Cisco ASA 8.3 Command Changes
Issue: Cisco ASA 8.3 Command Changes
Affects: Cisco ASA version 8.3 and PIX version &
Solutions to the issue:
Main Changes
The main changes are to the nat, global and access-list commands.
The global command no longer exists, and the configuration now relies far more on network objects.
If you are port forwarding (static PAT), DNS rewrite will no longer work.
NAT 0 (NAT exemption, or "no NAT") no longer exists. For example:
1. Regular PAT – 1 External IP to many internal IP addresses
- Before 8.3 version
nat (inside) 1 0 0
global (outside) 1 interface
- 8.3 version
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
2. Static PAT (Port Forwarding)
- Before 8.3 version
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq www
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255
- 8.3 version
object network obj-192.168.1.10
host 192.168.1.10
object network obj-192.168.1.10-01
host 192.168.1.10
access-list inbound extended permit tcp any object obj-192.168.1.10-01 eq smtp
access-list inbound extended permit tcp any object obj-192.168.1.10 eq www
object network obj-192.168.1.10
nat (inside,outside) static interface service tcp www www
object network obj-192.168.1.10-01
nat (inside,outside) static interface service tcp smtp smtp
3. No NAT (seen mainly – but not always – on VPN traffic)
- Before 8.3 version
nat (inside) 0 access-list EXEMPT
access-list EXEMPT extended permit ip 192.168.1.0 255.255.255.0 66.67.70.0 255.255.255.0
- 8.3 version
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-66.67.70.0
subnet 66.67.70.0 255.255.255.0
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-66.67.70.0 obj-66.67.70.0
4. Access Lists
For as long as I can remember, when you allowed access to an IP address on a PIX/ASA you permitted its translated (mapped) address. Now you do not: you permit its real, pre-translation address.
- Before 8.3 version
access-list inbound extended permit tcp any host 123.123.123.123 eq www
access-group inbound in interface outside
static (inside,outside) tcp 123.123.123.123 www 10.254.254.5 www netmask 255.255.255.255
- 8.3 version
object network obj-10.254.254.5
host 10.254.254.5
access-list inbound extended permit tcp any object obj-10.254.254.5 eq www
access-group inbound in interface outside
object network obj-10.254.254.5
nat (inside,outside) static 123.123.123.123 service tcp www www
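As an added illustration (not Cisco's Real IP migration tool and not part of the original page), the following Python script performs the three conversions shown in sections 2, 3 and 4 on a constructed pre-8.3 snippet built from the examples above: each static PAT line becomes a network object with its own nat statement (a second static for the same host gets a -01 suffix, because a network object can carry only one nat statement), the nat 0 exemption list becomes identity twice NAT, and inbound ACL entries are rewritten from the mapped address to the real address via the object keyword. The regular expressions, the obj- naming scheme and the assumption of a single-token ACL source such as any are my own choices.

```python
"""Toy converter from pre-8.3 PIX/ASA NAT syntax to the 8.3 object model.

Added illustration for this article; it is NOT Cisco's Real IP migration tool.
It handles only the three shapes the article shows:
  * static PAT  -> object NAT (one object per static line, -01/-02 suffixes)
  * nat 0 ACL   -> identity twice NAT (source static ... destination static ...)
  * inbound ACL -> rewritten to the real (pre-translation) address via `object`
Assumes a single-token ACL source (e.g. `any`) and a host netmask on `static`.
"""
import re

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mport>\S+) (?P<real>\S+) (?P<rport>\S+) netmask \S+$")
ACL_RE = re.compile(
    r"^(?P<head>access-list \S+ extended permit \S+ \S+ )"
    r"(?:host (?P<mapped>\S+)|interface \w+) eq (?P<port>\S+)$")
NAT0_RE = re.compile(r"^nat \((?P<real_if>\w+)\) 0 access-list (?P<acl>\S+)$")
EXEMPT_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit ip "
    r"(?P<src>\S+) (?P<smask>\S+) (?P<dst>\S+) (?P<dmask>\S+)$")


def convert(config):
    """Return 8.3 config lines: objects first, then ACLs, then NAT statements."""
    objects, acls, nats = [], [], []
    acl_target = {}      # (mapped host | 'interface', mapped port) -> object name
    seen_real = {}       # real host -> number of objects already created for it
    deferred_acls, exempt_acls, nat0 = [], [], {}

    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := STATIC_RE.match(line):
            n = seen_real.get(m["real"], 0)
            seen_real[m["real"]] = n + 1
            # one object per static line: obj-<real>, obj-<real>-01, ...
            name = f"obj-{m['real']}" + (f"-{n:02d}" if n else "")
            objects += [f"object network {name}", f" host {m['real']}"]
            # object NAT syntax: static <mapped> service <proto> <real_port> <mapped_port>
            nats += [f"object network {name}",
                     f" nat ({m['real_if']},{m['mapped_if']}) static {m['mapped']} "
                     f"service {m['proto']} {m['rport']} {m['mport']}"]
            acl_target[(m["mapped"], m["mport"])] = name
        elif m := NAT0_RE.match(line):
            nat0[m["acl"]] = m["real_if"]
        elif m := EXEMPT_RE.match(line):
            exempt_acls.append(m)
        elif ACL_RE.match(line):
            deferred_acls.append(line)   # rewritten once every static is known
        else:
            raise ValueError(f"unsupported line: {line}")

    # nat 0 exemption -> identity twice NAT between two subnet objects
    for m in exempt_acls:
        if m["name"] not in nat0:
            raise ValueError(f"ACL {m['name']} is not referenced by a nat 0 line")
        src, dst = f"obj-{m['src']}", f"obj-{m['dst']}"
        for name, net, mask in ((src, m["src"], m["smask"]), (dst, m["dst"], m["dmask"])):
            if f"object network {name}" not in objects:
                objects += [f"object network {name}", f" subnet {net} {mask}"]
        nats.append(f"nat ({nat0[m['name']]},any) source static {src} {src} "
                    f"destination static {dst} {dst}")

    # inbound ACL: mapped address -> real address, expressed through the object
    for line in deferred_acls:
        m = ACL_RE.match(line)
        key = (m["mapped"] or "interface", m["port"])
        if key not in acl_target:
            raise ValueError(f"no static translation for ACL entry: {line}")
        acls.append(f"{m['head']}object {acl_target[key]} eq {m['port']}")
    return objects + acls + nats


# Constructed pre-8.3 sample, assembled from the article's own examples.
SAMPLE_PRE_83 = """
access-list inbound extended permit tcp any host 123.123.123.123 eq www
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq www
static (inside,outside) tcp 123.123.123.123 www 10.254.254.5 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255
nat (inside) 0 access-list EXEMPT
access-list EXEMPT extended permit ip 192.168.1.0 255.255.255.0 66.67.70.0 255.255.255.0
"""

if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_PRE_83)))
```

Objects are emitted before the access-list lines that reference them, since the ASA rejects an ACL entry naming an object that does not exist yet. The twice NAT line lands in NAT section 1 and is evaluated before the object NAT rules regardless of where it sits in the file, which is what preserves the old nat 0 exemption semantics.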
References – Credits – Or External Links
Cisco ASA 5500 Migration Guide for Version 8.3
Note that if you upgrade your ASA to version 8.3, your current configuration will be migrated automatically by Cisco's Real IP migration tool.
Warning
If an access-list used by these features is shared with per-user ACL
then the original access-list has to be recreated.
INFO: Note that identical IP addresses or overlapping IP ranges on
different interfaces are not detectable by automated Real IP migration.
If your deployment contains such scenarios, please verify your migrated
configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete
explanation of the automated migration process.
Date of last update: 5-24-10
Author: Gaetan Barthelemy