Solved

Exemption in ASA 8.4

Posted on 2014-04-20
644 Views
Last Modified: 2014-04-22
Hi Expert
Here is an ASA 8.4 exemption question.

As we know, in the earlier version its NAT and Global commands look like this:
#nat (inside) 0 192.168.1.0 255.255.255.0
#global (outside) 0 1.1.1.0 255.255.255.252

In ASA 8.4, it looks like this:
#object network Local
  subnet 192.168.1.0 255.255.255.0
  nat (inside,outside) dynamic 1.1.1.0 255.255.255.252

In the earlier version we could use "0" for exemption, but in ASA 8.4 I cannot figure out how to exempt the net. Can anyone give some suggestions? Thank you.
Question by:EESky
4 Comments
 

Assisted Solution

by:Hassan Besher
Hassan Besher earned 250 total points
ID: 40012049
Here is a sample:

object network LOCAL_LAN
subnet 192.168.0.0 255.255.0.0
object network REMOTE_LAN
subnet 172.16.0.0 255.255.0.0

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN
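A complete configuration for the question as asked, added here as an example and not taken from the thread: it keeps the asker's dynamic translation for Internet-bound traffic and adds the exemption as an identity rule in manual (twice) NAT, which is what replaced "nat 0 access-list" in 8.3 and later. The remote subnet 172.16.0.0/24, the object names and the pool range 1.1.1.1-1.1.1.2 are assumptions for illustration. Two details matter: the 8.3+ `dynamic` keyword takes a mapped object (or `interface`), not an inline subnet and mask, so the pool goes in its own object with a `range`; and the ASA evaluates Section 1 (manual NAT) before Section 2 (object NAT), so the identity rule takes precedence over the dynamic rule regardless of where it sits in the configuration. The `no-proxy-arp` and `route-lookup` keywords exist from 8.4(2) onward.

```cisco
! Added example (not from the thread). Assumed names: LOCAL_LAN, REMOTE_LAN,
! OUTSIDE_POOL; assumed VPN peer subnet 172.16.0.0/24.
!
object network LOCAL_LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE_LAN
 subnet 172.16.0.0 255.255.255.0
object network OUTSIDE_POOL
 range 1.1.1.1 1.1.1.2
!
! Section 1, manual (twice) NAT: identity translation = the old "nat 0".
! Source and destination map to themselves, so traffic for REMOTE_LAN keeps
! its real 192.168.1.x address and can enter the VPN tunnel.
! no-proxy-arp : do not answer ARP for the remote subnet on the outside.
! route-lookup : choose the egress interface from the routing table, not
!                from the mapped interface named in this rule.
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
!
! Section 2, object (auto) NAT: everything else from LOCAL_LAN is translated
! to the pool, falling back to PAT on the outside interface address when the
! two pool addresses are exhausted.
object network LOCAL_LAN
 nat (inside,outside) dynamic OUTSIDE_POOL interface
```

Within Section 1 the rules are matched top down, so if several identity rules exist, put the more specific source/destination pairs first; `show nat` prints the table in evaluation order with hit counts, which is the quickest way to confirm that VPN-bound traffic hits the identity rule and not the dynamic one.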
 

Accepted Solution

by: Pete Long (earned 250 total points)
ID: 40013305
 

Author Closing Comment

by:EESky
ID: 40016676
Excellent link, thank you !
 

Author Comment

by:EESky
ID: 40016680
Cisco PIX/ASA 8.3 Command Changes
{NAT / Global / Access-List}

KB ID 0000247 Dtd 10/05/10

Problem

I posted to a forum the other day; the poster had a problem with their VPN, and basically my response was, "Your NAT statements look bizarre - what is this config from?". At this point I realised 8.3 had brought in some syntax changes. There are quite a few changes with the OS; this will touch on the things that I see on my clients' firewalls, so all eventualities are NOT covered. The main areas of change are NAT/PAT.

Warning: Before upgrading to version 8.3 (or newer) check you have enough RAM.

Solution

No More NAT and Global commands.

Basically there is no more global command, and we are now a lot more reliant on object groups.

If you are port forwarding (Static PAT) then the dns re-write will no longer work.

NAT 0 (or no nat) no longer exists.

OLD - Regular PAT - 1 External IP to many internal IP addresses

nat (inside) 1 0 0
global (outside) 1 interface
NEW - Regular PAT - 1 External IP to many internal IP addresses

object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
OLD - Static PAT (Port Forwarding)

access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq 3389
static (inside,outside) tcp interface www 10.254.254.5 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.254.254.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.254.254.5 3389 netmask 255.255.255.255
NEW - Static PAT (Port Forwarding)

object network obj-10.254.254.5
host 10.254.254.5
nat (inside,outside) static interface service tcp www www
object network obj-10.254.254.5-01
host 10.254.254.5
nat (inside,outside) static interface service tcp smtp smtp
object network obj-10.254.254.5-02
host 10.254.254.5
nat (inside,outside) static interface service tcp 3389 3389
access-list inbound extended permit tcp any object obj-10.254.254.5 eq www
access-list inbound extended permit tcp any object obj-10.254.254.5 eq smtp
access-list inbound extended permit tcp any object obj-10.254.254.5 eq 3389
OLD - No NAT (seen mainly - but not always - on VPN traffic)

nat (inside) 0 access-list EXEMPT
access-list EXEMPT extended permit ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0
NEW - No NAT

object network obj-10.254.254.0
subnet 10.254.254.0 255.255.255.0
object network obj-172.16.254.0
subnet 172.16.254.0 255.255.255.0
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-172.16.254.0 obj-172.16.254.0
Note: For a full walkthrough on configuring VPNs with ASA version 8.3 and above see the following article:

Cisco ASA Site to Site VPN from CLI

Access Lists

For as long as I can remember, when you allowed access to an IP address on a PIX/ASA you allowed access to its translated IP address. NOW YOU DO NOT: you allow access to its "pre-translation address".

OLD Access List and Static NAT

access-list inbound extended permit tcp any host 123.123.123.123 eq www
access-group inbound in interface outside
static (inside,outside) 123.123.123.123 10.254.254.5 netmask 255.255.255.255
NEW Access List and Static NAT

access-list inbound extended permit tcp any host 10.254.254.5 eq www
access-group inbound in interface outside
object network obj-10.254.254.5
host 10.254.254.5
nat (inside,outside) static 123.123.123.123
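The checks a practitioner would run after converting the rules above to 8.3+ syntax, added here as an example and not part of the pasted article. Addresses follow the article's 10.254.254.0/24 and 172.16.254.0/24 examples; the VPN peer host 172.16.254.10, the Internet host 203.0.113.10 and the outside interface address 198.51.100.1 are assumed values.

```cisco
! Added example (not from the article). Assumed: 172.16.254.10 (VPN peer host),
! 203.0.113.10 (Internet client), 198.51.100.1 (outside interface address).
!
! 1. NAT table in evaluation order: Section 1 (manual), Section 2 (object),
!    Section 3 (manual after-auto). The identity rule for 10.254.254.0/24 to
!    172.16.254.0/24 must be listed in Section 1, above the obj_any interface
!    PAT in Section 2; translate_hits/untranslate_hits show which rule fires.
show nat detail
!
! 2. VPN-bound flow: the NAT phase of the trace should name the identity rule
!    and the source must leave as 10.254.254.5, not the outside address.
packet-tracer input inside tcp 10.254.254.5 1025 172.16.254.10 445 detailed
!
! 3. Internet-bound flow from the same host: the NAT phase should now show the
!    obj_any rule translating the source to the outside interface address.
packet-tracer input inside tcp 10.254.254.5 1026 203.0.113.10 80
!
! 4. Inbound port forward: in 8.3+ the trace performs UN-NAT before the ACL
!    check, and the "inbound" ACL must permit the REAL address 10.254.254.5.
packet-tracer input outside tcp 203.0.113.10 40000 198.51.100.1 80 detailed
!
! 5. Current translations for the host; the flag legend printed with the
!    output distinguishes static, identity and dynamic entries.
show xlate | include 10.254.254.5
```

If check 2 shows a dynamic translation instead of the identity rule, the exemption is either missing from Section 1 or is listed below a broader manual rule that matches first; if check 4 ends with the ACL dropping the packet, the access list is still written against the mapped (public) address.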
