as it's more hierarchical, like on an IOS device, but it's very intuitive, so you shouldn't have a problem there.

If you use 8.3+, then you just remove all of the NAT-related commands. This is because nat-control is completely removed at this point, and if there is no rule for translation, it just passes the traffic (if an ACL allows it) through without any modifications. And since you have the nat (inside) 0, which effectively says don't NAT anything going from inside to anywhere, and the static is just an identity NAT, it doesn't even need to be there. All of the nat (inside) 1 commands will never be used due to the nat 0. The global (outside) 2 command is never used because there isn't a corresponding nat (inside) 2, and since none of the nat (inside) 1's will be used, the global (outside) 1 won't be used.

Though I must say I find the global (outside) 1 command odd, since you're intending to NAT inside hosts to an inside IP on the outside subnet. It'll work, as I'm guessing routing forwards it back to the PIX, just odd. But I'm unsure how routing works, as your default route is going to the outside address assigned to your outside interface.

Finally, it seems like all but one of the entries on your ACL are some subnet to 192.168.5.0/24. This is a prime candidate for using object-groups.

Example

object-group network allowed-subnets
 network-object 1.2.3.0 255.255.255.0
 ..... just add the other network-objects

then do

access-list inside-in permit ip object-group allowed-subnets 192.168.5.0 255.255.255.0

Then just maintain the object-group and it auto-updates the ACL. Makes ACLs easier to read and maintain.
0
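The object-group consolidation suggested in the comment above, worked through as an added example (this script is not from the thread or either poster). It takes PIX 6.3 access-list lines in the shape quoted in the question, collapses every "permit <proto> host <src> <dst-net> <dst-mask>" entry with the same protocol and destination into one network object-group, and rewrites the ACL in ASA 8.3+ "extended" syntax. Two things it handles that the one-line sketch does not: ACEs with ports, ranges or other shapes are passed through untouched rather than mis-merged, and if the ACL contains any deny it refuses to merge, because moving permits ahead of a deny in a first-match ACL changes what is allowed. The sample ACL is a constructed subset of the thread's "permit-in" list, and the object-group naming convention (acl_proto_to_net_prefix) is this script's own assumption, not an ASA convention. Note that the merged ACE, exactly like the originals it replaces, is "permit ip" from those outside hosts into all of 192.168.5.0/24; grouping makes that scope easier to see, it does not narrow it.

```python
import ipaddress
import re
from collections import OrderedDict

# Constructed sample, modelled on the "permit-in" ACL quoted in the thread
# (a subset of its lines, in their original order).
SAMPLE_PIX_ACL = """\
access-list permit-in permit icmp any any echo
access-list permit-in permit icmp any any echo-reply
access-list permit-in permit ip host 192.168.8.10 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.11 192.168.5.0 255.255.255.0
access-list permit-in permit tcp 192.168.7.0 255.255.255.0 host 192.168.5.36 eq https
access-list permit-in permit ip host 192.168.8.150 192.168.5.0 255.255.255.0
"""

# Only the plain "permit <proto> host <src> <dst-net> <dst-mask>" shape is merged.
# Anything with ports, ranges, "any", or a different layout is left as it is.
HOST_TO_NET_RE = re.compile(
    r"^access-list (?P<acl>\S+) permit (?P<proto>ip|icmp|tcp|udp) "
    r"host (?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<mask>[\d.]+)$"
)
PERMIT_KEYWORD_RE = re.compile(r"^(access-list \S+) permit ")


def group_name(acl, proto, dst, mask):
    """Object-group name: script's own convention, e.g. permit-in_ip_to_192-168-5-0_24."""
    net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
    return f"{acl}_{proto}_to_{str(net.network_address).replace('.', '-')}_{net.prefixlen}"


def consolidate_acl(pix_acl_text):
    """Collapse repeated host -> network permits into one object-group ACE.

    Returns (object_group_lines, acl_lines) in ASA 8.3+ syntax. Raises
    ValueError if the ACL contains a deny: the merged ACE takes the position
    of the first merged entry, which is only behaviour-preserving when no
    deny could have matched between the original entries.
    """
    lines = [ln.strip() for ln in pix_acl_text.splitlines() if ln.strip()]
    if any(re.match(r"^access-list \S+ deny ", ln) for ln in lines):
        raise ValueError("ACL contains deny entries; merge by hand to preserve first-match order")

    groups = OrderedDict()   # group name -> (proto, dst, mask, [hosts])
    acl_out = []
    for line in lines:
        m = HOST_TO_NET_RE.match(line)
        if not m:
            # Keep the ACE as written, just in ASA "extended" form.
            acl_out.append(PERMIT_KEYWORD_RE.sub(r"\1 extended permit ", line, count=1))
            continue
        name = group_name(m["acl"], m["proto"], m["dst"], m["mask"])
        if name not in groups:
            groups[name] = (m["proto"], m["dst"], m["mask"], [])
            acl_out.append(
                f"access-list {m['acl']} extended permit {m['proto']} "
                f"object-group {name} {m['dst']} {m['mask']}"
            )
        groups[name][3].append(m["src"])

    og_out = []
    for name, (_proto, _dst, _mask, hosts) in groups.items():
        og_out.append(f"object-group network {name}")
        og_out += [f" network-object host {h}" for h in hosts]
    return og_out, acl_out


if __name__ == "__main__":
    og, acl = consolidate_acl(SAMPLE_PIX_ACL)
    print("\n".join(og + [""] + acl))
```

The object-group block is emitted before the ACL because the ASA rejects an ACE that references an object-group which does not yet exist; paste it in that order, then re-apply with "access-group permit-in in interface outside" as the PIX did.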
 

Author Comment

by:wayy2be
ID: 39286113
The version is:

Cisco Adaptive Security Appliance Software Version 9.0(1)
Device Manager Version 7.1(1)52


That is what gets me lost, the whole objects thing. I just cannot seem to wrap my head around it...
0
 

Author Comment

by:wayy2be
ID: 39287189
So I am a little unclear on what I need to change. Can you clarify?
0
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 39296578
Sorry, been really busy lately and couldn't log on. What I am saying is that based on your current config of basically no translations, using the out-of-box 9.x configuration (meaning adding zero NAT commands) will work the same way as your current config.

This is because in 8.3 and above if there is no translation rule found it forwards the packet without doing any translation.  Since all you really have is identity NAT'ing in your configuration it is the same as doing zero NAT commands in 8.3 and above.
0
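The PIX-to-ASA NAT mapping discussed in this thread, as an added example that is not from the thread or either poster: a Python script that reads PIX 6.3 global/nat/static statements and emits the ASA 8.3+ object NAT that corresponds to each nat/global pair that actually matches by id. It encodes the two points made above: a nat 0 (identity) entry and an identity static produce no ASA configuration at all, because 8.3+ forwards traffic with no matching rule untranslated, and a global with no nat of the same id (or a nat with no global) was never doing anything on the PIX and is reported rather than converted. Where the PIX config has overlapping rules, as the nat 0 0.0.0.0/0 and the nat 1 /24s here do, the script does not decide which one won on the PIX; it emits the dynamic rule and attaches a note to check "show xlate" on the running PIX before keeping it, which is the check you would want before cutover. The object names (obj-<ifc>-<net>_<prefix>) are this script's own convention. The sample input is constructed from the statements quoted in the question.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the global/nat/static lines quoted from the PIX 6.3 config in the thread.
SAMPLE_PIX_NAT = """\
global (outside) 1 192.168.5.251
global (outside) 2 interface
nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.5.90 192.168.5.90 netmask 255.255.255.255 0 0
"""

GLOBAL_RE = re.compile(r"^global \((?P<ifc>\S+)\) (?P<nid>\d+) (?P<pool>\S+)")
NAT_RE = re.compile(r"^nat \((?P<ifc>\S+)\) (?P<nid>\d+) (?P<net>[\d.]+) (?P<mask>[\d.]+)")
# PIX static syntax is "static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask".
STATIC_RE = re.compile(
    r"^static \((?P<rifc>\S+),(?P<mifc>\S+)\) (?P<mapped>[\d.]+) (?P<real>[\d.]+) netmask (?P<mask>[\d.]+)"
)


def convert_pix_nat(pix_text):
    """Translate PIX 6.3 global/nat/static statements to ASA 8.3+ object NAT.

    Returns (asa_lines, notes). Anything with no 8.3+ equivalent, or that
    needs a human decision (overlap, unmatched id, unsupported form), goes
    into notes instead of being silently dropped.
    """
    pools = {}                  # (mapped_ifc, nat_id) -> "interface" or a single IP (PAT)
    nats = defaultdict(list)    # (real_ifc, nat_id) -> [ip_network]
    statics, notes = [], []
    for raw in pix_text.splitlines():
        line = raw.strip()
        g, n, s = GLOBAL_RE.match(line), NAT_RE.match(line), STATIC_RE.match(line)
        if g:
            pools[(g["ifc"], int(g["nid"]))] = g["pool"]
        elif n:
            nats[(n["ifc"], int(n["nid"]))].append(
                ipaddress.ip_network(f"{n['net']}/{n['mask']}", strict=False))
        elif s:
            statics.append(s)
        elif line.startswith(("global ", "nat ", "static ")):
            # e.g. "nat (inside) 0 access-list ..." (NAT exemption) needs twice NAT by hand.
            notes.append(f"manual review (unsupported form): {line}")

    asa = []
    identity = {ifc: nets for (ifc, nid), nets in nats.items() if nid == 0}
    for (rifc, nid), nets in sorted(nats.items()):
        if nid == 0:
            for net in nets:
                notes.append(f"nat ({rifc}) 0 {net}: identity NAT, no 8.3+ rule needed")
            continue
        targets = [(mifc, pool) for (mifc, gid), pool in pools.items() if gid == nid]
        if not targets:
            notes.append(f"nat ({rifc}) {nid}: no global with id {nid}; PIX never translated these, nothing emitted")
            continue
        for mifc, pool in targets:
            for net in nets:
                name = f"obj-{rifc}-{net.network_address}_{net.prefixlen}"
                # "dynamic <single ip>" is PAT to that address; "dynamic interface" is PAT to
                # the mapped interface address, i.e. the 8.3+ form of "global ... interface".
                asa += [f"object network {name}",
                        f" subnet {net.network_address} {net.netmask}",
                        f" nat ({rifc},{mifc}) dynamic {pool}"]
                if any(net.subnet_of(i) for i in identity.get(rifc, [])):
                    notes.append(f"{name}: also covered by nat ({rifc}) 0; check 'show xlate' on the PIX "
                                 "to see whether these hosts are really translated before keeping this rule")
    for (mifc, gid), pool in pools.items():
        if not any(nid == gid for (_, nid) in nats):
            notes.append(f"global ({mifc}) {gid} {pool}: no nat with id {gid}, unused; nothing emitted")
    for s in statics:
        if s["mask"] != "255.255.255.255":
            notes.append(f"manual review (subnet static): {s.group(0)}")
        elif s["mapped"] == s["real"]:
            notes.append(f"static {s['real']} -> itself: identity, no 8.3+ rule needed")
        else:
            asa += [f"object network obj-{s['rifc']}-{s['real']}",
                    f" host {s['real']}",
                    f" nat ({s['rifc']},{s['mifc']}) static {s['mapped']}"]
    return asa, notes


if __name__ == "__main__":
    lines, review = convert_pix_nat(SAMPLE_PIX_NAT)
    print("\n".join(lines) if lines else "! no NAT configuration needed")
    print("\n".join("! " + r for r in review))
```

Run against the thread's statements it emits two dynamic PAT objects for the 172.16.x /24s (each tagged with the overlap note) and reports the identity nat 0, the identity static and the unused global 2 as needing nothing; if "show xlate" on the PIX shows no translations for those networks, the accepted answer's "add zero NAT commands" is exactly what remains.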
 

Author Comment

by:wayy2be
ID: 39345703
I hope to try this in a few days. I will let you know if it works or it all breaks :-)
0
