Problems importing pre 8.3 ASA dynamic NAT

  • lightofgood

    lightofgood - 2011-12-02


    Does anybody have problems importing pre 8.3 ASA dynamic NAT configurations into FWBuilder?
    The static NAT configuration can be imported fine, but it seems the importer doesn't recognize dynamic NAT configurations and hence silently ignores them during the import process.

    FWbuilder doesn't import the following NAT configurations:

    1. Dynamic PAT
    nat (inside) 1 0 0
    global (outside) 1 interface

    2. Dynamic Policy NAT
    object-group network og-net-src
    object-group network og-net-dst
    object-group service og-ser-src
       service-object tcp gt 2000
       service-object tcp eq 1500
    access-list NET6 extended permit object-group og-ser-src object-group og-net-src object-group og-net-dst
    nat (inside) 10 access-list NET6
    global (outside) 10

    3. Outside NAT
    global (inside) 1
    nat (dmz) 1 outside
    static (inside,dmz) netmask

    4. NAT and interface PAT together
    nat (inside) 1
    global (outside) 1 interface
    global (outside) 1

    5. NAT exemption

    More examples and details can be found on


  • Vadim Kurland

    Vadim Kurland - 2011-12-02

    ASA 8.3 has a new format for the nat commands and (as far as I know) does not use the global/nat/static commands anymore. Fwbuilder does not support import of the "new" nat commands yet, so if the configuration file you are trying to import says "ASA Version 8.3" at the top, fwbuilder won't import the nat configuration. It can, however, import global/nat/static commands if the version is <8.3.

  • lightofgood

    lightofgood - 2011-12-05

    Yes, you're correct that the old 8.2 global/nat/static commands aren't used the same way in version 8.3. In fact, the link I've given you shows a list of version 8.2 CLIs in the left column, and the equivalent CLI in version 8.3.

    However, the example CLIs I referenced in my post are all old version 8.2 CLIs. The static nat commands get imported correctly, but the different flavors of nat CLIs I've listed above do not get imported at all.

    For example, this version 8.2 nat command doesn't get imported:
    nat (inside) 1 0 0
    global (outside) 1 interface

  • Vadim Kurland

    Vadim Kurland - 2011-12-05

    You are right, there is a problem with the import of this specific "nat" command: it expects an IP address or access-list reference in the nat command where you have "0 0". It can import "global (outside) 1 interface" correctly.

  • lightofgood

    lightofgood - 2011-12-05

    I've tried it with:
    nat (inside) 1
    global (outside) 1 interface

    There are no parser errors while importing, but after the import the Firewall Builder GUI doesn't show any entries under the NAT tab.

  • Vadim Kurland

    Vadim Kurland - 2011-12-06

    The last configuration should work. Could you send me the config file you are trying to import?

  • lightofgood

    lightofgood - 2011-12-06

    ASA Version 8.2(1)

    !-- Configure the outside interface.

    interface eth1
    nameif outside
    security-level 0
    ip address
    !-- Configure the inside interface.
    interface eth2
    nameif inside
    security-level 100
    ip address
    ! NAT's
    nat (inside) 1
    global (outside) 1 interface
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ! Allow ssh
    access-list my-acl extended permit tcp any host eq 22 log
    ! Disable tftp
    access-list my-acl extended permit udp any host eq 69
    ! Default allow of rest
    access-list my-acl extended permit ip any any
    access-group my-acl in interface outside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    : end

  • Vadim Kurland

    Vadim Kurland - 2011-12-06

    Please change the order of the "global" and "nat" commands. The "nat" command refers to the global pool, so the parser expects to have the definition of the pool when it sees a reference to it.

  • lightofgood

    lightofgood - 2011-12-06

    Thanks vkurland! Switching the global and nat order works.

    I've verified cases 1-4 with the new ordering and they all work.

    The only exception is case #3, where the outside keyword is present:
    global (inside) 1
    nat (dmz) 1 outside
    static (inside,dmz) netmask

    If you remove the outside keyword, then it'll import as expected. The use of outside NAT is documented in It's essentially like a regular NAT from inside->outside but in the reverse direction, where now you're hiding the outside address from the inside network.

    It also seems that you can't import NAT exceptions:
    access-list EXEMPT permit ip any
    global (inside) 1
    nat (dmz) 1
    nat (dmz) 0 access-list EXEMPT

  • Vadim Kurland

    Vadim Kurland - 2011-12-06

    "nat outside" can be imported if it looks like this:

    nat (dmz) 2 outside 1000

    The parser expects another parameter that defines the maximum number of connections. This is probably a mistake, as this parameter is optional; I'll fix it.

    You are right, nat exemption import does not work right now.
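    The two importer problems raised in this thread, the order dependency between "nat" and "global" and the "outside" keyword requiring a max-connections value that is optional in the 8.2 syntax, are both cases of a one-pass parser silently dropping a NAT rule it cannot resolve. The example below is an added illustration, not fwbuilder's own importer: it parses only the nat and global statements of the pre-8.3 syntax, collects them in a first pass, resolves nat-to-global references by id in a second pass so command order no longer matters, treats the trailing connection limits as optional, and reports any rule it cannot resolve instead of discarding it. The sample configuration and its addresses are constructed for the example, including one deliberately dangling pool reference (id 99) to show the error path.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed 8.2-syntax sample covering the cases from the thread: nat before
# global, interface PAT plus a pool on one id, 'outside' with and without the
# optional max-connections value, policy NAT via ACL, exemption (id 0), and a
# deliberately dangling pool reference (id 99) to exercise the error path.
SAMPLE_CONFIG = """\
nat (inside) 1 0 0
global (outside) 1 interface
global (outside) 1 198.51.100.1-198.51.100.20
nat (dmz) 2 outside 1000
global (inside) 2 192.0.2.10
nat (dmz) 3 outside
global (inside) 3 192.0.2.11
nat (inside) 10 access-list NET6
global (outside) 10 198.51.100.30
nat (dmz) 0 access-list EXEMPT
nat (inside) 99 10.1.1.0 255.255.255.0
"""


@dataclass
class GlobalPool:
    iface: str
    pool_id: int
    spec: str                        # 'interface' or an address/range


@dataclass
class NatRule:
    iface: str
    nat_id: int
    source: Optional[tuple] = None   # (ip, mask); ('0', '0') means any
    acl: Optional[str] = None        # policy-NAT or exemption ACL
    outside: bool = False            # 'outside' NAT keyword present
    max_conns: Optional[int] = None  # optional trailing connection limit
    pools: list = field(default_factory=list)

    @property
    def kind(self) -> str:
        if self.nat_id == 0:
            return "exemption"
        return "policy" if self.acl else "dynamic"


def _parse_global(tokens):
    # global (<iface>) <id> {interface | ip[-ip] [netmask m]}
    spec = " ".join(tokens[3:]) or "<pool elided>"
    return GlobalPool(tokens[1].strip("()"), int(tokens[2]), spec)


def _parse_nat(tokens):
    # nat (<iface>) <id> [ip mask | access-list name] [outside] [max_conns [emb_limit]]
    rule = NatRule(iface=tokens[1].strip("()"), nat_id=int(tokens[2]))
    rest = tokens[3:]
    if rest and rest[0] == "access-list":
        rule.acl, rest = rest[1], rest[2:]
    elif len(rest) >= 2 and rest[0] != "outside":
        rule.source, rest = (rest[0], rest[1]), rest[2:]
    if rest and rest[0] == "outside":
        rule.outside, rest = True, rest[1:]
    limits = [int(t) for t in rest]  # every remaining token must be a limit
    if limits:
        rule.max_conns = limits[0]
    return rule


def import_nat(config_text):
    """Collect pools and rules first, then resolve nat -> global by id.

    Returns (rules, errors); an unresolvable rule lands in errors, not nowhere.
    """
    pools, pending, errors = {}, [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith(("!", ":")):
            continue                 # comments, ': end', blank lines
        try:
            if tokens[0] == "global":
                pool = _parse_global(tokens)
                pools.setdefault(pool.pool_id, []).append(pool)
            elif tokens[0] == "nat":
                pending.append(_parse_nat(tokens))
        except (IndexError, ValueError) as exc:
            errors.append(f"line {lineno}: cannot parse {raw!r} ({exc})")
    rules = []
    for rule in pending:
        rule.pools = pools.get(rule.nat_id, [])
        if rule.nat_id == 0 or rule.pools:   # id 0 never needs a pool
            rules.append(rule)
        else:
            errors.append(f"nat ({rule.iface}) {rule.nat_id}: no global pool "
                          f"with id {rule.nat_id}; rule not imported")
    return rules, errors


if __name__ == "__main__":
    imported, problems = import_nat(SAMPLE_CONFIG)
    for r in imported:
        print(r.kind, r.iface, r.nat_id, r.outside, r.max_conns, [p.spec for p in r.pools])
    print("\n".join(problems))
```

    Running the block on the sample imports five rules (id 1 resolving to both the interface PAT and the address pool) and reports the id 99 rule as an error; the same text with the nat and global lines swapped gives the identical result, which is the property a configuration importer needs so that a NAT rule is never lost without a visible message.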

