Solved

Exemption in ASA 8.4

Posted on 2014-04-20
4
649 Views
Last Modified: 2014-04-22
Hi Expert
Here is an ASA 8.4 NAT exemption question.

As we know, in earlier versions its NAT and Global commands looked like this:
#nat (inside) 0 192.168.1.0 255.255.255.0
#global (outside) 0 1.1.1.0 255.255.255.252

In ASA 8.4, it looks like this:
#object network Local
  subnet 192.168.1.0 255.255.255.0
  nat (inside,outside) dynamic 1.1.1.0 255.255.255.252

In earlier versions we could use "0" for exemption, but in ASA 8.4 I cannot figure out how to exempt the net. Can anyone give some suggestions? Thank you.
0
Comment
Question by:EESky
4 Comments
 
LVL 6

Assisted Solution

by:Hassan Besher
Hassan Besher earned 250 total points
ID: 40012049
Here is a sample:

object network LOCAL_LAN
 subnet 192.168.0.0 255.255.0.0
object network REMOTE_LAN
 subnet 172.16.0.0 255.255.0.0

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN
0
 
LVL 57

Accepted Solution

by:Pete Long
Pete Long earned 250 total points
ID: 40013305
0
 

Author Closing Comment

by:EESky
ID: 40016676
Excellent link, thank you!
0
 

Author Comment

by:EESky
ID: 40016680
Cisco PIX/ASA 8.3 Command Changes
{NAT / Global / Access-List}

KB ID 0000247 Dtd 10/05/10

Problem

I posted to a forum the other day; the poster had a problem with their VPN, and basically my response was, "Your NAT statements look bizarre - what is this config from?". At this point I realised 8.3 had brought in some syntax changes. There are quite a few changes with the OS; this will touch on the things that I see on my clients' firewalls, so all eventualities are NOT covered. The main areas of change are NAT/PAT.

Warning: Before upgrading to version 8.3 (or newer) check you have enough RAM.

Solution

No More NAT and Global commands.

Basically there is no more global command, and we are now a lot more reliant on object groups.

If you are port forwarding (Static PAT) then the dns re-write will no longer work.

NAT 0 (or no nat) no longer exists.

OLD - Regular PAT - 1 External IP to many internal IP addresses

nat (inside) 1 0 0
global (outside) 1 interface

NEW - Regular PAT - 1 External IP to many internal IP addresses

object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

OLD - Static PAT (Port Forwarding)

access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq 3389
static (inside,outside) tcp interface www 10.254.254.5 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.254.254.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.254.254.5 3389 netmask 255.255.255.255

NEW - Static PAT (Port Forwarding)

object network obj-10.254.254.5
 host 10.254.254.5
 nat (inside,outside) static interface service tcp www www
object network obj-10.254.254.5-01
 host 10.254.254.5
 nat (inside,outside) static interface service tcp smtp smtp
object network obj-10.254.254.5-02
 host 10.254.254.5
 nat (inside,outside) static interface service tcp 3389 3389
access-list inbound extended permit tcp any object obj-10.254.254.5 eq smtp
access-list inbound extended permit tcp any object obj-10.254.254.5 eq www
access-list inbound extended permit tcp any object obj-10.254.254.5 eq 3389

OLD - No NAT (seen mainly - but not always - on VPN traffic)

nat (inside) 0 access-list EXEMPT
access-list EXEMPT extended permit ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0

NEW - No NAT

object network obj-10.254.254.0
 subnet 10.254.254.0 255.255.255.0
object network obj-172.16.254.0
 subnet 172.16.254.0 255.255.255.0
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-172.16.254.0 obj-172.16.254.0

Note: For a full walkthrough on configuring VPNs with ASA version 8.3 and above see the following article:

Cisco ASA Site to Site VPN from CLI

Access Lists

For as long as I can remember, when you allowed access to an IP address on a PIX/ASA you allowed access to its translated IP address. NOW YOU DO NOT: you allow access to its "pre-translation address".

OLD Access List and Static NAT

access-list inbound extended permit tcp any host 123.123.123.123 eq www
access-group inbound in interface outside
static (inside,outside) 123.123.123.123 10.254.254.5 netmask 255.255.255.255

NEW Access List and Static NAT

access-list inbound extended permit tcp any host 10.254.254.5 eq www
access-group inbound in interface outside
object network obj-10.254.254.5
 host 10.254.254.5
 nat (inside,outside) static 123.123.123.123
0
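The config below is an added, complete example written for this thread; it is not from the question, from Hassan Besher's answer or from Pete Long's article. It applies the same twice-NAT identity rule shown in the answer and in the "NEW - No NAT" section to the asker's own 192.168.1.0/24 network, alongside the dynamic PAT object from the question, and shows how to verify that the exemption actually wins. Assumptions: the far-side network is 172.16.0.0/16 (the question never names it), the outside PAT address is 1.1.1.1 (a single mapped host in 8.4 object NAT gives PAT; the question's inline subnet form is not accepted by the CLI), the interfaces are named inside and outside, and the unit runs 8.4(2) or later, which is when the route-lookup keyword was added.

```text
! ---- Section 2 (object NAT): everyday Internet traffic is PATed ----
object network PAT_ADDR
 host 1.1.1.1                                   ! assumed outside address
object network Local
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic PAT_ADDR

! ---- Objects for the identity (no-NAT) rule ----
object network Remote
 subnet 172.16.0.0 255.255.0.0                  ! assumed VPN peer network

! ---- Section 1 (twice NAT): the replacement for "nat (inside) 0 access-list" ----
! Section 1 rules are matched before Section 2, so anything from Local bound for
! Remote keeps its real source address and is never caught by the dynamic PAT
! rule above. Without this rule the VPN-bound packets would be PATed to 1.1.1.1,
! would no longer match the crypto ACL and would leave the box in the clear.
! no-proxy-arp: do not answer ARP on the outside for the mapped (= real) range.
! route-lookup: pick the egress interface from the routing table, not from the
!               interface pair in the rule (8.4(2)+).
nat (inside,outside) source static Local Local destination static Remote Remote no-proxy-arp route-lookup

! ---- Verification ----
! Rule order and hit counters; the identity rule must be listed in Section 1.
show nat detail
! Simulate one inside host talking to the remote LAN. The NAT phase in the
! output should show the identity rule and an unchanged source address.
packet-tracer input inside tcp 192.168.1.10 12345 172.16.0.10 80
! Compare with Internet-bound traffic, which should translate to 1.1.1.1.
packet-tracer input inside tcp 192.168.1.10 12345 198.51.100.10 80
```

The two packet-tracer runs are the quickest check: if the VPN-bound trace shows the source rewritten to 1.1.1.1, the identity rule is either missing or ordered after a broader twice-NAT rule, and traffic that should be encrypted is going out untranslated-but-unencrypted or being dropped at the peer.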
