IT Solutions Blog | Trigon Technology

Current Articles | RSS Feed RSS Feed

IT Support | We Worry About ASA Changes So You Don't Have To.

- by Chad, "The Machine", Weaver

Alright, I think I have had enough time to wrap my head around the changes to the ASA code in the newest release to share some of the massive changes with you. The newest release is any code version 8.3 and higher. I've been configuring ASA and PIX firewalls and Cisco routers, so it took me a little bit of time to get the differences in structure between the ASA and PIX on one side and the routers on the other.

I had a great grasp on the concepts thanks to my time invested in those routers. When you work for a top-notch IT Support company serving the Philadelphia area, these things come in handy. But in this new release there is a curve ball when it comes to NAT. These changes are going to make the transition a little tough going, but I think as everyone gets used to this new way of doing things it will be second nature again very soon. Plus, I want to provide a few examples of the old way vs. the new way to get you started. One last thing before I jump into some examples: if you're planning on upgrading from 8.2 or below to 8.3, be advised there is a greater memory requirement that some ASAs sold previously will need to be upgraded to meet.

I want to give a quick explanation of the new way of doing things before we jump into some details and basic examples. The way we configure NAT now involves creating network objects to define the addresses being translated, and using the nat keyword inside the object to create the translation. This is done directly in the network object configuration rather than in the global configuration, as was the previous way.

Examples:

For the first example I want to go over the standard NAT for your inside addresses to a single public address, or a dynamic PAT.

The old commands looked something like this.

hostname(config)# global (outside) 1 1.1.1.1

hostname(config)# nat (inside) 1 192.168.1.0 255.255.255.0

This would translate the inside addresses of 192.168.1.0/24 to 1.1.1.1. The matching ID, 1, is what ties the nat statement to the global pool.

New commands:

hostname(config)# object network Inside-nat-object

hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0

hostname(config-network-object)# nat (inside,outside) dynamic 1.1.1.1

These commands produce the same result, but as you can see, where the "nat" configuration is made is also quite different from 8.2.

Let’s not forget an example of interface overload, or dynamic PAT using the outside interface.

hostname(config)# object network Inside-nat-object

hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0

hostname(config-network-object)# nat (inside,outside) dynamic interface

Same basic idea here: define what you are translating, then use the nat keyword to define how to translate it.

Next let's take a look at a couple of static NAT and PAT commands for different uses, and that should cover most basic configuration needs to get you started. I may do a follow-up post with a much more in-depth look at some of the more advanced configurations.

Example:

Mapping a single host IP to an external IP with a static NAT used to look like this (note that the old syntax lists the mapped address first, then the real address):

hostname(config)# static (inside,outside) 1.1.1.2 192.168.1.2 netmask 255.255.255.255

New:

hostname(config)# object network my-first-NAT

hostname(config-network-object)# host 192.168.1.2

hostname(config-network-object)# nat (inside,outside) static 1.1.1.2

To expand on this idea, if we want to translate a specific service, HTTP (TCP port 80) for this example, it would look like this:

hostname(config)# object network my-first-webnat

hostname(config-network-object)# host 192.168.1.2

hostname(config-network-object)# nat (inside,outside) static 1.1.1.2 service tcp 80 80

These examples can get you going in the right direction.
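As an added example (not from the post, and not a Cisco tool), here is a small Python helper that rewrites pre-8.3 `global`/`nat`/`static` lines into the 8.3 object-NAT form shown above. The object names it generates from the real address are an assumption, and the sample input is constructed from the post's own rules as they would appear in a running config.

```python
import re

def convert_legacy_nat(legacy_lines):
    """Rewrite pre-8.3 ASA NAT lines into 8.3+ object NAT.
    Handles the three shapes covered in the post:
      global (MAPPED_IFC) ID {addr | interface}
      nat (REAL_IFC) ID NETWORK MASK              -> dynamic PAT to the global
      static (REAL_IFC,MAPPED_IFC) MAPPED REAL netmask MASK
    Lines it does not understand are echoed as '!' comments so the
    migration never silently drops a rule.
    """
    globals_by_id = {}  # nat-id -> (mapped interface, mapped address)
    dynamic = []        # (nat-id, real interface, network, mask)
    out = []
    for raw in legacy_lines:
        line = raw.strip()
        if m := re.match(r"global \((\S+)\) (\d+) (\S+)", line, re.I):
            globals_by_id[m[2]] = (m[1], m[3])
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line, re.I):
            dynamic.append((m[2], m[1], m[3], m[4]))
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line, re.I):
            real_ifc, mapped_ifc, mapped, real, mask = m.groups()
            # Old syntax is mapped-then-real; the 8.3 object holds the REAL address.
            out.append(f"object network static-{real.replace('.', '-')}")
            out.append(f" host {real}" if mask == "255.255.255.255"
                       else f" subnet {real} {mask}")
            out.append(f" nat ({real_ifc},{mapped_ifc}) static {mapped}")
        elif line:
            out.append(f"! not converted: {line}")
    # Dynamic rules are emitted last so a 'global' listed after its 'nat' still pairs up.
    for nat_id, real_ifc, net, mask in dynamic:
        if nat_id not in globals_by_id:
            out.append(f"! no global for nat id {nat_id}: {net} {mask}")
            continue
        mapped_ifc, mapped = globals_by_id[nat_id]
        out.append(f"object network dynamic-{net.replace('.', '-')}")
        out.append(f" subnet {net} {mask}")
        out.append(f" nat ({real_ifc},{mapped_ifc}) dynamic {mapped}")
    return out

# Constructed sample: the post's old-style rules as they would appear in 'show run'.
LEGACY = [
    "global (outside) 1 1.1.1.1",
    "nat (inside) 1 192.168.1.0 255.255.255.0",
    "static (inside,outside) 1.1.1.2 192.168.1.2 netmask 255.255.255.255",
]

if __name__ == "__main__":
    print("\n".join(convert_legacy_nat(LEGACY)))
```

Review the emitted objects before pasting them in: the helper only knows the simple rule shapes above and comments out anything else rather than guessing.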

These are just some of the technical aspects you don't have to worry about with Trigon working for you. Who wants to worry about all that mumbo jumbo? Not you, friend. If you think you need Trigon to take a look at your network infrastructure, give us a call.

IT Support | The Cisco SDM is Dead.

- by Chad Weaver

Finally! I'm a little late to the party here, but it turns out the SDM is dead. I can hear you saying, "What in the world is that?" "Who cares?!"

Well, I do for one. And as your friendly local Philadelphia area IT Support company, it's only going to be good news for you.

The SDM was the Cisco GUI tool for managing routers. It was also known as the Security Device Manager. It will still be around for a while, but a couple of months back the official EoL announcement was made. Why am I so happy? Even being a command line guy, sometimes using the GUI is a bit easier, and for their other devices I have never had an issue getting it up and running, but that bad boy was always problems for me. Getting it loaded on the device seemed to take longer than any amount of time I used it for. There was also the fact that it seemed to have been written about 10 years ago and never updated again. So what are we using now?

The answer is that they developed a new tool called the Cisco Configuration Professional, which can be downloaded from the Cisco website, provided you have a login. I recently took this tool for a spin and I like what I see. While remarkably similar to the tool it is replacing, it was still easy to get set up and connected to a router quickly. I was viewing the configuration in a flash and all the interfaces were recognized! I can't say the same for the old SDM.

I do have one small complaint: the install was 150 Mb. That seems a bit excessive for this, but one install will hold you for all your routers, so I can let that slide. Other than the install size and getting the IPs configured, it was a breeze checking out the new tool, so much so that I decided to write about it. I know this isn't exciting for everyone, but for someone that truly loves networking and IT support, it is almost the most exciting thing I have learned today!

Great! If you'd like some more information on how Trigon can help dig the hole for your SDM, give us a buzz. Or, if you have no idea what any of this blog even meant, give us a buzz, too!
