PeteNetLive - KB0000247 - Cisco PIX/ASA 8.3 Command Changes {NAT / Global / Access-List}


	KB	0000247
	Dated	10/05/10
	Revision	0.05

Cisco PIX/ASA 8.3 Command Changes {NAT / Global / Access-List}

Problem
I posted to a forum the other day, the poster had a problem with their VPN, basically my response was, "Your Nat statements look bizarre - what is this config from?". At this point I realised 8.3 had brought in some syntax changes. There are quite a few changes with the OS, this will touch on the things that I see on my clients firewalls so all eventualities are NOT covered. the main areas of change are NAT/PAT. Warning: Before upgrading to version 8.3 (or newer) check you have enough RAM.
Solution
No More NAT and Global commands. Basically there is no more global command, and we are now a lot more reliant on object groups. If you are port forwarding (Static PAT) then the dns re-write will no longer work. NAT 0 (or no nat) no longer exists.
OLD - Regular PAT - 1 External IP to many internal IP addresses nat (inside) 1 0 0 global (outside) 1 interface NEW - Regular PAT - 1 External IP to many internal IP addresses object network obj_any subnet 0.0.0.0 0.0.0.0 nat (inside,outside) dynamic interface
OLD - Static PAT (Port Forwarding) access-list inbound extended permit tcp any interface outside eq smtp access-list inbound extended permit tcp any interface outside eq www access-list inbound extended permit tcp any interface outside eq 3389 static (inside,outside) tcp interface www 10.254.254.5 www netmask 255.255.255.255 static (inside,outside) tcp interface smtp 10.254.254.5 smtp netmask 255.255.255.255 static (inside,outside) tcp interface 3389 10.254.254.5 3389 netmask 255.255.255.255 NEW - Static PAT (Port Forwarding) access-list inbound extended permit tcp any object obj-10.254.254.5 eq smtp access-list inbound extended permit tcp any object obj-10.254.254.5 eq www access-list inbound extended permit tcp any object obj-10.254.254.5 eq 3389 object network obj-10.254.254.5 host 10.254.254.5 object network obj-10.254.254.5-01 host 10.254.254.5 object network obj-10.254.254.5-02 host 10.254.254.5 object network obj-10.254.254.5 nat (inside,outside) static interface service tcp www www
OLD - No NAT (seen mainly - but not always - on VPN traffic) nat (inside) 0 access-list EXEMPT access-list EXEMPT extended permit ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0 NEW - No NAT object network obj-10.254.254.0 subnet 10.254.254.0 255.255.255.0 object network obj-172.16.254.0 subnet 172.16.254.0 255.255.255.0 nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-172.16.254.0 obj-172.16.254.0 Note: For a full walkthorugh on configuring VPNs with ASA version 8.3 and above see the following article: Cisco ASA Site to Site VPN from CLI
Access Lists For as long as I can remember when you allowed access to an IP address on a PIX/ASA you allowed access to its translated IP address, NOW YOU DO NOT, you allow access to its "Pre-translation address"
OLD Access List and Static NAT access-list inbound extended permit ip any host 123.123.123.123 eq www access-group inbound in interface outside static (inside,outside) 123.123.123.123 10.254.254.5 netmask 255.255.255.255 NEW Access List and Static NAT access-list inbound extended permit ip any host 10.254.254.5 access-group inbound in interface outside object network obj-10.254.254.5 host 10.254.254.5 nat (inside,outside) static 123.123.123.123
*If this post helped you, PLEASE take the time to +1 it.* Please be aware, all information is provided free, but it does cost me to have this site hosted, if I've helped you in any way, or saved you some time/cost please take time to make a donation. If you have anything to add to an article, or have an article you would like us to publish please feel free to contact PeteNetLive. (Please be aware I get a LOT of email, I cannot assist and fix everyone's problems, please do not be offended if you do not get a response).
References - Credits - Or External Links
ASA - Memory Error (Post upgrade to version 8.3)

powered by
Socialbar