ASA 8.3 - 8.4 Dynamic NAT - PAT Overload Migration Lab Guide - Lab 1.0
XeruNetworks
Mar 06
by malikyounas
Main Post: http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-guide/
This lab is part of a series of labs that details how to migrate NAT
configurations from Pre ASA 8.2 versions to ASA 8.3/8.4.
Lab1.0 Setup
The firewall is configured with an open ACL to allow all connections through. This is because we don't want to
play with ACLs in this lab but to focus on NAT. We will work with ACLs at a later stage, when the topology gets a
bit more complex.
The device configurations and GNS3 topology can be downloaded from the following link if you want to
import them yourself.
http://www.mediafire.com/download.php?93bc24d9z76043a
NAT Policy
Now, in the good old days we would have used the following configuration to achieve our policy goals.
1.
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
2.
nat (inside) 2 10.10.11.0 255.255.255.0
global (outside) 2 192.168.100.200
3.
nat (inside) 3 0 0
global (outside) 3 192.168.100.201
1.
The first thing you do is create a network object for the subnet that you want to be translated. Under that
object you include the NAT statement.
2.
Now, to use a public IP instead of the interface IP, you do the same thing as in step 1 but replace the interface
keyword with the IP address.
3.
Here we create a catch-all object, so that any other IPs for which no NAT translation is already
configured are translated.
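The three steps above, as an added example that is not part of the original lab: a small Python script that pairs the legacy nat/global lines into rules, emits the equivalent 8.3+ network-object NAT, and shows which mapped address each of the lab's source IPs hits once the ASA orders auto NAT (section 2) rules by fewest real addresses first. Function names and the object names it generates are this example's own; the legacy lines are copied from the lab.

```python
import ipaddress
import re

# Legacy (pre-8.3) nat/global pairs taken from the lab above; rule 3 is the catch-all.
PAGE_LEGACY = """
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
nat (inside) 2 10.10.11.0 255.255.255.0
global (outside) 2 192.168.100.200
nat (inside) 3 0 0
global (outside) 3 192.168.100.201
"""
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")

def parse_legacy(config):
    """Pair nat and global lines by NAT id -> {id: (inside_if, network, outside_if, mapped)}."""
    nats, glbs = {}, {}
    for line in config.strip().splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            ifc, nid, ip, mask = m.groups()
            if ip == "0" and mask == "0":  # 'nat (inside) 3 0 0' means any source
                ip, mask = "0.0.0.0", "0.0.0.0"
            nats[nid] = (ifc, ipaddress.ip_network(f"{ip}/{mask}", strict=False))
            continue
        m = GLOBAL_RE.match(line.strip())
        if m:
            ifc, nid, mapped = m.groups()
            glbs[nid] = (ifc, mapped)
    return {n: (nats[n][0], nats[n][1], glbs[n][0], glbs[n][1]) for n in nats if n in glbs}

def to_object_nat(rules):
    """Emit the equivalent 8.3+ network-object (auto) NAT; object names are constructed here."""
    lines = []
    for _, (inside, net, outside, mapped) in sorted(rules.items()):
        name = "Internal-any" if net.prefixlen == 0 else f"Internal-{net.network_address}"
        lines += [f"object network {name}",
                  f" subnet {net.network_address} {net.netmask}",
                  f" nat ({inside},{outside}) dynamic {mapped}"]
    return "\n".join(lines)

def lookup(rules, src):
    """Mapped address a source hits: auto NAT checks dynamic rules with fewer real
    addresses first, so the 0.0.0.0/0 object is evaluated last with no manual ordering."""
    src = ipaddress.ip_address(src)
    order = sorted(rules.values(), key=lambda r: (r[1].num_addresses, int(r[1].network_address)))
    for _, net, _, mapped in order:
        if src in net:
            return mapped
    return None
```

Run `print(to_object_nat(parse_legacy(PAGE_LEGACY)))` to see the migrated configuration; `lookup` reproduces the three ping results from the verification section.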
Verification
1. Use ‘show run object’ to show the objects that we created in steps 1 & 2
Output:
ASA1# sh run object
object network Inernal-10.10.10.0
subnet 10.10.10.0 255.255.255.0
object network Inernal-10.10.11.0
subnet 10.10.11.0 255.255.255.0
2. Use ‘show run nat’ to get the NAT statements used in the running config
Output:
ASA1# sh run nat
!
object network Inernal-10.10.10.0
nat (inside,outside) dynamic interface
object network Inernal-10.10.11.0
nat (inside,outside) dynamic 192.168.100.200
Output:
ASA1# sh nat
Now that we have verified that the components are in place, let's start verification on the devices.
4. On the ISP router, use the command ‘debug ip packet’ to get an idea of what IP address the ISP sees when a packet hits its
interface.
5. Use an extended ping from the Inside router as follows to verify the first rule. The ISP router should now see the
firewall's outside interface IP (192.168.100.1) as the source of the ping. However, as we configured it and know,
the real source is the Loopback interface IP on the Inside router.
Inside#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/33/64 ms
6. Now let's try again, but this time with a different source IP. This time we will use Loopback 1, which should be
translated to IP 192.168.100.200. Let's try that and see where the ISP router thinks the packets are coming from.
Inside#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.11.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.11.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/35/60 ms
7. We had specific translation rules configured for two subnets; let's see what happens if we ping
from another subnet, which should be matched only by the catch-all (ANY) NAT rule on the firewall and translated to
192.168.100.201.
Inside#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.12.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.12.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 24/45/84 ms
8. Let's use the ‘show nat’ command to see whether the hit count is still the same or has increased.
ASA1# sh nat
2 comments
1 ping
1.
Jim
After I build the configuration as per the picture, I start the routers and ASA and get this:
ASA1: error from server 127.0.0.1:10525: 209-unable to start instance 'ASA1'
Does this have something to do with my Loopback Adapter?
1.
malikyounas
Nope, it has to do with qemu; the ASA is not starting properly. Check your GNS3 install and the ASA qemu options.
1. ASA 8.3/8.4 NAT Migration Lab Guide - My Tech World » My Tech World
[...] will have our labs on the following pattern Lab 1.0 – Dynamic NAT/PAT Overload Lab 1.1 –
Dynamic Policy NAT Lab 1.2 – Dynamic NAT/PAT, Dynamic NAT/PAT Interface [...]
© 2012 XeruNetworks.