Command Changes to the 8.3 Version of the Cisco ASA and PIX

Issue: Cisco ASA 8.3 Command Changes

Affects: Cisco ASA version 8.3 and PIX version &

Solutions to the issue:


Main Changes

The main changes are on the NAT / Global / Access-List commands.

Basically, the global command is gone, and the configuration now relies much more on network objects and object groups.

If you are port forwarding (static PAT), DNS rewrite no longer works for that translation.

NAT 0 (NAT exemption, or "no NAT") no longer exists either. The examples below show the pre-8.3 syntax and the 8.3 syntax side by side:

1. Regular PAT – 1 External IP to many internal IP addresses

- Before 8.3 version

nat (inside) 1 0 0
global (outside) 1 interface

- 8.3 version

object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

2. Static : PAT (Port Forwarding)

- Before 8.3 version

access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq www
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255

- 8.3 version

object network obj-192.168.1.10
 host 192.168.1.10
 nat (inside,outside) static interface service tcp www www
object network obj-192.168.1.10-01
 host 192.168.1.10
 nat (inside,outside) static interface service tcp smtp smtp
access-list inbound extended permit tcp any object obj-192.168.1.10 eq www
access-list inbound extended permit tcp any object obj-192.168.1.10-01 eq smtp

3. No NAT (seen mainly – but not always – on VPN traffic)

- Before 8.3 version

access-list EXEMPT extended permit ip 192.168.1.0 255.255.255.0 66.67.70.0 255.255.255.0
nat (inside) 0 access-list EXEMPT

- 8.3 version

object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-66.67.70.0
 subnet 66.67.70.0 255.255.255.0
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-66.67.70.0 obj-66.67.70.0

4. Access Lists

For as long as I can remember, when you allowed access to an IP address on a PIX/ASA you allowed access to its translated IP address. NOW YOU DO NOT: from 8.3 on, you allow access to its “pre-translation” (real) address.

- Before 8.3 version

access-list inbound extended permit tcp any host 123.123.123.123 eq www
access-group inbound in interface outside
static (inside,outside) tcp 123.123.123.123 www 10.254.254.5 www netmask 255.255.255.255

- 8.3 version

object network obj-10.254.254.5
 host 10.254.254.5
 nat (inside,outside) static 123.123.123.123 service tcp www www
access-list inbound extended permit tcp any object obj-10.254.254.5 eq www
access-group inbound in interface outside
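
To illustrate the mapping that examples 2 and 4 describe, here is an added Python script (not from the original article and not Cisco's migration tool) that rewrites pre-8.3 static port-forward lines, together with the ACL entries that name their translated address, into 8.3 object NAT plus ACL entries against the real address. It handles only the static PAT form shown above; the regular expressions, the object naming scheme obj-REAL-PROTO-PORT and the sample configuration are assumptions constructed for the example.

```python
import re

# Constructed pre-8.3 fragment (same shape as the page's examples 2 and 4):
# two port forwards plus the ACL that permits them on the outside interface.
PRE_83_CONFIG = """\
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any host 123.123.123.123 eq www
access-group inbound in interface outside
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp 123.123.123.123 www 10.254.254.5 www netmask 255.255.255.255
"""

# static (real_if,mapped_if) {tcp|udp} MAPPED MAPPED_PORT REAL REAL_PORT netmask MASK
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mport>\S+) (?P<real>\S+) (?P<rport>\S+) netmask \S+$"
)
# access-list NAME extended permit {tcp|udp} SRC {interface IF | host ADDR} [eq PORT]
ACE_RE = re.compile(
    r"^(?P<prefix>access-list \S+ extended permit (?:tcp|udp) \S+) "
    r"(?P<dst>interface \w+|host \S+)(?P<rest>(?: eq (?P<port>\S+))?)$"
)


def parse_statics(config):
    """One dict per pre-8.3 static PAT line; anything else is ignored."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics.append(m.groupdict())
    return statics


def mapped_target(static):
    """The destination token a pre-8.3 ACE used for this static's mapped side."""
    if static["mapped"] == "interface":
        return "interface " + static["mapped_if"]
    return "host " + static["mapped"]


def convert(config):
    """Rewrite static PAT + ACL lines into 8.3 object NAT + real-address ACL.

    Returns (new_config, unresolved): unresolved holds ACEs that point at a
    'host'/'interface' destination with no matching static and need review.
    """
    objects, by_mapped = [], {}
    for s in parse_statics(config):
        # assumed naming scheme: one object per (real host, protocol, real port)
        name = f"obj-{s['real']}-{s['proto']}-{s['rport']}"
        objects.append(
            f"object network {name}\n"
            f" host {s['real']}\n"
            # 8.3 form: nat (real_if,mapped_if) static MAPPED service PROTO REAL_PORT MAPPED_PORT
            f" nat ({s['real_if']},{s['mapped_if']}) static {s['mapped']} "
            f"service {s['proto']} {s['rport']} {s['mport']}"
        )
        by_mapped[(mapped_target(s), s["mport"])] = name

    rewritten, unresolved = [], []
    for line in config.splitlines():
        line = line.strip()
        if not line or STATIC_RE.match(line):
            continue  # statics are superseded by the object NAT emitted above
        m = ACE_RE.match(line)
        if m:
            name = by_mapped.get((m.group("dst"), m.group("port")))
            if name:
                # 8.3: the ACL permits the pre-translation (real) address
                line = f"{m.group('prefix')} object {name}{m.group('rest')}"
            else:
                unresolved.append(line)
        rewritten.append(line)
    return "\n".join(objects + rewritten), unresolved


if __name__ == "__main__":
    new_cfg, todo = convert(PRE_83_CONFIG)
    print(new_cfg)
    for ace in todo:
        print("REVIEW:", ace)
```

Any ACE whose destination cannot be tied to a static is returned unchanged in the unresolved list rather than silently rewritten, because after the upgrade an entry that still names a translated address will simply stop matching traffic.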

References – Credits – Or External Links

Cisco ASA 5500 Migration Guide for Version 8.3

Note that if you want to upgrade your ASA to version 8.3, your current configuration will be migrated by Cisco's automated Real IP migration tool, which prints messages such as the following.

Warning

If an access-list used by these features is shared with per-user ACL
then the original access-list has to be recreated.

INFO: Note that identical IP addresses or overlapping IP ranges on
different interfaces are not detectable by automated Real IP migration.
If your deployment contains such scenarios, please verify your migrated
configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete
explanation of the automated migration process.
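
A practical check to run on the migrated configuration, picking up the two situations this page flags: an access-list entry that still names the translated address (which 8.3 no longer matches, per example 4), and objects whose real addresses overlap while being translated on different interfaces, which the INFO message above says the automated migration cannot detect. This Python audit is an added example, not Cisco's tool and not code from the original article; the configuration it parses is constructed for the example, and it understands only object NAT (not twice NAT) on host and subnet objects.

```python
import ipaddress
import re

# Constructed 8.3 configuration for the audit: two port forwards, a dynamic PAT
# object, and one ACE that was left pointing at the translated (mapped) address.
POST_83_CONFIG = """\
object network obj-10.254.254.5
 host 10.254.254.5
 nat (inside,outside) static 123.123.123.123 service tcp www www
object network obj-192.168.1.10
 host 192.168.1.10
 nat (dmz,outside) static interface service tcp smtp smtp
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
access-list inbound extended permit tcp any host 123.123.123.123 eq www
access-list inbound extended permit tcp any object obj-10.254.254.5 eq www
access-list inbound extended permit tcp any object obj-192.168.1.10 eq smtp
access-group inbound in interface outside
"""

# nat (real_if,mapped_if) {static|dynamic} MAPPED ...   (object NAT only)
NAT_RE = re.compile(
    r"^nat \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<kind>static|dynamic) (?P<mapped>\S+)"
)


def parse_objects(config):
    """Map object name -> {'net': ip_network, 'real_if': str, 'mapped': str|None}."""
    objects, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            cur = line.split()[2]
            objects[cur] = {"net": None, "real_if": None, "mapped": None}
            continue
        if cur is None or not raw.startswith(" "):
            cur = None  # an unindented line ends the object block
            continue
        if line.startswith("host "):
            objects[cur]["net"] = ipaddress.ip_network(line.split()[1])
        elif line.startswith("subnet "):
            _, addr, mask = line.split()
            objects[cur]["net"] = ipaddress.ip_network(f"{addr}/{mask}")
        else:
            m = NAT_RE.match(line)
            if m:
                objects[cur]["real_if"] = m.group("real_if")
                # only a static translation to a literal address yields a mapped IP
                if m.group("kind") == "static" and m.group("mapped") != "interface":
                    objects[cur]["mapped"] = m.group("mapped")
    return objects


def audit(config):
    """Return findings for ACEs naming a mapped address and for real networks
    that overlap across different real interfaces."""
    objs = parse_objects(config)
    mapped = {o["mapped"]: name for name, o in objs.items() if o["mapped"]}
    findings = []
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith("access-list "):
            continue
        for addr, name in mapped.items():
            if f"host {addr}" in line:
                findings.append(
                    f"stale-mapped-ace: '{line}' names mapped {addr}; 8.3 matches the "
                    f"real address, use 'object {name}'"
                )
    natted = [(n, o) for n, o in objs.items() if o["net"] and o["real_if"]]
    for i, (n1, o1) in enumerate(natted):
        for n2, o2 in natted[i + 1:]:
            if o1["real_if"] != o2["real_if"] and o1["net"].overlaps(o2["net"]):
                findings.append(
                    f"overlap-across-interfaces: {n1} ({o1['real_if']}) and "
                    f"{n2} ({o2['real_if']}) share real address space; verify manually"
                )
    return findings


if __name__ == "__main__":
    for finding in audit(POST_83_CONFIG):
        print(finding)
```

Run it against a copy of the migrated running configuration; the overlap finding is only a prompt for the manual verification the INFO message asks for, since the tool cannot tell which of the overlapping objects the migrated NAT rules were meant to apply to.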

Date of last update: 5-24-10

Author: Gaetan Barthelemy

IPSOFACTO
