gbotts asked:

Firewall NAT ASA with 9.1

I'm currently using an FWSM and we are migrating to the ASA with 9.1 code.

The NAT is WAY different and I have some questions:


1)  To do a PAT to the outside, is it just

object network TEST123
 subnet x.x.x.0 255.255.255.0
nat (inside,outside) dynamic <external ip address/32>

2) To do NAT between two internal addresses:

object network TEST123
subnet x.x.x.0 255.255.255.0

object network TEST456
subnet y.y.y.0 255.255.255.0


object-group network INTERNAL
network object obj TEST123
network object obj  TEST456
nat (inside,dmz) source static INTERNAL INTERNAL destination z.z.z.0 net-to-net no-proxy-arp


3) To do Static NAT to outside

object network WEBSERVER1
host z.z.z.z
nat (dmz,outside) static <External IP of host>


Then to allow access to webserver

access-list out_in extended permit tcp any host z.z.z.z eq www



Any help would be appreciated..!!!  Thanks in advance

I wish Cisco would've NEVER changed this part of the IOS.. The new way is crappy and confusing....
Ken Boone

Yeah.. I hate it too.  I still don't see the benefits of this.  If you use the GUI it's not really a big deal, but the command line gets to be a real pain.  The fact that the object is listed in two different places in the config drives me nuts.  So it's listed near the top of the config for the definition of the host or subnet.. then it's down near the bottom for the NAT component.

Anyway, it's a whole different way of thinking about it.

Here is a link to a good guide that will show you examples.  This all changed when we went to 8.3.

https://supportforums.cisco.com/docs/DOC-9129
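
The three cases from the question, written out in 8.3+ syntax as an added example (not part of the original thread and not from the linked guide). All object names and addresses are constructed placeholders: 10.x ranges stand in for the internal subnets, 203.0.113.x for the external addresses, and the example assumes the ACL out_in is bound inbound on the outside interface.

```cisco
! Constructed example: names and addresses are placeholders.

! 1) Dynamic PAT of an inside subnet to one external address (object NAT).
!    The nat line is entered inside the object; "show run" prints the object
!    definition and its nat statement in two separate places.
object network INSIDE-NET-1
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic 203.0.113.10

! 2) No translation between internal networks and the DMZ (twice NAT,
!    identity form). Group members use "network-object object <name>", and
!    the destination side needs "static <real> <mapped>" with network objects.
object network INSIDE-NET-2
 subnet 10.2.2.0 255.255.255.0
object network INSIDE-NET-3
 subnet 10.2.3.0 255.255.255.0
object network DMZ-NET
 subnet 10.3.3.0 255.255.255.0
object-group network INTERNAL
 network-object object INSIDE-NET-2
 network-object object INSIDE-NET-3
nat (inside,dmz) source static INTERNAL INTERNAL destination static DMZ-NET DMZ-NET no-proxy-arp

! 3) Static NAT of a DMZ web server to an external address.
object network WEBSERVER1
 host 10.3.3.10
 nat (dmz,outside) static 203.0.113.20

! From 8.3 on, interface ACLs match the REAL (untranslated) address, so the
! permit names 10.3.3.10, not 203.0.113.20. Keep it to the one host and port.
access-list out_in extended permit tcp any host 10.3.3.10 eq www
access-group out_in in interface outside
```

`show nat detail` and `packet-tracer` on the ASA show which NAT rule and ACL entry a given flow actually matches after the migration.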
ASKER CERTIFIED SOLUTION
amatson78

This solution is only available to members.

Thank you much for the points, glad I helped.

Cheers, Alan
gbotts (ASKER)

I wanted to spread the points but somehow it only added to one... Very new to this thing..  Sorry guys....