Cisco ASA NAT Migration
Starting with ASA version 8.3, Cisco changed how NAT is configured and processed. Migrating the NAT configuration is therefore a required part of any firmware upgrade to 8.3 or later.
There are two things you need to know:
- All NAT is built around network (and service) objects. This makes changing IP addresses and renaming objects much easier than before.
- Access lists now match on the real (untranslated) IP addresses and ports, not on the mapped ones.
Cisco ASA ACL Migration
Pre 8.3 the ACL referenced the mapped IP address 1.2.3.4; after 8.3 it references the real IP address of the server, 172.16.1.120.

Pre 8.3 ACL
access-list acl-outside extended permit ip any host 1.2.3.4

After 8.3+ ACL
access-list acl-outside extended permit ip any host 172.16.1.120

A rule left written for the mapped address matches nothing after the upgrade: an intended permit fails closed, but an intended deny written that way stops blocking traffic. Whether the upgrade migrated the rules or you rewrote them by hand, review every rule that referenced a mapped address, then verify with show nat detail (translations and hit counts) and packet-tracer, for example packet-tracer input outside tcp 203.0.113.5 12345 1.2.3.4 80. Packet-tracer takes the packet as it arrives on the interface (mapped destination) and the ACCESS-LIST phase shows whether the rewritten rule matches.
Cisco ASA NAT Migration
During my migration I found the following examples helpful.
Regular Static NAT
Pre 8.3 NAT
static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255

After 8.3+ NAT
object network obj-10.1.1.6
 host 10.1.1.6
 nat (inside,outside) static 192.168.100.100

Pre 8.3 the static line lists the mapped address first and the real address second; after 8.3 the real address is the object and the mapped address follows the static keyword.
Regular Static PAT
Pre 8.3 NAT
static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255

After 8.3+ NAT
object network obj-10.1.1.16
 host 10.1.1.16
 nat (inside,outside) static 192.168.100.100 service tcp 8080 www

The service keyword takes the real port first (8080) and the mapped port second (www, i.e. 80); getting them the wrong way round silently publishes the wrong port.
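The mapping from a pre-8.3 static line to an 8.3+ object, and from an ACL written for the mapped address to one written for the real address and port, is mechanical enough to script. The following Python helper is an added example, not code from this page or from Cisco. Its function names and the sample lines (two statics and two ACEs reusing the page's addresses) are constructed here, and it covers only static one-to-one NAT and static PAT, not dynamic nat/global pairs or policy NAT.

```python
"""Migration helper (added example, not Cisco's or the page's code):
pre-8.3 'static' lines -> 8.3+ object NAT, plus rewriting ACEs that
matched on the mapped address/port so they match on the real one."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class StaticNat:
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str
    mask: str
    proto: Optional[str] = None        # "tcp"/"udp" for static PAT, None otherwise
    mapped_port: Optional[str] = None
    real_port: Optional[str] = None


def parse_static(line: str) -> StaticNat:
    """'static (real_if,mapped_if) [tcp|udp] MAPPED [MPORT] REAL [RPORT] netmask MASK'.
    Pre-8.3 syntax lists the mapped address before the real one."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "static":
        raise ValueError(f"not a static statement: {line!r}")
    real_if, mapped_if = tok[1].strip("()").split(",")
    rest = tok[2:]
    proto = rest.pop(0) if rest[0] in ("tcp", "udp") else None
    if proto:
        mapped_ip, mapped_port, real_ip, real_port, *rest = rest
    else:
        mapped_ip, real_ip, *rest = rest
        mapped_port = real_port = None
    if rest[:1] != ["netmask"] or len(rest) != 2:
        raise ValueError(f"missing netmask in {line!r}")
    return StaticNat(real_if, mapped_if, mapped_ip, real_ip, rest[1],
                     proto, mapped_port, real_port)


def to_object_nat(s: StaticNat) -> str:
    """8.3+ form: the real address is a network object and the nat line hangs
    off it. A net-to-net static needs a second object for the mapped subnet,
    because 'static' only takes an inline address for a single host."""
    out: list[str] = []
    if s.mask == "255.255.255.255":
        mapped = s.mapped_ip
        real_def = f" host {s.real_ip}"
    else:
        mapped = f"obj-{s.mapped_ip}"
        out += [f"object network {mapped}", f" subnet {s.mapped_ip} {s.mask}"]
        real_def = f" subnet {s.real_ip} {s.mask}"
    nat = f" nat ({s.real_if},{s.mapped_if}) static {mapped}"
    if s.proto:  # 'service' wants the REAL port first, then the mapped port
        nat += f" service {s.proto} {s.real_port} {s.mapped_port}"
    out += [f"object network obj-{s.real_ip}", real_def, nat]
    return "\n".join(out)


def rewrite_acl(line: str, statics: list[StaticNat]) -> str:
    """Turn 'host MAPPED [eq MPORT]' in an extended ACE into the real host/port.
    8.3+ evaluates ACLs on the untranslated packet, so an ACE that still names
    the mapped address matches nothing after the upgrade."""
    pat = {(s.mapped_ip, s.proto, s.mapped_port): s for s in statics if s.proto}
    one_to_one = {s.mapped_ip: s for s in statics
                  if not s.proto and s.mask == "255.255.255.255"}
    tok = line.split()
    action = next((k for k, t in enumerate(tok) if t in ("permit", "deny")), None)
    if action is None:
        return line
    proto = tok[action + 1]
    for i in range(len(tok) - 1):
        if tok[i] != "host":
            continue
        ip = tok[i + 1]
        port = tok[i + 3] if i + 3 < len(tok) and tok[i + 2] == "eq" else None
        if (ip, proto, port) in pat:            # static PAT: host and port change
            s = pat[(ip, proto, port)]
            tok[i + 1], tok[i + 3] = s.real_ip, s.real_port
        elif ip in one_to_one:                  # one-to-one static: host only
            tok[i + 1] = one_to_one[ip].real_ip
    return " ".join(tok)


def migrate(static_lines: list[str], acl_lines: list[str]) -> str:
    """Object NAT blocks first, then the rewritten ACEs."""
    statics = [parse_static(l) for l in static_lines]
    return "\n".join([to_object_nat(s) for s in statics]
                     + [rewrite_acl(a, statics) for a in acl_lines])


# Constructed sample input reusing the page's addresses (not a real config).
PRE_83_STATICS = [
    "static (inside,outside) 1.2.3.4 172.16.1.120 netmask 255.255.255.255",
    "static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255",
]
PRE_83_ACL = [
    "access-list acl-outside extended permit ip any host 1.2.3.4",
    "access-list acl-outside extended permit tcp any host 192.168.100.100 eq 80",
]

if __name__ == "__main__":
    print(migrate(PRE_83_STATICS, PRE_83_ACL))
```

An ACE that names a mapped address the script knows nothing about (for example a port on 192.168.100.100 that no static PAT covers) is left untouched, which is the right default: it has to be reviewed by hand rather than guessed at.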
Static Policy NAT
Pre 8.3 NAT
access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
static (inside,outside) 192.168.100.100 access-list NET1

After 8.3+ NAT
object network obj-10.1.2.27
 host 10.1.2.27
object network obj-192.168.100.100
 host 192.168.100.100
object network obj-10.76.5.0
 subnet 10.76.5.0 255.255.255.224
nat (inside,outside) source static obj-10.1.2.27 obj-192.168.100.100 destination static obj-10.76.5.0 obj-10.76.5.0

Policy NAT becomes twice (manual) NAT: the destination condition that used to live in the ACL is expressed as destination static with the same object on both sides, so the destination is matched but not translated.
Regular Dynamic PAT
Pre 8.3 NAT
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.168.100.100

After 8.3+ NAT
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
 nat (dmz,outside) dynamic 192.168.100.100
Regular Dynamic PAT-2
Pre 8.3 NAT
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 192.168.100.100
global (dmz) 1 192.168.1.1

After 8.3+ NAT
object network obj-10.1.2.0
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.2.0-01
 subnet 10.1.2.0 255.255.255.0
 nat (inside,dmz) dynamic 192.168.1.1

A network object can carry only one nat statement, so the same subnet is defined twice (obj-10.1.2.0 and obj-10.1.2.0-01), once per interface pair.
Regular Dynamic PAT-3
Pre 8.3 NAT
nat (inside) 1 0 0
global (outside) 1 interface

After 8.3+ NAT
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
Dynamic Policy NAT
Pre 8.3 NAT
object-group network og-net-src
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
object-group network og-net-dst
 network-object 192.168.200.0 255.255.255.0
object-group service og-ser-src
 service-object tcp gt 2000
 service-object tcp eq 1500
access-list NET6 extended permit object-group og-ser-src object-group og-net-src object-group og-net-dst
nat (inside) 10 access-list NET6
global (outside) 10 192.168.100.100

After 8.3+ NAT (og-net-src and og-net-dst are kept from the pre-8.3 configuration)
object network obj-192.168.100.100
 host 192.168.100.100
object service obj-tcp-range-2001-65535
 service tcp destination range 2001 65535
object service obj-tcp-eq-1500
 service tcp destination eq 1500
nat (inside,outside) source dynamic og-net-src obj-192.168.100.100 destination static og-net-dst og-net-dst service obj-tcp-range-2001-65535 obj-tcp-range-2001-65535
nat (inside,outside) source dynamic og-net-src obj-192.168.100.100 destination static og-net-dst og-net-dst service obj-tcp-eq-1500 obj-tcp-eq-1500

Each service-object in the old group becomes its own service object and its own nat line (tcp gt 2000 is written out as the range 2001-65535), because a twice NAT statement takes a single service object, not a group.
Policy Dynamic NAT (with multiple ACEs)
Pre 8.3 NAT
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.4.0 255.255.255.0
nat (inside) 1 access-list ACL_NAT
global (outside) 1 192.168.100.100

After 8.3+ NAT
object network obj-172.29.0.0
 subnet 172.29.0.0 255.255.0.0
object network obj-192.168.100.100
 host 192.168.100.100
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
 subnet 192.168.3.0 255.255.255.0
object network obj-192.168.4.0
 subnet 192.168.4.0 255.255.255.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.3.0 obj-192.168.3.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.4.0 obj-192.168.4.0
Outside NAT
Pre 8.3 NAT
global (inside) 1 10.1.2.30-10.1.2.40
nat (dmz) 1 10.1.1.0 255.255.255.0 outside
static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255

After 8.3+ NAT
object network obj-10.1.2.27
 host 10.1.2.27
 nat (inside,dmz) static 10.1.1.5
object network obj-10.1.2.30-10.1.2.40
 range 10.1.2.30 10.1.2.40
object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
 nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40

The outside keyword disappears: the (dmz,inside) interface pair already states the direction. The range object must be defined before the nat line that references it.
NAT & Interface PAT together
Pre 8.3 NAT
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
global (outside) 1 192.168.100.100-192.168.100.200

After 8.3+ NAT
object network obj-192.168.100.100_192.168.100.200
 range 192.168.100.100 192.168.100.200
object network obj-10.1.2.0
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic obj-192.168.100.100_192.168.100.200 interface

The range supplies the dynamic NAT pool; the trailing interface keyword is the PAT fallback once the pool is exhausted.
NAT & Interface PAT with additional PAT together
Pre 8.3 NAT
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 192.168.100.100-192.168.100.200
global (outside) 1 interface
global (outside) 1 192.168.100.210

After 8.3+ NAT
object network obj-192.168.100.100_192.168.100.200
 range 192.168.100.100 192.168.100.200
object network obj-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
object network second-pat
 host 192.168.100.210
object-group network dynamic-nat-pat
 network-object object obj-192.168.100.100_192.168.100.200
 network-object object second-pat
nat (inside,outside) dynamic dynamic-nat-pat interface

Here the mapped side is an object group: the range is the dynamic NAT pool, the single host is the additional PAT address, and interface is the final fallback.
Static NAT for a Range of Ports
Pre 8.3 NAT
Not possible. You had to write one static PAT statement per port or fall back to a static one-to-one NAT.

After 8.3+ NAT
Inside server 10.1.1.1 (real) is reachable from the outside as 10.2.2.2 (mapped); its real ports 10000-10010 are translated to 20000-20010.

object service ports
 service tcp source range 10000 10010
object service ports-xlate
 service tcp source range 20000 20010
object network server
 host 10.1.1.1
object network server-xlate
 host 10.2.2.2
nat (inside,outside) source static server server-xlate service ports ports-xlate

The service objects use source rather than destination because the rule is written from the server's (inside,outside) point of view, where the server's own ports are the source ports; the ASA applies the reverse translation to inbound connections automatically.
Cisco ASA: http://www.cisco.com/en/US/products/ps6120/index.html