ASA 8.3 - 8.4 Dynamic NAT - PAT Migration Lab Guide - My Tech World
Mar 06
by malikyounas
http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-guide/
This lab is part of a series of labs detailing how to migrate NAT configurations from ASA 8.2 and earlier to ASA 8.3/8.4.
Lab1.2 Setup
Building on what we had before, let's add a few more subnets to the ISP router. I have also modified the ASA config to add routes for these new subnets.
The device configurations and GNS3 topology can be downloaded from the following link if you want to import them yourself.
http://www.mediafire.com/download.php?8l6dgrxjj5ga18n
NAT Policy
1. Configure the ASA so that the inside subnet 10.10.12.0/24 is translated to 30.30.30.1 when accessing the subnet on the DMZ router.
2. Configure the ASA for the DMZ network such that, for any network with no specific NAT configured, a range of IP addresses (192.168.100.205-210) is used for translations first, and once those are exhausted the interface IP is used for translation (I wouldn't be able to fully verify this, as exhausting the translation pool isn't easy, or at least I can't do it).
3. Configure the ASA for the DMZ network such that when the specific subnet 192.168.1.0/24 tries to Telnet to the ISP subnet 12.12.12.0/24, it uses 192.168.100.204.
1.
2.
nat (dmz) 3 0.0.0.0 0.0.0.0
global (outside) 3 interface
global (outside) 3 192.168.100.205-192.168.100.210
3.
access-list POLICY-NAT-ACL-12 permit tcp 192.168.1.0 255.255.255.0 12.12.12.0 255.255.255.0 eq 23
nat (dmz) 2 access-list POLICY-NAT-ACL-12
global (outside) 2 192.168.100.204
1. Starting with the objects again; however, this is not a policy NAT, so we configure an object for the source subnet and include the NAT statement along with it.
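The 8.3/8.4 equivalent of the three policies, as an added example rather than the lab's own configuration (which is not reproduced on this page): object NAT for policies 1 and 2, manual (twice) NAT for policy 3. The object names for policy 3 are the ones that appear in the 'show nat' output in the Verification section; the other object names and the 'DMZ' and 'inside' nameifs are assumptions.

```cisco
! Policy 1: inside 10.10.12.0/24 -> PAT to 30.30.30.1 towards the DMZ (object NAT).
! A single host as the mapped object means dynamic PAT, like a one-address global pool in 8.2.
object network obj-30.30.30.1
 host 30.30.30.1
object network INSIDE-10.10.12.0
 subnet 10.10.12.0 255.255.255.0
 nat (inside,DMZ) dynamic obj-30.30.30.1
!
! Policy 2: catch-all for the DMZ. The range object gives one-to-one dynamic NAT from
! 192.168.100.205-210; the trailing 'interface' keyword is what replaces the second
! 'global (outside) 3 interface' line (interface PAT once the pool is exhausted).
object network DMZ-NAT-POOL
 range 192.168.100.205 192.168.100.210
object network DMZ-ANY
 subnet 0.0.0.0 0.0.0.0
 nat (DMZ,outside) dynamic DMZ-NAT-POOL interface
!
! Policy 3: 192.168.1.0/24 telnetting to 12.12.12.0/24 is translated to 192.168.100.204.
! Source, destination and service all matter, so this must be manual NAT (Section 1),
! which is evaluated before any object NAT rule such as DMZ-ANY above.
object network DMZ-Source-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.100.204
 host 192.168.100.204
object network DMZ-Destination-12.12.12.0
 subnet 12.12.12.0 255.255.255.0
object service obj-telnet
 service tcp destination eq telnet
nat (DMZ,outside) source dynamic DMZ-Source-192.168.1.0 obj-192.168.100.204 destination static DMZ-Destination-12.12.12.0 DMZ-Destination-12.12.12.0 service obj-telnet obj-telnet
```

Without the 'interface' keyword on the DMZ-ANY rule, new connections are dropped once the six-address pool is used up instead of falling back to the outside interface address.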
Verification
1. Use 'show run object' to see which objects are part of the running config.
3. Use the 'show nat' command to check the hit counters and translations.
ASA1# sh nat
Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.100.202 destination static
DMZ-Destination-192.168.100.0 DMZ-Destination-192.168.100.0
translate_hits = 0, untranslate_hits = 0
2 (DMZ) to (inside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.0.202 destination static
DMZ-Destination-192.168.0.0 DMZ-Destination-192.168.0.0
translate_hits = 0, untranslate_hits = 0
3 (DMZ) to (outside) source dynamic DMZ-Source-192.168.1.0 obj-192.168.100.204 destination static
DMZ-Destination-12.12.12.0 DMZ-Destination-12.12.12.0 service obj-telnet obj-telnet
translate_hits = 0, untranslate_hits = 0
4. A ping from the inside subnet 10.10.12.0/24 is translated to 30.30.30.1 when it tries to reach the DMZ network.
Inside#ping
Protocol [ip]:
Target IP address: 11.11.11.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.12.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.12.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/40/68 ms
*Mar 1 14:50:24.103: IP: tableid=0, s=30.30.30.1 (FastEthernet1/0), d=11.11.11.1 (Loopback0), routed via RIB
*Mar 1 14:50:24.107: IP: s=30.30.30.1 (FastEthernet1/0), d=11.11.11.1, len 100, rcvd 4
*Mar 1 14:50:24.107: IP: s=30.30.30.1 (FastEthernet1/0), d=11.11.11.1, len 100, stop process pak for forus packet
*Mar 1 14:50:24.107: IP: s=11.11.11.1 (local), d=30.30.30.1 (FastEthernet1/0), len 100, sending
*Mar 1 14:50:24.107: IP: s=11.11.11.1 (local), d=30.30.30.1 (FastEthernet1/0), len 100, sending full packet
5. Ping from the DMZ router to 12.12.12.1; it should match the catch-all rule for the DMZ and be translated to 192.168.100.205, the first IP in the range configured for the DMZ.
DMZ#ping 12.12.12.1
*Mar 1 14:48:17.135: IP: s=192.168.100.205 (FastEthernet1/0), d=12.12.12.1, len 100, stop process pak for forus packet
*Mar 1 14:48:17.139: IP: s=12.12.12.1 (local), d=192.168.100.205 (FastEthernet1/0), len 100, sending
*Mar 1 14:48:17.151: IP: s=12.12.12.1 (local), d=192.168.100.205 (FastEthernet1/0), len 100, sending full packet
*Mar 1 14:48:17.259: IP: s=192.168.100.205 (FastEthernet1/0), d=12.12.12.1, len 100, input feature, MCI Check(64), rtype 0, forus FALSE,
DMZ#telnet 12.12.12.1
Trying 12.12.12.1 … Open
Password required, but none set