Cisco ASA Cleanup

I've been cleaning up my ASA after an old admin, and found a couple of lines that stumped me. I'd say I'm average on the Cisco stuff although I use ASDM instead of command line for most stuff, but I'll dump the CLI here for simplicity's sake. I'm pretty sure both of these are just default interface access stuff, but would like some clarification.

First is this
object network obj_any-03
 nat (inside,outside) dynamic obj-0.0.0.0

obj_any-03 is a network object IP 0.0.0.0 mask 0.0.0.0

Second is this
object network obj-192.168.0.0
 nat (inside,outside) dynamic interface

obj-192.168.0.0 is a network object 192.168.0.0 255.255.255.0 (which is the internal interface).
bhieb asked:
InteraX commented:
object network obj_any-03
 nat (inside,outside) dynamic obj-0.0.0.0
This translates the source address of anything arriving on the inside interface to the contents of object obj-0.0.0.0 when leaving the outside interface.

object network obj-192.168.0.0
 nat (inside,outside) dynamic interface 

This translates the source address of traffic with a source address in 192.168.0.0/24 arriving on the inside interface to the outside interface IP address when leaving the outside interface.
0
bhieb (Author) commented:
So is it necessary to have both? I ordered these two incorrectly, so since everything internally is on 192.168.0.0/24 it is getting translated to the outside IP, and the next rule is really not getting applied. Any reason not to just set it to 0.0.0.0 0.0.0.0 translated to outside IP? What is the best practice here?
0
InteraX commented:
Depends on the order they are applied in the NAT table. Have you tried issuing a sh nat command to see which one gets applied first?

I should also mention that I never use network object NAT. Twice NAT is MUCH more flexible.
0
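The ordering question can be checked against Cisco's documented rule for Section 2 (network object) NAT on ASA 8.3+: static rules before dynamic, then fewest real addresses first, then lowest real address, then object name; the order in which the rules were configured does not matter, and `show nat` remains the authoritative check on a live box. The Python model below is an added example, not code from the thread or from Cisco; it applies that ordering to the two rules posted above and also shows that a host in 192.168.1.x (which would exist after the planned /23 change) falls through to the stale 0.0.0.0 rule until that rule is removed.

```python
"""Model of ASA Section 2 (network object) NAT rule ordering.

Added example (not from the thread). Ordering as documented by Cisco:
static before dynamic; within each type, fewest real addresses first,
then lowest real address, then object name. Config order is irrelevant.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectNatRule:
    obj_name: str   # network object that carries the "nat" line
    real: str       # real (pre-NAT) subnet defined in the object
    kind: str       # "static" or "dynamic"
    mapped: str     # translated address/object, or "interface"

    def sort_key(self):
        net = ipaddress.ip_network(self.real)
        return (0 if self.kind == "static" else 1,
                net.num_addresses, int(net.network_address), self.obj_name)


def section2_order(rules):
    """Return rules in the order the ASA evaluates them, regardless of config order."""
    return sorted(rules, key=ObjectNatRule.sort_key)


def first_match(rules, src_ip):
    """Return the first Section 2 rule whose real subnet contains src_ip, or None."""
    ip = ipaddress.ip_address(src_ip)
    for rule in section2_order(rules):
        if ip in ipaddress.ip_network(rule.real):
            return rule
    return None


# The two rules from the thread, in the order the admin found them.
THREAD_RULES = [
    ObjectNatRule("obj_any-03", "0.0.0.0/0", "dynamic", "obj-0.0.0.0"),
    ObjectNatRule("obj-192.168.0.0", "192.168.0.0/24", "dynamic", "interface"),
]

if __name__ == "__main__":
    for rule in section2_order(THREAD_RULES):
        print(f"{rule.obj_name:18} {rule.real:16} -> {rule.mapped}")
    for host in ("192.168.0.5", "192.168.1.5"):  # second host is outside the /24
        print(host, "matches", first_match(THREAD_RULES, host).obj_name)
```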
bhieb (Author) commented:
These are the last 2 rules, and 192.168.0.0/24 is getting applied first. My question is should I just ditch that and change it to 0.0.0.0 0.0.0.0 (aka ANY) to OUTSIDE.

Seems like the goal here is to mask the internal IP so really only one or the other is necessary. Problem is I'm prepping to change the subnet to 192.168.0.0/23 to get more IPs and just want to know best practice regarding this.

Doing ANY --> OUTSIDE seems logical, but is that the best practice (last NAT rule of course).
0
InteraX commented:
There isn't really a best practice. It does sound like one is redundant. What is the content of obj-0.0.0.0?
0
bhieb (Author) commented:
obj-0.0.0.0 is a host object IP address 0.0.0.0

Seems like old and out of date (no surprise, this config has been upgraded since PIX days), and the last admin did no cleanup. Think I'll just use the 192.168.0.0/24 rule and modify it to reflect the new /23.
0
bhieb (Author) commented:
And obj-0.0.0.0 is only used in this NAT rule. I think it is safe to nuke it, with backup of course :)
0
InteraX commented:
Sounds like a sensible setup. Personally, I would change these to a twice NAT rule.

These are much more flexible and you can change the order a lot easier.
0
bhieb (Author) commented:
I'll look into it thanks!!
0