PIX Global and NAT statements convert to ASA

I assume you mean to convert it to an ASA running 8.3+ code as prior to that it was the same.  However, you're config seems a little "off" there.  

nat (inside) 0 0.0.0.0. 0.0.0.0 0 0

means to effectively exempt everything from NAT which means

nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0

don't do anything.  And unless you have other interfaces also means the following does nothing.

global (outside) 1 192.168.5.5

And since there is no nat statement for id 2, the following also does nothing.
global (outside) 2 interface

So to duplicate this nat/global config on an ASA, just make sure nat-control is off  (no nat-control) but it isn't even there in 8.3 anymore which means that to get the same results you don't have to do anything on your ASA and it'll work the same.

Am I missing something here?

Hi Cyclops3590,

Here is the entire configuration that is running on the PIX right now. I need to replace the PIX with an ASA 5505. The PIX has been in production for about ten years so there may be nat statements that have been added through the years, not sure. What would I have to change on the below configuration to replace the PIX with the ASA?  Thanks for your help, I truly appreciate it.

PIX Version 6.3(3)

interface ethernet0 100full

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password k4HlcGX2lC1ypFOm encrypted

passwd y5Nu/Nt1/5dK8Iuf encrypted

hostname fw

clock timezone EST -5

clock summer-time ESD recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

no fixup protocol sip 5060

no fixup protocol sip udp 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list permit-in permit icmp any any echo

access-list permit-in permit icmp any any echo-reply

access-list permit-in permit ip host 192.168.8.10 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.11 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.12 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.13 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.24 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.7 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.22 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.34 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.25 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.45 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.46 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.47 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.48 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.49 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.50 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.51 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.52 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.154 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.17 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.41 192.168.5.0 255.255.255.0

access-list permit-in permit tcp 192.168.7.0 255.255.255.0 host 192.168.5.36 eq https

access-list permit-in permit ip host 192.168.8.150 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.148 192.168.5.0 255.255.255.0

access-list permit-in permit ip host 192.168.8.149 192.168.5.0 255.255.255.0

pager lines 24

logging console debugging

logging monitor debugging

mtu outside 1500

mtu inside 1500

ip address outside 192.168.15.5 255.255.255.252

ip address inside 192.168.5.5 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 192.168.5.251

global (outside) 2 interface

nat (inside) 1 172.16.32.0 255.255.255.0 0 0

nat (inside) 1 172.16.35.0 255.255.255.0 0 0

nat (inside) 1 172.16.36.0 255.255.255.0 0 0

nat (inside) 1 172.16.37.0 255.255.255.0 0 0

nat (inside) 1 172.16.38.0 255.255.255.0 0 0

nat (inside) 1 172.16.39.0 255.255.255.0 0 0

nat (inside) 1 172.16.40.0 255.255.255.0 0 0

nat (inside) 1 172.16.45.0 255.255.255.0 0 0

nat (inside) 0 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 192.168.5.90 192.168.5.90 netmask 255.255.255.255 0 0

access-group permit-in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.15.5 1

route inside 172.16.32.0 255.255.255.0 192.168.5.25 1

route inside 172.16.35.0 255.255.255.0 192.168.5.25 1

route inside 172.16.36.0 255.255.255.0 192.168.5.25 1

route inside 172.16.37.0 255.255.255.0 192.168.5.25 1

route inside 172.16.38.0 255.255.255.0 192.168.5.25 1

route inside 172.16.39.0 255.255.255.0 192.168.5.25 1

route inside 172.16.40.0 255.255.255.0 192.168.5.25 1

route inside 172.16.45.0 255.255.255.0 192.168.5.25 1

route inside 192.168.205.0 255.255.255.0 192.168.5.25 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 192.168.5.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:d825bff50561364fb1ade3f2547c77ea

: end

are you going to buy a new ASA or do you have one already that just needs to be configured?  If you have one, can you tell me what OS version it is running?  It makes a difference in syntax for some components

if it is before 8.3 you use the same commands.  Configuring of the interfaces are slightly different as its more hierarchical like on an IOS device but its very intuitive so you shouldn't have a problem there.  

If you use 8.3+ then you just remove all of the nat related commands.  This is because nat-control is completely removed at this point and if there is no rule for translation then it just passes the traffic (if an ACL allows it) thru without any modifications.  And since you have the nat (inside) 0 which effectively says don't NAT anything going from inside to anywhere and the static is just an identity NAT it doesn't even need to be there.  All of the nat (inside) 1 commands will never be used due to the nat 0.  The global (outside) 2 command is never used because there isn't a corresponding nat (inside) 2 and since none of the nat (inside) 1's will be used, the global (outside) 1 won't be used.

Though I must say I find the global (outside) 1 command odd since you're intending to NAT inside hosts to an inside IP on the outside subnet.  It'll work as I'm guessing routing forwards it back to the PIX, just odd.  But I'm unsure how routing works as your default route is going to the outside address assigned to your outside interface.

Finally, it seems like all but one of the entries on your ACL is some subnet to 192.168.5.0/24.  This is a prime candidate for using object-groups.

Example

object-group network allowed-subnets
   network-object  1.2.3.4.0 255.255.255.0
  .....  just add the other network-objects

then do
access-list inside-in permit ip object-group allowed-subnets 192.168.5.0 255.255.255.0

Then just maintain the object-group and it auto-updates the ACL.  Makes ACLs easier to read and maintain.

The version is:

Cisco Adaptive Security Appliance Software Version 9.0(1)
Device Manager Version 7.1(1)52


That is what gets me lost, the whole objects thing. I just cannot seem to wrap me head around it...

So I am a little unclear on what I need to change. Can you clarify?

I hope to try this in a few days. I will let you know if it works or it all breaks :-)