Exemption in ASA 8.4

Posted on 2014-04-20
Last Modified: 2014-04-22
Hi Experts,
Here is an ASA 8.4 exemption question.

As we know, in the earlier versions its NAT and Global commands look like this:

nat (inside) 0 192.168.1.0 255.255.255.0
global (outside) 0 1.1.1.0 255.255.255.252

In ASA 8.4, it looks like this:

object network Local
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic 1.1.1.0 255.255.255.252

In the earlier versions we could use “0” for exemption, but in ASA 8.4 I cannot figure out how to exempt the net. Can anyone give some suggestions? Thank you.
Question by: EESky

Assisted Solution by: Hassan Besher (earned 250 total points)

Here is a sample:

object network LOCAL_LAN
 subnet 192.168.0.0 255.255.0.0
object network REMOTE_LAN
 subnet 172.16.0.0 255.255.0.0

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN

Accepted Solution by: Pete Long (earned 250 total points)


Author Closing Comment by: EESky

Excellent link, thank you!
 

Author Comment by: EESky

Cisco PIX/ASA 8.3 Command Changes
{NAT / Global / Access-List}

KB ID 0000247 Dtd 10/05/10

Problem

I posted to a forum the other day; the poster had a problem with their VPN. Basically my response was, "Your NAT statements look bizarre - what is this config from?" At this point I realised 8.3 had brought in some syntax changes. There are quite a few changes with the OS; this will touch on the things that I see on my clients' firewalls, so all eventualities are NOT covered. The main areas of change are NAT/PAT.

Warning: Before upgrading to version 8.3 (or newer) check you have enough RAM.

Solution

No More NAT and Global commands.

Basically there is no more global command, and we are now a lot more reliant on object groups.

If you are port forwarding (Static PAT) then the DNS rewrite will no longer work.

NAT 0 (or no nat) no longer exists.

OLD - Regular PAT - 1 External IP to many internal IP addresses

nat (inside) 1 0 0
global (outside) 1 interface

NEW - Regular PAT - 1 External IP to many internal IP addresses

object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

OLD - Static PAT (Port Forwarding)

access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq 3389
static (inside,outside) tcp interface www 10.254.254.5 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.254.254.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.254.254.5 3389 netmask 255.255.255.255

NEW - Static PAT (Port Forwarding)

access-list inbound extended permit tcp any object obj-10.254.254.5 eq smtp
access-list inbound extended permit tcp any object obj-10.254.254.5 eq www
access-list inbound extended permit tcp any object obj-10.254.254.5 eq 3389
object network obj-10.254.254.5
 host 10.254.254.5
object network obj-10.254.254.5-01
 host 10.254.254.5
object network obj-10.254.254.5-02
 host 10.254.254.5
object network obj-10.254.254.5
 nat (inside,outside) static interface service tcp www www
object network obj-10.254.254.5-01
 nat (inside,outside) static interface service tcp smtp smtp
object network obj-10.254.254.5-02
 nat (inside,outside) static interface service tcp 3389 3389

OLD - No NAT (seen mainly - but not always - on VPN traffic)

nat (inside) 0 access-list EXEMPT
access-list EXEMPT extended permit ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0

NEW - No NAT

object network obj-10.254.254.0
 subnet 10.254.254.0 255.255.255.0
object network obj-172.16.254.0
 subnet 172.16.254.0 255.255.255.0
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-172.16.254.0 obj-172.16.254.0

Note: For a full walkthrough on configuring VPNs with ASA version 8.3 and above see the following article:

Cisco ASA Site to Site VPN from CLI

Access Lists

For as long as I can remember, when you allowed access to an IP address on a PIX/ASA you allowed access to its translated IP address. NOW YOU DO NOT: you allow access to its "pre-translation" address.

OLD Access List and Static NAT

access-list inbound extended permit tcp any host 123.123.123.123 eq www
access-group inbound in interface outside
static (inside,outside) 123.123.123.123 10.254.254.5 netmask 255.255.255.255

NEW Access List and Static NAT

access-list inbound extended permit ip any host 10.254.254.5
access-group inbound in interface outside
object network obj-10.254.254.5
 host 10.254.254.5
 nat (inside,outside) static 123.123.123.123
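The "OLD - No NAT" to "NEW - No NAT" mapping in the pasted article (which is also the shape of Hassan Besher's answer) can be applied mechanically when migrating a config. The following Python script is an added example, not part of the original thread or of Pete Long's article: it reads a constructed pre-8.3 fragment, finds each `nat (ifc) 0 access-list NAME` exemption, and emits the object network definitions plus the twice-NAT `source static ... destination static ...` identity statements. The `obj-<network>` naming convention and the `outside` mapped interface name are assumptions.

```python
import ipaddress
import re

# Constructed pre-8.3 config fragment (sample input, not from a real device).
OLD_CONFIG = """
access-list EXEMPT extended permit ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list EXEMPT extended permit ip 10.254.254.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list EXEMPT
nat (inside) 1 0 0
global (outside) 1 interface
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

def obj_name(net, mask):
    """Name objects as the page's examples do: obj-<network address> (assumed convention)."""
    return f"obj-{ipaddress.IPv4Network((net, mask), strict=False).network_address}"

def convert_nat_exemption(config, outside="outside"):
    """Translate each 'nat (ifc) 0 access-list NAME' exemption into 8.3+ syntax:
    object network definitions followed by twice-NAT identity statements. Dynamic
    NAT/PAT lines (nat ... 1, global) are not exemptions and are left untouched.
    The mapped interface name is an assumption."""
    aces = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.setdefault(m.group(1), []).append(m.groups()[1:])
    objects, nats = [], []
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if not m:
            continue
        inside, acl = m.groups()
        for src, smask, dst, dmask in aces.get(acl, []):
            # One object per subnet, reused when several ACEs share it.
            for net, mask in ((src, smask), (dst, dmask)):
                entry = f"object network {obj_name(net, mask)}\n subnet {net} {mask}"
                if entry not in objects:
                    objects.append(entry)
            s, d = obj_name(src, smask), obj_name(dst, dmask)
            # Real == mapped on both sides: identity NAT, the 8.3+ form of 'nat 0'.
            nats.append(f"nat ({inside},{outside}) source static {s} {s} "
                        f"destination static {d} {d}")
    return objects + nats

if __name__ == "__main__":
    print("\n".join(convert_nat_exemption(OLD_CONFIG)))
```

Because these are manual (twice) NAT rules, they are evaluated before the object NAT rules such as the dynamic PAT in the question, which is what makes the exemption take precedence.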
