NAT / PAT config conversion from PIX v6 to ASA Software 8.3 and above
malcybood
Hi folks,
I'm currently working on converting some PIX firewall configs to ASA, ahead of the kit arriving with the customer and I don't have a lab ASA to test this on.
Everything seems straightforward except NAT is implemented differently on 8.3 and I'm used to doing NAT in ASDM so just working this out. The scenario is that the PIX has 3 NAT groups which are mapped to 3 separate addresses, where multiple hosts are behind the NAT / PAT. Current config of the PIX is as follows:
global (outside) 1 10.50.50.38
global (outside) 2 10.50.50.39
global (outside) 3 10.50.50.49
nat (inside) 0 access-list no-nat-all
nat (inside) 2 Host_1 255.255.255.255 0 0
nat (inside) 2 Host_2 255.255.255.255 0 0
nat (inside) 2 Host_3 255.255.255.255 0 0
nat (inside) 1 Host_4 255.255.255.255 0 0
nat (inside) 1 Host_5 255.255.255.255 0 0
nat (inside) 1 Host_6 255.255.255.255 0 0
nat (inside) 1 Host_7 255.255.255.255 0 0
nat (inside) 3 Network_3 255.255.255.0 0 0
ASA Config
I'm looking at changing it to the following in ASA software version 8.3 - can anyone sanity check as I won't get the device until I'm on the customer site? Also is it easier to just do this in ASDM? Looks pretty easy from YouTube videos but rather have something to put on the box when I arrive at site NAT wise as opposed to working it out there!
############
Define NAT Objects (outside IP addresses)
############
object network NAT_1_outside_10.50.50.38
host 10.50.50.38
object network NAT_2_outside_10.50.50.39
host 10.50.50.39
object network NAT_3_outside_10.50.50.49
host 10.50.50.49
exit
############
Define NAT Objects (inside IP addresses)
############
object-group network NAT_1_Objects
network-object Host_4 255.255.255.255
network-object Host_5 255.255.255.255
network-object Host_6 255.255.255.255
network-object Host_7 255.255.255.255
nat (inside,outside) dynamic NAT_1_outside_10.50.50.38
object-group network NAT_2_Objects
network-object Host_1 255.255.255.255
network-object Host_2 255.255.255.255
network-object Host_3 255.255.255.255
nat (inside,outside) dynamic NAT_2_outside_10.50.50.39
object-group network NAT_3_Objects
network-object Network_1 255.255.255.0
nat (inside,outside) dynamic NAT_3_outside_10.50.50.49
cheers
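An added example, not part of the original post: in ASA 8.3 and later, an object NAT rule (`nat (real,mapped) dynamic ...`) is entered under an `object network`, one per real host or subnet, so this Python script maps each PIX `nat`/`global` pair to that form. The `name` lines and 192.168.x.x addresses are constructed, the `obj-` prefix is a hypothetical naming choice, and it assumes a single global address per NAT id (PAT).

```python
# Constructed sample: PIX lines from the post plus hypothetical `name` entries,
# because the real addresses behind Host_4 etc. are not given on the page.
SAMPLE_PIX = """\
name 192.168.1.14 Host_4
name 192.168.1.15 Host_5
name 192.168.3.0 Network_3
global (outside) 1 10.50.50.38
global (outside) 3 10.50.50.49
nat (inside) 0 access-list no-nat-all
nat (inside) 1 Host_4 255.255.255.255 0 0
nat (inside) 1 Host_5 255.255.255.255 0 0
nat (inside) 3 Network_3 255.255.255.0 0 0
nat (inside) 2 Host_1 255.255.255.255 0 0
"""

def convert(pix_config, mapped_ifc="outside"):
    """Return (asa_lines, notes) for PIX v6 nat/global pairs as 8.3+ object NAT."""
    names, pools, rules, notes = {}, {}, [], []
    for line in pix_config.splitlines():
        tok = line.split()
        if len(tok) == 3 and tok[0] == "name":
            names[tok[2]] = tok[1]                      # name <ip> <alias>
        elif len(tok) >= 4 and tok[0] == "global":
            pools[(tok[1].strip("()"), tok[2])] = tok[3]
        elif len(tok) >= 5 and tok[0] == "nat":
            real_ifc, nat_id = tok[1].strip("()"), tok[2]
            if nat_id == "0":
                # NAT exemption is not a dynamic PAT rule; flag it for review
                notes.append("manual: " + line.strip())
            else:
                rules.append((real_ifc, nat_id, tok[3], tok[4]))
    asa = []
    for real_ifc, nat_id, real, mask in rules:
        mapped = pools.get((mapped_ifc, nat_id))
        if mapped is None:                              # nat id with no global
            notes.append("no global for nat id %s: %s" % (nat_id, real))
            continue
        addr = names.get(real, real)                    # resolve alias if known
        asa.append("object network obj-%s" % real)
        if mask == "255.255.255.255":
            asa.append(" host %s" % addr)
        else:
            asa.append(" subnet %s %s" % (addr, mask))
        asa.append(" nat (%s,%s) dynamic %s" % (real_ifc, mapped_ifc, mapped))
    return asa, notes

if __name__ == "__main__":
    asa_lines, review = convert(SAMPLE_PIX)
    print("\n".join(asa_lines + ["! " + n for n in review]))
```

The `nat (inside) 0 access-list` exemption and any NAT id without a matching `global` are returned as notes for manual conversion instead of being translated.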