Cisco ASA 8.2 to 9.x :: migrating :: part 3
Published 2015-12-28 at https://diablo.craem.net/?p=1190

Today it is the turn of NAT with port translation (static PAT) on the Cisco ASA 9.x.
Remember that from version 8.3 onward the whole NAT model on the ASA firewalls changed.
This time we want to open TCP ports 3389 and 443 towards the host 192.168.1.3. In version 8.2 it looked like this:

access-list outside_in permit tcp any any eq 3389
access-list outside_in permit tcp any any eq 443
access-group outside_in in interface outside
static (inside,outside) tcp interface 3389 192.168.1.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.1.3 443 netmask 255.255.255.255

The first two lines allow TCP ports 3389 and 443 into our LAN from any external address. The access-group applies those rules to the interface, and the statics perform the NAT translations directly... without the first three lines the traffic would be denied.

Now let's apply the same thing in version 9.x. We will see that it is a bit more cumbersome and that the syntax has been changed, so we have to pay a bit more attention and not get too comfortable 😉
This is the config:

! Real (inside) address of the server, referenced by the ACL
object network hst-192.168.1.3
 host 192.168.1.3
 description Server1.3
! Separate network object per translated port (one object, one static PAT rule)
object network hst-192.168.1.3_3389
 host 192.168.1.3
 description server1.3_3389
object-group service svcgrp-192.168.1.3 tcp
 port-object eq 443
object-group service svcgrp-192.168.1.3_3389 tcp
 port-object eq 3389
object-group service svcgrp-192.168.1.3_443 tcp
 port-object eq 443
object network hst-192.168.1.3-tcp443
 host 192.168.1.3
 description Server 443 Static PAT Object
! From 8.3 onward the ACL matches the real (untranslated) destination address
access-list outside_in extended permit tcp any object hst-192.168.1.3 object-group svcgrp-192.168.1.3_443
access-list outside_in extended permit tcp any object hst-192.168.1.3 object-group svcgrp-192.168.1.3_3389
access-group outside_in in interface outside
! Object NAT: map the outside interface port to the same port on the real host
object network hst-192.168.1.3-tcp443
 nat (inside,outside) static interface service tcp 443 443
object network hst-192.168.1.3_3389
 nat (inside,outside) static interface service tcp 3389 3389

I still have to test whether I can use one object-group in more than one line and save some typing.