
ASA 8.3 / 8.4 Dynamic NAT / PAT Overload Migration Lab Guide - Lab 1.0 http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-gui...


Mar 06

ASA 8.3/8.4 NAT Migration Lab Guide – Lab 1.0


Categories:

ASA, GNS3, Security

by malikyounas

Main Post

http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-guide/

This lab is part of a series of labs detailing how to migrate NAT
configurations from pre ASA 8.2 versions to ASA 8.3/8.4.

Lab 1.0 Setup

Dynamic NAT / PAT Overload


Three devices in total:
One router representing the internal networks
One ASA firewall where NAT is configured
One external router representing the ISP, which will be accessed by the internal networks after they are translated on the
firewall.

The firewall is configured with an open ACL to allow all connections through. This is because we don't want to
play with ACLs in this lab but to focus on NAT. We will work with ACLs at a later stage when the topology gets a
bit more complex.
The device configurations and GNS3 topology can be downloaded from the following link if you want to
import them yourself.

http://www.mediafire.com/download.php?93bc24d9z76043a


NAT Policy

To start with a very basic setup, we want to


1. Configure the ASA so that the inside network 10.10.10.0/24 uses Dynamic NAT Interface Overload (PAT) with the
firewall interface IP when accessing outside networks (ISP)
2. Configure the ASA so that the inside network 10.10.11.0/24 uses Dynamic NAT Overload (PAT) with a public IP (in
our case 192.168.100.200)
3. Dynamic Any Overload NAT (PAT): any remaining inside network will be translated to 192.168.100.3

Pre ASA 8.3 Configuration

In the good old days, we would have used the following configuration to achieve our policy goals.

1.
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface

2.
nat (inside) 2 10.10.11.0 255.255.255.0
global (outside) 2 192.168.100.200

3.
nat (inside) 3 0 0
global (outside) 3 192.168.100.201

ASA 8.3/8.4 Configuration

1.
The first thing to do is create a network object for the subnet that you want translated. Along with it,
you include the NAT statement as follows:

object network Inernal-10.10.10.0
subnet 10.10.10.0 255.255.255.0
nat (inside,outside) dynamic interface

2.
To use a public IP instead of the interface IP, do the same as in step 1 but replace 'interface'
with the IP address:

object network Inernal-10.10.11.0
subnet 10.10.11.0 255.255.255.0
nat (inside,outside) dynamic 192.168.100.200

3.
Here we create a catch-all object, so that any other IPs for which no NAT translation is already
configured are translated:

object network Inernal-0.0.0.0
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic 192.168.100.201
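As an added example (not code from the post or from Cisco), the Python script below automates the mapping shown in the three steps above: it parses pre-8.3 'nat'/'global' pairs and emits the equivalent 8.3/8.4 network objects, each carrying its own 'nat (inside,outside) dynamic ...' line. The LEGACY sample is the pre-8.3 configuration of this lab, embedded here as a constructed string; the 'Internal-<network>' object naming is this example's own convention, and only plain dynamic nat/global pairs are handled (no policy NAT, 'nat 0' exemptions or address ranges). Lines the converter does not understand raise an error instead of being skipped, so a mistyped keyword cannot silently drop a translation rule.

```python
"""Added example, not from the post: convert pre-8.3 ASA 'nat'/'global'
pairs into the 8.3/8.4 object NAT form. Handles only plain dynamic
nat/global pairs (no policy NAT, 'nat 0' exemptions or address ranges)."""
import ipaddress
import re

NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)$")
GLOBAL_RE = re.compile(r"^global\s*\((\S+)\)\s+(\d+)\s+(\S+)$")

# Constructed sample: the pre-8.3 configuration from this lab.
LEGACY = """\
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
nat (inside) 2 10.10.11.0 255.255.255.0
global (outside) 2 192.168.100.200
nat (inside) 3 0 0
global (outside) 3 192.168.100.201
"""


def parse_legacy(config):
    """Return ({nat_id: [(real_ifc, network)]}, {nat_id: (mapped_ifc, mapped)}).
    Any line the converter does not understand raises rather than being
    silently dropped, so a typo cannot quietly lose a translation rule."""
    nats, globals_ = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = NAT_RE.match(line)
        if m:
            real_ifc, nat_id, net, mask = m.groups()
            if net == "0" and mask == "0":  # 'nat (inside) 3 0 0' shorthand for any source
                net, mask = "0.0.0.0", "0.0.0.0"
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            nats.setdefault(int(nat_id), []).append((real_ifc, network))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            mapped_ifc, nat_id, mapped = m.groups()
            globals_[int(nat_id)] = (mapped_ifc, mapped)
            continue
        raise ValueError(f"unsupported line for this converter: {line!r}")
    return nats, globals_


def migrate(config):
    """Emit one network object per real subnet, each carrying its own
    'nat (real,mapped) dynamic ...' line; 'interface' and a single mapped
    IP both become PAT, exactly as in the three steps above."""
    nats, globals_ = parse_legacy(config)
    out = []
    for nat_id in sorted(nats):
        if nat_id not in globals_:
            raise ValueError(f"nat id {nat_id} has no matching global statement")
        mapped_ifc, mapped = globals_[nat_id]
        for real_ifc, network in nats[nat_id]:
            # Object naming 'Internal-<network>' is this example's own convention.
            name = f"Internal-{network.network_address}"
            out += [
                f"object network {name}",
                f" subnet {network.network_address} {network.netmask}",
                f" nat ({real_ifc},{mapped_ifc}) dynamic {mapped}",
            ]
    return "\n".join(out)


if __name__ == "__main__":
    print(migrate(LEGACY))
```

Running the script prints the three objects in the same form as the steps above; paste the output into the ASA only after checking that every legacy nat id found a matching global statement, since the converter stops with an error on the first id that has none.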

Verification

1. Use ‘show run object’ to list the objects we created in the steps above
Output:
ASA1# sh run object
object network Inernal-10.10.10.0
subnet 10.10.10.0 255.255.255.0
object network Inernal-10.10.11.0
subnet 10.10.11.0 255.255.255.0
object network Inernal-0.0.0.0
subnet 0.0.0.0 0.0.0.0

2. Use ‘show run nat’ to get the NAT statements used in the running config
Output:
ASA1# sh run nat
!
object network Inernal-10.10.10.0
nat (inside,outside) dynamic interface
object network Inernal-10.10.11.0
nat (inside,outside) dynamic 192.168.100.200
object network Inernal-0.0.0.0
nat (inside,outside) dynamic 192.168.100.201

3. Use ‘show nat’ to see the translations performed


Output:
ASA1# sh nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Inernal-10.10.10.0 interface
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic Inernal-10.10.11.0 192.168.100.200
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic Inernal-0.0.0.0 192.168.100.201
    translate_hits = 0, untranslate_hits = 0

Now that we have verified the components are in place, let's start verification on the devices.

4. On the ISP router, use the command ‘debug ip packet’ to get an idea of what source IP address the ISP sees when a packet hits its
interface
5. Use an extended ping from the Internal router as follows to verify the first rule. The ISP router should now see the
firewall outside interface IP (192.168.100.1) as the source of the ping, although, as we configured it, the real
source is the Loopback interface IP on the Inside router.

Inside#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/33/64 ms

ISP Router IP Packet Debug Output

*Feb 29 10:25:51.815: IP: tableid=0, s=192.168.100.1 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), routed via RIB
*Feb 29 10:25:51.819: IP: s=192.168.100.1 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), len 100, rcvd 3
*Feb 29 10:25:51.819: IP: s=192.168.100.1 (FastEthernet1/0), d=192.168.100.2, len 100, stop process pak for forus packet
*Feb 29 10:25:51.819: IP: s=192.168.100.2 (local), d=192.168.100.1 (FastEthernet1/0), len 100, sending
*Feb 29 10:25:51.819: IP: s=192.168.100.2 (local), d=192.168.100.1 (FastEthernet1/0), len 100, sending full packet
*Feb 29 10:25:51.839: IP: s=192.168.100.1 (FastEthernet1/0), d=192.168.100.2, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

6. Now let's try again, this time with a different source IP. We will use Loopback 1, which should be
translated to 192.168.100.200. Let's try that and see where the ISP router thinks the packets are coming from.

Inside#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.11.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.11.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/35/60 ms

ISP Router IP Packet Debug Output


*Feb 29 10:29:41.823: IP: tableid=0, s=192.168.100.200 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), routed via RIB
*Feb 29 10:29:41.823: IP: s=192.168.100.200 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), len 100, rcvd 3
*Feb 29 10:29:41.827: IP: s=192.168.100.200 (FastEthernet1/0), d=192.168.100.2, len 100, stop process pak for forus packet
*Feb 29 10:29:41.831: IP: s=192.168.100.2 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending
*Feb 29 10:29:41.835: IP: s=192.168.100.2 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending full packet
*Feb 29 10:29:41.859: IP: s=192.168.100.200 (FastEthernet1/0), d=192.168.100.2, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

As you can see above, the ISP router sees the packets coming from 192.168.100.200.

7. We had specific translation rules configured for the two other subnets; now let's see what happens if we ping
from another subnet, which should only be matched by the ANY NAT rule on the firewall and translated to
192.168.100.201.

Inside#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.12.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.12.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 24/45/84 ms

ISP Router IP Packet Debug Output

*Feb 29 13:56:35.455: IP: tableid=0, s=192.168.100.201 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), routed via RIB
*Feb 29 13:56:35.455: IP: s=192.168.100.201 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), len 100, rcvd 3
*Feb 29 13:56:35.455: IP: s=192.168.100.201 (FastEthernet1/0), d=192.168.100.2, len 100, stop process pak for forus packet
*Feb 29 13:56:35.455: IP: s=192.168.100.2 (local), d=192.168.100.201 (FastEthernet1/0), len 100, sending
*Feb 29 13:56:35.455: IP: s=192.168.100.2 (local), d=192.168.100.201 (FastEthernet1/0), len 100, sending full packet

8. Use the ‘show nat’ command to see whether the hit counts are still the same or have increased

ASA1# sh nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Inernal-10.10.10.0 interface
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic Inernal-10.10.11.0 192.168.100.200
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic Inernal-0.0.0.0 192.168.100.201
    translate_hits = 2, untranslate_hits = 1
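As an added example that is not part of the post, the Python below models the checks performed in steps 4 to 8: it derives the mapped address a given real source should get under this lab's Auto NAT rules (the 0.0.0.0/0 catch-all is consulted last because Auto NAT orders dynamic rules from the fewest real addresses to the most), confirms from ‘debug ip packet’ lines that the ISP router sees only the mapped address and never the real inside address, and parses ‘show nat’ to flag policies whose translate_hits are still zero. The debug lines and the show nat text are constructed samples modelled on the outputs in this lab; the outside interface IP 192.168.100.1 is the value given in step 5.

```python
"""Added example, not from the post: verify the lab's Auto NAT policy against
the ISP router's debug output and the ASA's 'show nat' hit counters.
Assumes the three rules from this lab and constructed sample outputs."""
import ipaddress
import re

# Auto NAT rules from this lab as (real network, mapped address); 'interface'
# means the ASA outside interface IP, which is 192.168.100.1 in step 5.
OUTSIDE_IF_IP = "192.168.100.1"
RULES = [
    ("10.10.10.0/24", "interface"),
    ("10.10.11.0/24", "192.168.100.200"),
    ("0.0.0.0/0", "192.168.100.201"),
]


def ordered_rules(rules):
    """Auto NAT (Section 2) matches dynamic rules from the fewest real addresses
    to the most, so a /24 is tried before the 0.0.0.0/0 catch-all whatever
    order the objects were configured in."""
    parsed = [(ipaddress.ip_network(net), mapped) for net, mapped in rules]
    return sorted(parsed, key=lambda r: (r[0].num_addresses, int(r[0].network_address)))


def expected_mapped(real_src, rules=RULES):
    """Mapped source the ISP should see for a real inside address, or None if
    no rule matches (the packet would leave untranslated)."""
    addr = ipaddress.ip_address(real_src)
    for net, mapped in ordered_rules(rules):
        if addr in net:
            return OUTSIDE_IF_IP if mapped == "interface" else mapped
    return None


# 'debug ip packet' lines carry "s=<src> (<intf>), d=<dst>"; constructed sample
# modelled on the step 6 output.
DEBUG_RE = re.compile(r"IP: s=(\d+\.\d+\.\d+\.\d+) \(\S+\), d=(\d+\.\d+\.\d+\.\d+)")
DEBUG_SAMPLE = """\
*Feb 29 10:29:41.823: IP: s=192.168.100.200 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), len 100, rcvd 3
*Feb 29 10:29:41.827: IP: s=192.168.100.200 (FastEthernet1/0), d=192.168.100.2, len 100, stop process pak for forus packet
*Feb 29 10:29:41.831: IP: s=192.168.100.2 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending
"""


def observed_sources(debug_text):
    """Distinct source addresses that appear in the debug lines."""
    return {m.group(1) for m in DEBUG_RE.finditer(debug_text)}


def translation_ok(real_src, debug_text, rules=RULES):
    """True when the ISP saw the expected mapped address and never the real
    inside address (a real address showing up here means NAT was bypassed)."""
    seen = observed_sources(debug_text)
    return expected_mapped(real_src, rules) in seen and real_src not in seen


# 'show nat' Auto NAT entries: a policy line followed by its hit counters;
# constructed sample copied from the step 8 output.
SHOW_NAT_RE = re.compile(
    r"^(\d+) \((\S+)\) to \((\S+)\) source dynamic (\S+) (\S+)\s*\n"
    r"\s*translate_hits = (\d+), untranslate_hits = (\d+)",
    re.MULTILINE,
)
SHOW_NAT_SAMPLE = """\
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Inernal-10.10.10.0 interface
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic Inernal-10.10.11.0 192.168.100.200
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic Inernal-0.0.0.0 192.168.100.201
    translate_hits = 2, untranslate_hits = 1
"""


def parse_show_nat(text):
    """One dict per Auto NAT policy with its sequence number and counters."""
    return [
        {"seq": int(m.group(1)), "real_obj": m.group(4), "mapped": m.group(5),
         "translate_hits": int(m.group(6)), "untranslate_hits": int(m.group(7))}
        for m in SHOW_NAT_RE.finditer(text)
    ]


def policies_without_hits(text):
    """Object names of policies that have not translated a single packet yet."""
    return [p["real_obj"] for p in parse_show_nat(text) if p["translate_hits"] == 0]


if __name__ == "__main__":
    for src in ("10.10.10.1", "10.10.11.1", "10.10.12.1"):
        print(src, "->", expected_mapped(src))
    print("10.10.11.1 translated as expected:", translation_ok("10.10.11.1", DEBUG_SAMPLE))
    print("policies with zero hits:", policies_without_hits(SHOW_NAT_SAMPLE))
```

To use it against a live lab, paste the ISP router's debug lines into DEBUG_SAMPLE and the ASA's ‘show nat’ output into SHOW_NAT_SAMPLE; translation_ok fails both when the mapped address is absent and when the real inside address leaks through, which is the case a defender most wants to catch.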


2 comments

1 ping

1. Jim
August 18, 2012 at 2:19 am (UTC 1)


After I build the configuration as per the picture, I start the routers and ASA and get this:
ASA1: error from server 127.0.0.1:10525: 209-unable to start instance 'ASA1'
Does this have something to do with my Loopback Adapter?

1. malikyounas
August 18, 2012 at 2:35 am (UTC 1)

Nope, it has to do with qemu. ASA is not starting properly; check your GNS3 install and ASA qemu options.

1. ASA 8.3/8.4 NAT Migration Lab Guide - My Tech World » My Tech World
March 13, 2012 at 8:35 pm (UTC 1)

[...] will have our labs on the following pattern Lab 1.0 – Dynamic NAT/PAT Overload Lab 1.1 –
Dynamic Policy NAT Lab 1.2 – Dynamic NAT/PAT, Dynamic NAT/PAT Interface [...]



Copyright

© 2012 XeruNetworks.
