wayy2be
PIX Global and NAT statements convert to ASA
I am tasked with replacing an old PIX with an ASA 5505. All was fine until I got to the GLOBAL and NAT commands, when the ASA stated that these are deprecated. After reading documentation online, I unfortunately cannot wrap my head around this. The commands I need to convert are:
global (outside) 1 192.168.5.5
global (outside) 2 interface
nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
How can I convert these for the ASA?
Thanks
ASKER
Hi Cyclops3590,
Here is the entire configuration that is running on the PIX right now. I need to replace the PIX with an ASA 5505. The PIX has been in production for about ten years so there may be nat statements that have been added through the years, not sure. What would I have to change on the below configuration to replace the PIX with the ASA? Thanks for your help, I truly appreciate it.
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password k4HlcGX2lC1ypFOm encrypted
passwd y5Nu/Nt1/5dK8Iuf encrypted
hostname fw
clock timezone EST -5
clock summer-time ESD recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list permit-in permit icmp any any echo
access-list permit-in permit icmp any any echo-reply
access-list permit-in permit ip host 192.168.8.10 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.11 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.12 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.13 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.24 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.7 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.22 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.34 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.25 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.45 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.46 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.47 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.48 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.49 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.50 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.51 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.52 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.154 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.17 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.41 192.168.5.0 255.255.255.0
access-list permit-in permit tcp 192.168.7.0 255.255.255.0 host 192.168.5.36 eq https
access-list permit-in permit ip host 192.168.8.150 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.148 192.168.5.0 255.255.255.0
access-list permit-in permit ip host 192.168.8.149 192.168.5.0 255.255.255.0
pager lines 24
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.15.5 255.255.255.252
ip address inside 192.168.5.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 192.168.5.251
global (outside) 2 interface
nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0
nat (inside) 1 172.16.36.0 255.255.255.0 0 0
nat (inside) 1 172.16.37.0 255.255.255.0 0 0
nat (inside) 1 172.16.38.0 255.255.255.0 0 0
nat (inside) 1 172.16.39.0 255.255.255.0 0 0
nat (inside) 1 172.16.40.0 255.255.255.0 0 0
nat (inside) 1 172.16.45.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.5.90 192.168.5.90 netmask 255.255.255.255 0 0
access-group permit-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.15.5 1
route inside 172.16.32.0 255.255.255.0 192.168.5.25 1
route inside 172.16.35.0 255.255.255.0 192.168.5.25 1
route inside 172.16.36.0 255.255.255.0 192.168.5.25 1
route inside 172.16.37.0 255.255.255.0 192.168.5.25 1
route inside 172.16.38.0 255.255.255.0 192.168.5.25 1
route inside 172.16.39.0 255.255.255.0 192.168.5.25 1
route inside 172.16.40.0 255.255.255.0 192.168.5.25 1
route inside 172.16.45.0 255.255.255.0 192.168.5.25 1
route inside 192.168.205.0 255.255.255.0 192.168.5.25 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d825bff50561364fb1ade3f2547c77ea
: end
Are you going to buy a new ASA or do you have one already that just needs to be configured? If you have one, can you tell me what OS version it is running? It makes a difference in syntax for some components.
If it is before 8.3 you use the same commands. Configuring the interfaces is slightly different as it's more hierarchical like on an IOS device, but it's very intuitive so you shouldn't have a problem there.
If you use 8.3+ then you just remove all of the NAT-related commands. This is because nat-control is completely removed at this point and if there is no rule for translation then it just passes the traffic (if an ACL allows it) through without any modifications. And since you have the nat (inside) 0 which effectively says don't NAT anything going from inside to anywhere, and the static is just an identity NAT, it doesn't even need to be there. All of the nat (inside) 1 commands will never be used due to the nat 0. The global (outside) 2 command is never used because there isn't a corresponding nat (inside) 2, and since none of the nat (inside) 1's will be used, the global (outside) 1 won't be used.
Though I must say I find the global (outside) 1 command odd since you're intending to NAT inside hosts to an inside IP on the outside subnet. It'll work as I'm guessing routing forwards it back to the PIX, just odd. But I'm unsure how routing works as your default route is going to the outside address assigned to your outside interface.
Finally, it seems like all but one of the entries on your ACL is some subnet to 192.168.5.0/24. This is a prime candidate for using object-groups.
Example
object-group network allowed-subnets
network-object 1.2.3.0 255.255.255.0
..... just add the other network-objects
then do
access-list inside-in permit ip object-group allowed-subnets 192.168.5.0 255.255.255.0
Then just maintain the object-group and it auto-updates the ACL. Makes ACLs easier to read and maintain.
ASKER
The version is:
Cisco Adaptive Security Appliance Software Version 9.0(1)
Device Manager Version 7.1(1)52
That is what gets me lost, the whole objects thing. I just cannot seem to wrap my head around it...
ASKER
So I am a little unclear on what I need to change. Can you clarify?
ASKER
I hope to try this in a few days. I will let you know if it works or it all breaks :-)
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
means to effectively exempt everything from NAT which means
nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0
don't do anything. And unless you have other interfaces also means the following does nothing.
global (outside) 1 192.168.5.5
And since there is no nat statement for id 2, the following also does nothing.
global (outside) 2 interface
So to duplicate this nat/global config on an ASA, just make sure nat-control is off (no nat-control) but it isn't even there in 8.3 anymore which means that to get the same results you don't have to do anything on your ASA and it'll work the same.
Am I missing something here?
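For anyone carrying a longer PIX 6.3 config across, here is the syntax mapping from the thread as a script rather than by hand. This is an added example, not code from the thread or from Cisco. It parses the `global`, `nat` and `static` lines, emits the ASA 8.3+ object-NAT equivalent for the dynamic rules (a single global address becomes a host object used for dynamic PAT, `interface` becomes PAT to the interface address, and, going a little beyond the thread, an address range becomes a range object used for dynamic NAT), and reports what needs no rule at all on 8.3+: the `nat 0` identity entries and the identity static. It does not decide which of two overlapping pre-8.3 statements the PIX was actually applying; where a `nat 0` network contains a numbered `nat` network it tells you to look at `show xlate` on the running PIX before choosing. Object names are generated here and are assumptions, not anything from the original configuration.

```python
"""Map PIX 6.3 global/nat/static statements onto ASA 8.3+ object NAT.

Added example for this thread, not the poster's code or Cisco's.  Encoded mapping:
  global (ifc) N A.B.C.D          -> host object, dynamic PAT address
  global (ifc) N A.B.C.D-W.X.Y.Z  -> range object, dynamic NAT pool
  global (ifc) N interface        -> dynamic PAT to the interface address
  nat (ifc) N NET MASK            -> object network for the real subnet + nat rule
  nat (ifc) 0 NET MASK            -> identity NAT: nothing to configure on 8.3+
  static (a,b) X X netmask M      -> identity static: nothing to configure on 8.3+
"""
import ipaddress
import re

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


def parse_pix(config):
    """Return (pools {id: (mapped_ifc, mapped)}, nats [(ifc, id, net)], statics, notes)."""
    pools, nats, statics, notes = {}, [], [], []
    for raw in config.splitlines():
        line = raw.strip()
        g, n, s = GLOBAL_RE.match(line), NAT_RE.match(line), STATIC_RE.match(line)
        if g:
            iface, nat_id, mapped = g.groups()
            if int(nat_id) in pools:      # a second pool for the same id (fallback) is not modelled
                notes.append(f"second global for id {nat_id} ({mapped}) ignored; first pool kept")
            else:
                pools[int(nat_id)] = (iface, mapped)
        elif n:
            iface, nat_id, net, mask = n.groups()
            if net == "access-list":      # policy / exempt NAT needs the ACL: left for a human
                notes.append(f"nat ({iface}) {nat_id} access-list {mask}: policy/exempt NAT, convert by hand")
                continue
            nats.append((iface, int(nat_id), ipaddress.ip_network(f"{net}/{mask}", strict=False)))
        elif s:
            statics.append(s.groups())
    return pools, nats, statics, notes


def mapped_object(mapped):
    """ASA object lines for one global entry, plus the name to reference in the nat rule."""
    if mapped == "interface":
        return [], "interface"
    if "-" in mapped:                     # address range: dynamic NAT pool
        lo, hi = mapped.split("-")
        name = f"pool-{lo}-{hi}"
        return [f"object network {name}", f" range {lo} {hi}"], name
    name = f"pat-{mapped}"                # single address: dynamic PAT
    return [f"object network {name}", f" host {mapped}"], name


def convert(config):
    """Return (asa_lines, notes) for the PIX NAT statements in config."""
    pools, nats, statics, notes = parse_pix(config)
    asa, ref = [], {}
    used_ids = {nat_id for _, nat_id, _ in nats if nat_id != 0}
    identity_nets = [net for _, nat_id, net in nats if nat_id == 0]

    for nat_id, (iface, mapped) in sorted(pools.items()):
        if nat_id not in used_ids:
            notes.append(f"global ({iface}) {nat_id} {mapped}: no nat statement uses id {nat_id}, dropped")
            continue
        lines, ref[nat_id] = mapped_object(mapped)
        asa += lines

    for iface, nat_id, net in nats:
        if nat_id == 0:
            notes.append(f"nat ({iface}) 0 {net}: identity NAT, no rule needed on 8.3+")
            continue
        if nat_id not in ref:
            notes.append(f"nat ({iface}) {nat_id} {net}: no global pool for id {nat_id}, dropped")
            continue
        asa += [f"object network {iface}-{net.network_address}-{net.prefixlen}",
                f" subnet {net.network_address} {net.netmask}",
                f" nat ({iface},{pools[nat_id][0]}) dynamic {ref[nat_id]}"]
        for ident in identity_nets:       # overlap with a nat 0: let the running PIX settle it
            if net.subnet_of(ident):
                notes.append(f"nat ({iface}) {nat_id} {net} overlaps nat 0 {ident}: "
                             "check 'show xlate' on the PIX to see which one it applied")

    for real_if, mapped_if, mapped_ip, real_ip, mask in statics:
        if mapped_ip == real_ip:
            notes.append(f"static ({real_if},{mapped_if}) {real_ip}: identity, no rule needed on 8.3+")
        elif mask != "255.255.255.255":
            notes.append(f"static ({real_if},{mapped_if}) {mapped_ip} {real_ip} {mask}: subnet static, convert by hand")
        else:
            asa += [f"object network static-{real_ip}", f" host {real_ip}",
                    f" nat ({real_if},{mapped_if}) static {mapped_ip}"]
    return asa, notes


# Constructed sample: global/nat/static lines taken from the PIX config posted in this thread.
PIX_SAMPLE = """\
global (outside) 1 192.168.5.251
global (outside) 2 interface
nat (inside) 1 172.16.32.0 255.255.255.0 0 0
nat (inside) 1 172.16.35.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.5.90 192.168.5.90 netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    lines, remarks = convert(PIX_SAMPLE)
    print("\n".join(lines))
    print("\n".join("! " + r for r in remarks))
```

For the config in this thread the only emitted rules are the two dynamic PAT entries for id 1; every other line ends up in the notes, which is the point: on a PIX with `nat 0 0.0.0.0 0.0.0.0` the notes are where the real decision sits, and `show xlate` on the PIX (translations to 192.168.5.251 present or not) tells you whether to paste the emitted rules or leave the ASA with no NAT at all.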