
ASA 8.3 / 8.4 Dynamic NAT / PAT Migration Lab Guide - My Tech World http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-gui...


Mar 06

ASA 8.3/8.4 NAT Migration Lab Guide – Lab 1.2


Categories: ASA, GNS3, Security

by malikyounas

Main Post

http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-guide/

This lab is part of a series that details how to migrate NAT configurations from pre-8.3 ASA versions (8.2)
to ASA 8.3/8.4.

Lab 1.2 Setup

Dynamic NAT/PAT, Dynamic NAT/PAT Interface Overload, Dynamic Policy NAT/PAT Combined

Building on what we had before, let's add a few more subnets to the ISP router. I have also modified the ASA
config to add routes for these new subnets.

The device configurations and GNS3 topology can be downloaded from the following link if you want to
import them yourself.

http://www.mediafire.com/download.php?8l6dgrxjj5ga18n


NAT Policy

1. Configure the ASA so that the inside subnet 10.10.12.0/24 is translated to 30.30.30.1 when accessing the
subnet on the DMZ router.

2. Configure the ASA for the DMZ network so that any network for which no specific NAT is configured
first uses a range of IP addresses (192.168.100.205-210) for translation and, once those are exhausted, uses the
interface IP for translation. (I won't be able to fully verify this part, since exhausting the pool isn't easy, or at
least I can't do it in this lab.)

3. Configure the ASA for the DMZ network so that when the specific subnet 192.168.1.0/24 telnets to the ISP
subnet 12.12.12.0/24 it uses 192.168.100.204.

Pre ASA 8.3 Configuration

1.
! Interface names match the nameif (DMZ) shown in the verification output below.
nat (inside) 1 10.10.12.0 255.255.255.0
global (DMZ) 1 30.30.30.1

2.
! Pool 3 combines a range and the interface address: the range is used first,
! and interface PAT takes over once the range is exhausted.
nat (DMZ) 3 0.0.0.0 0.0.0.0
global (outside) 3 interface
global (outside) 3 192.168.100.205-192.168.100.210

3.
! The ACL name referenced by the nat statement and the destination subnet in the
! ACL must match the policy above (192.168.1.0/24 -> 12.12.12.0/24, TCP/23).
access-list POLICY-NAT-ACL-12 permit tcp 192.168.1.0 255.255.255.0 12.12.12.0 255.255.255.0 eq 23
nat (DMZ) 2 access-list POLICY-NAT-ACL-12
global (outside) 2 192.168.100.204

ASA 8.3/8.4 Configuration

1. Starting with the objects again. This is not a policy NAT, so we configure an object for the source subnet
and include the NAT statement inside it (object NAT). The interface name is DMZ, matching the nameif shown
in the verification output below.

object network Inernal-10.10.12.0
 subnet 10.10.12.0 255.255.255.0
 nat (inside,DMZ) dynamic 30.30.30.1

2. Here we configure NAT so that any network for which there is no more specific translation is translated
using a range of IP addresses and, once that range is exhausted, using the interface IP. The range needs its own
network object; the trailing 'interface' keyword is the fallback to interface PAT.

object network DMZ-Destination-192.168.100.205-192.168.100.210
 range 192.168.100.205 192.168.100.210

object network DMZ-0.0.0.0
 subnet 0.0.0.0 0.0.0.0
 nat (DMZ,outside) dynamic DMZ-Destination-192.168.100.205-192.168.100.210 interface
3. This is policy NAT: the translation is applied on the basis of the protocol in use and of the source and
destination subnets, so it is written as a manual NAT statement (Section 1 in 'show nat') that references
separate source, destination and service objects.

object network DMZ-Source-192.168.1.0
 subnet 192.168.1.0 255.255.255.0


object network DMZ-Destination-12.12.12.0
 subnet 12.12.12.0 255.255.255.0

object network obj-192.168.100.204
 host 192.168.100.204

! Destination port only: the Telnet client's source port is ephemeral, so it
! must not be part of the match.
object service obj-telnet
 service tcp destination eq telnet

nat (DMZ,outside) source dynamic DMZ-Source-192.168.1.0 obj-192.168.100.204 destination static DMZ-Destination-12.12.12.0 DMZ-Destination-12.12.12.0 service obj-telnet obj-telnet
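As an added example, not part of the original lab, here is a small Python helper that does the item 1 and item 2 rewrites mechanically: every pre-8.3 nat/global pair sharing an id becomes a network object carrying its own nat statement, a range global becomes a separate range object, and a 'global ... interface' becomes the trailing interface keyword. The object naming (obj-<interface>-<network>) and the refusal to convert access-list policy NAT are this example's own choices, not the lab's.

```python
import re

def migrate_dynamic_nat(pre83: str, prefix: str = "obj") -> str:
    """Rewrite pre-8.3 'nat (real) id net mask' / 'global (mapped) id pool' pairs as
    8.3 object (auto) NAT. 'nat ... access-list' (policy NAT) is skipped on purpose:
    it becomes manual NAT, as in item 3 of this lab. Object names are this example's own."""
    nats, pools = [], {}                         # pools[(id, mapped_if)] -> ["interface", "a.b.c.d-w.x.y.z", ...]
    for raw in pre83.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line)
        if m and m[3] != "access-list":
            nats.append((m[1], int(m[2]), m[3], m[4]))
        m = re.fullmatch(r"global \((\S+)\) (\d+) (\S+)", line)
        if m:
            pools.setdefault((int(m[2]), m[1]), []).append(m[3])
    out = []
    for real_if, nat_id, net, mask in nats:
        net, mask = ("0.0.0.0" if v == "0" else v for v in (net, mask))   # 'nat (x) 1 0 0' shorthand
        targets = [k for k in pools if k[0] == nat_id]
        if len(targets) != 1:                    # object NAT allows exactly one nat line per object
            raise ValueError(f"nat id {nat_id}: expected one mapped interface, got {len(targets)}")
        mapped_if = targets[0][1]
        addrs = [p for p in pools[targets[0]] if p != "interface"]
        if len(addrs) > 1:                       # several pool addresses: merge by hand, do not guess
            raise ValueError(f"nat id {nat_id}: more than one mapped pool/address")
        words = []
        if addrs and "-" in addrs[0]:            # a range pool needs its own network object
            lo, hi = addrs[0].split("-")
            pool_obj = f"{prefix}-{lo}-{hi}"
            out += [f"object network {pool_obj}", f" range {lo} {hi}"]
            words.append(pool_obj)
        elif addrs:                              # a single mapped address can stay literal
            words.append(addrs[0])
        if "interface" in pools[targets[0]]:     # trailing keyword = fall back to interface PAT
            words.append("interface")
        obj = f"{prefix}-{real_if}-{net}"
        out += [f"object network {obj}", f" subnet {net} {mask}",
                f" nat ({real_if},{mapped_if}) dynamic {' '.join(words)}"]
    return "\n".join(out)

# Constructed input: items 1 and 2 of this lab's pre-8.3 configuration.
PRE83 = """\
nat (inside) 1 10.10.12.0 255.255.255.0
global (DMZ) 1 30.30.30.1
nat (DMZ) 3 0.0.0.0 0.0.0.0
global (outside) 3 interface
global (outside) 3 192.168.100.205-192.168.100.210
"""
if __name__ == "__main__":
    print(migrate_dynamic_nat(PRE83))
```

The output of the constructed input can be pasted next to the 8.3 configuration above and compared object by object; only the names differ.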

Verification

1. Use ‘show run object’ to see which objects are part of the running config.

ASA1# sh run object
object network Inernal-10.10.10.0
subnet 10.10.10.0 255.255.255.0
object network Inernal-10.10.11.0
subnet 10.10.11.0 255.255.255.0
object network Inernal-0.0.0.0
subnet 0.0.0.0 0.0.0.0
object network DMZ-Source-11.11.11.0
subnet 11.11.11.0 255.255.255.0
object network DMZ-Destination-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network obj-192.168.100.202
host 192.168.100.202
object network DMZ-Destination-192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network obj-192.168.0.202
host 192.168.0.202
object service obj-icmp
service icmp echo 0
object network Inernal-10.10.12.0
subnet 10.10.12.0 255.255.255.0
object network DMZ-Destination-12.12.12.0
subnet 12.12.12.0 255.255.255.0
object network obj-192.168.100.203
host 192.168.100.203
object service obj-telnet
service tcp destination eq telnet
object network DMZ-Source-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.100.204
host 192.168.100.204
object network DMZ-Destination-192.168.100.205-192.168.100.210
range 192.168.100.205 192.168.100.210
object network DMZ-0.0.0.0
subnet 0.0.0.0 0.0.0.0
2. Use ‘show run nat’ to see which NAT statements are configured.

ASA1# sh run nat
nat (DMZ,outside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.100.202 destination static
DMZ-Destination-192.168.100.0 DMZ-Destination-192.168.100.0
nat (DMZ,inside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.0.202 destination static
DMZ-Destination-192.168.0.0 DMZ-Destination-192.168.0.0
nat (DMZ,outside) source dynamic DMZ-Source-192.168.1.0 obj-192.168.100.204 destination static
DMZ-Destination-12.12.12.0 DMZ-Destination-12.12.12.0 service obj-telnet obj-telnet
!
object network Inernal-10.10.10.0
nat (inside,outside) dynamic interface
object network Inernal-10.10.11.0
nat (inside,outside) dynamic 192.168.100.200
object network Inernal-0.0.0.0
nat (inside,outside) dynamic 192.168.100.201
object network Inernal-10.10.12.0
nat (inside,DMZ) dynamic 30.30.30.1
object network DMZ-0.0.0.0
nat (DMZ,outside) dynamic DMZ-Destination-192.168.100.205-192.168.100.210 interface


3. Use the ‘show nat’ command to check the hit counters and translations.
ASA1# sh nat
Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.100.202 destination static
DMZ-Destination-192.168.100.0 DMZ-Destination-192.168.100.0
translate_hits = 0, untranslate_hits = 0
2 (DMZ) to (inside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.0.202 destination static
DMZ-Destination-192.168.0.0 DMZ-Destination-192.168.0.0
translate_hits = 0, untranslate_hits = 0
3 (DMZ) to (outside) source dynamic DMZ-Source-192.168.1.0 obj-192.168.100.204 destination static
DMZ-Destination-12.12.12.0 DMZ-Destination-12.12.12.0 service obj-telnet obj-telnet
translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)


1 (inside) to (outside) source dynamic Inernal-10.10.10.0 interface
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic Inernal-10.10.11.0 192.168.100.200
translate_hits = 0, untranslate_hits = 0
3 (inside) to (DMZ) source dynamic Inernal-10.10.12.0 30.30.30.1
translate_hits = 0, untranslate_hits = 0
4 (DMZ) to (outside) source dynamic DMZ-0.0.0.0 DMZ-Destination-192.168.100.205-192.168.100.210 interface
translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source dynamic Inernal-0.0.0.0 192.168.100.201
translate_hits = 0, untranslate_hits = 0

4. A ping from the inside subnet 10.10.12.0/24 is translated to 30.30.30.1 when it tries to reach the DMZ network.

Inside#ping
Protocol [ip]:
Target IP address: 11.11.11.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.12.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.12.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/40/68 ms

Let's see what we get on the DMZ network:

*Mar 1 14:50:24.103: IP: tableid=0, s=30.30.30.1 (FastEthernet1/0), d=11.11.11.1 (Loopback0), routed via RIB
*Mar 1 14:50:24.107: IP: s=30.30.30.1 (FastEthernet1/0), d=11.11.11.1, len 100, rcvd 4
*Mar 1 14:50:24.107: IP: s=30.30.30.1 (FastEthernet1/0), d=11.11.11.1, len 100, stop process pak for forus packet
*Mar 1 14:50:24.107: IP: s=11.11.11.1 (local), d=30.30.30.1 (FastEthernet1/0), len 100, sending
*Mar 1 14:50:24.107: IP: s=11.11.11.1 (local), d=30.30.30.1 (FastEthernet1/0), len 100, sending full packet

5. Ping from the DMZ router to 12.12.12.1. This should match the catch-all rule for the DMZ and be
translated to 192.168.100.205, the first IP in the range configured for the DMZ.

DMZ#ping 12.12.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/64/96 ms

Debug IP packet results on the ISP router:

*Mar 1 14:48:17.127: IP: tableid=0, s=192.168.100.205 (FastEthernet1/0), d=12.12.12.1 (Loopback0), routed via RIB
*Mar 1 14:48:17.131: IP: s=192.168.100.205 (FastEthernet1/0), d=12.12.12.1, len 100, rcvd 4

*Mar 1 14:48:17.135: IP: s=192.168.100.205 (FastEthernet1/0), d=12.12.12.1, len 100, stop process pak for forus packet
*Mar 1 14:48:17.139: IP: s=12.12.12.1 (local), d=192.168.100.205 (FastEthernet1/0), len 100, sending
*Mar 1 14:48:17.151: IP: s=12.12.12.1 (local), d=192.168.100.205 (FastEthernet1/0), len 100, sending full packet
*Mar 1 14:48:17.259: IP: s=192.168.100.205 (FastEthernet1/0), d=12.12.12.1, len 100, input feature, MCI Check(64), rtype 0, forus FALSE,

6. Now let's try to telnet from the DMZ router to 12.12.12.1.

DMZ#telnet 12.12.12.1
Trying 12.12.12.1 … Open
Password required, but none set

[Connection to 12.12.12.1 closed by foreign host]


That's fine; at least it tried to make a connection. Let's see which source IP address 12.12.12.1 sees this
request coming from.

*Mar 1 14:53:34.535: IP: tableid=0, s=192.168.100.204 (FastEthernet1/0), d=12.12.12.1 (Loopback0), routed via RIB
*Mar 1 14:53:34.539: IP: s=192.168.100.204 (FastEthernet1/0), d=12.12.12.1, len 40, rcvd 4
*Mar 1 14:53:34.543: IP: s=192.168.100.204 (FastEthernet1/0), d=12.12.12.1, len 40, stop process pak for forus packet
*Mar 1 14:53:34.547: IP: s=12.12.12.1 (local), d=192.168.100.204 (FastEthernet1/0), len 40, sending
*Mar 1 14:53:34.551: IP: s=12.12.12.1 (local), d=192.168.100.204 (FastEthernet1/0), len 40, sending full packet
