
ASA 8.3 / 8.4 Double NAT / Source Destination NAT - My Tech World http://www.xerunetworks.com/2012/03/asa-8-38-4-double-natsource-de...


Mar 13

ASA 8.3 / 8.4 Double NAT / Source Destination NAT
Migration Lab Guide – Lab 1.4

Categories: ASA, GNS3, Security

by malikyounas

Main Post
http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-guide/

This lab is part of a series of labs that shows how to migrate NAT configurations from ASA 8.2 and earlier to ASA 8.3/8.4.

Lab 1.4 Setup

Double NAT/Source Destination NAT

We start with a fresh lab rather than building on the previous one, because the old configuration and topology had become too complex.

The device configurations and GNS3 topology can be downloaded from the following link if you want to import them yourself:

http://www.mediafire.com/download.php?u39jm62tlg1ha1z


NAT Policy

Outgoing (Inside -> ISP)

Source       Source Mapped     Destination       Destination Mapped
10.10.10.1   192.168.100.200   192.168.0.200     12.12.12.1

Incoming (ISP -> Inside)

Source       Source Mapped     Destination       Destination Mapped
12.12.12.1   192.168.0.200     192.168.100.200   10.10.10.1

1. Configure the ASA so that when inside address 10.10.10.1 tries to reach 192.168.0.200, NAT translates the source address (10.10.10.1) to 192.168.100.200 and the destination address (192.168.0.200) to 12.12.12.1. In the same way, when outside address 12.12.12.1 tries to reach 192.168.100.200, NAT translates the source address (12.12.12.1) to 192.168.0.200 and the destination address (192.168.100.200) to 10.10.10.1.

Pre ASA 8.3 Configuration

1.
access-list out-nat permit ip host 10.10.10.1 host 192.168.0.200

access-list in-nat permit ip host 12.12.12.1 host 192.168.100.200

static (inside,outside) 192.168.100.200 access-list out-nat

static (outside,inside) 192.168.0.200 access-list in-nat

ASA 8.3/8.4 Configuration

1. Again, start by configuring a network object for each IP address, then use a single nat statement that performs all four translations (source and destination, in both directions). Watch the argument order: after 'source static' the real object comes first and the mapped object second, but after 'destination static' the mapped object (192.168.0.200, the address the inside host targets) comes first and the real object (12.12.12.1) second. A static manual NAT rule is bidirectional, so the separate static (outside,inside) entry from the pre-8.3 configuration is no longer needed. One check to carry along with the migration: from 8.3 onwards interface access-lists are evaluated against real (untranslated) addresses, so an ACL that used to permit traffic to the mapped address 192.168.100.200 must now reference 10.10.10.1.

object network obj-outreal-12.12.12.1
host 12.12.12.1
object network obj-outmapped-192.168.100.200
host 192.168.100.200
object network obj-inreal-10.10.10.1
host 10.10.10.1
object network obj-inmapped-192.168.0.200
host 192.168.0.200

nat (inside,outside) source static obj-inreal-10.10.10.1 obj-outmapped-192.168.100.200 destination static obj-inmapped-192.168.0.200 obj-outreal-12.12.12.1
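To make the single-rule behaviour concrete, here is an added example (not code from the original post or from Cisco) that models the rule above in Python and pushes the lab's two pings through it in both directions. The addresses, interface names and object names are the lab's; the Packet and TwiceNatRule structures, the per-packet hit counters and the constructed non-matching packet to 8.8.8.8 are this example's own assumptions. It goes a little beyond the lab by mapping equal-sized subnets host-for-host, which is how a static rule between two /24 objects behaves.

```python
"""Twice NAT (source + destination) as one bidirectional rule.

Added example; not code from the original post or from Cisco. It models
the lab's single ASA 8.3/8.4 manual NAT rule

  nat (inside,outside) source static obj-inreal-10.10.10.1 obj-outmapped-192.168.100.200
      destination static obj-inmapped-192.168.0.200 obj-outreal-12.12.12.1

and pushes packets through it in both directions. Addresses and interface
names are the lab's; Packet, TwiceNatRule and the per-packet hit counters
are this example's own simplification of what the ASA does.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrives on (egress interface after apply())
    src: IPv4Address
    dst: IPv4Address


def static_map(addr: IPv4Address, real: IPv4Network, mapped: IPv4Network) -> IPv4Address:
    """One-to-one static mapping: keep the host offset, swap the network.

    For the lab's /32 objects this is a plain address swap; for equal-sized
    subnets it maps host N of the real network to host N of the mapped one.
    """
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("static NAT needs equal-sized real and mapped objects")
    return mapped.network_address + (int(addr) - int(real.network_address))


def map_address(addr: str, real: str, mapped: str) -> str:
    """String front end to static_map, e.g. map_address("10.10.10.7", "10.10.10.0/24", "192.168.100.0/24")."""
    return str(static_map(ip_address(addr), ip_network(real), ip_network(mapped)))


@dataclass
class TwiceNatRule:
    """nat (real_ifc,mapped_ifc) source static REAL_SRC MAPPED_SRC
                                 destination static MAPPED_DST REAL_DST

    Note the order: after 'source' the real object comes first, after
    'destination' the mapped object comes first.
    """
    real_ifc: str
    mapped_ifc: str
    real_src: IPv4Network
    mapped_src: IPv4Network
    mapped_dst: IPv4Network
    real_dst: IPv4Network
    translate_hits: int = 0    # forward (real -> mapped interface) matches
    untranslate_hits: int = 0  # reverse (mapped -> real interface) matches

    def apply(self, pkt: Packet) -> Packet:
        """Return the packet as it leaves the ASA; unchanged if the rule does not match."""
        if (pkt.ingress == self.real_ifc
                and pkt.src in self.real_src and pkt.dst in self.mapped_dst):
            self.translate_hits += 1
            return Packet(self.mapped_ifc,
                          static_map(pkt.src, self.real_src, self.mapped_src),
                          static_map(pkt.dst, self.mapped_dst, self.real_dst))
        # Reverse direction: the same rule matches, so no separate
        # static (outside,inside) entry is needed as it was before 8.3.
        if (pkt.ingress == self.mapped_ifc
                and pkt.src in self.real_dst and pkt.dst in self.mapped_src):
            self.untranslate_hits += 1
            return Packet(self.real_ifc,
                          static_map(pkt.src, self.real_dst, self.mapped_dst),
                          static_map(pkt.dst, self.mapped_src, self.real_src))
        return pkt


def lab_rule() -> TwiceNatRule:
    """The lab's rule, built from its four network objects."""
    return TwiceNatRule(
        real_ifc="inside", mapped_ifc="outside",
        real_src=ip_network("10.10.10.1/32"),         # obj-inreal-10.10.10.1
        mapped_src=ip_network("192.168.100.200/32"),  # obj-outmapped-192.168.100.200
        mapped_dst=ip_network("192.168.0.200/32"),    # obj-inmapped-192.168.0.200
        real_dst=ip_network("12.12.12.1/32"),         # obj-outreal-12.12.12.1
    )


def run_lab() -> dict:
    """Replay the lab's two pings (request and reply each) and report what each side sees."""
    rule = lab_rule()
    a = ip_address
    # Inside router pings 192.168.0.200 from 10.10.10.1; ISP replies to what it saw.
    req1 = rule.apply(Packet("inside", a("10.10.10.1"), a("192.168.0.200")))
    rep1 = rule.apply(Packet("outside", req1.dst, req1.src))
    # ISP router pings 192.168.100.200 from 12.12.12.1; Inside replies to what it saw.
    req2 = rule.apply(Packet("outside", a("12.12.12.1"), a("192.168.100.200")))
    rep2 = rule.apply(Packet("inside", req2.dst, req2.src))
    # Constructed packet the rule does not describe: it passes through untouched.
    other = Packet("inside", a("10.10.10.1"), a("8.8.8.8"))
    miss = rule.apply(other)
    return {
        "isp_sees_request": (str(req1.src), str(req1.dst)),
        "inside_sees_reply": (str(rep1.src), str(rep1.dst)),
        "inside_sees_request": (str(req2.src), str(req2.dst)),
        "isp_sees_reply": (str(rep2.src), str(rep2.dst)),
        "no_match_unchanged": miss == other,
        "translate_hits": rule.translate_hits,
        "untranslate_hits": rule.untranslate_hits,
    }


if __name__ == "__main__":
    for name, value in run_lab().items():
        print(f"{name}: {value}")
```

Running it shows the ISP side seeing 192.168.100.200 -> 12.12.12.1 and the Inside side seeing 192.168.0.200 -> 10.10.10.1, with both hit counters at 2 after the two ping exchanges, which is the picture the verification steps below confirm on the real devices.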

Verification

1. Use 'show run object' to check the objects we configured

ASA1# sh run object
object network obj-outreal-12.12.12.1
host 12.12.12.1
object network obj-outmapped-192.168.100.200
host 192.168.100.200
object network obj-inreal-10.10.10.1
host 10.10.10.1
object network obj-inmapped-192.168.0.200
host 192.168.0.200

2. Use 'show run nat' to verify the NAT configuration

ASA1# sh run nat
nat (inside,outside) source static obj-inreal-10.10.10.1 obj-outmapped-192.168.100.200 destination static obj-inmapped-192.168.0.200 obj-outreal-12.12.12.1


3. Use 'show nat' to check the hits against the rule. It is listed under "Manual NAT Policies (Section 1)" (manual/twice NAT rules in Section 1 are evaluated before the auto NAT rules in Section 2), and both counters are still zero because nothing has matched yet.

ASA1# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static obj-inreal-10.10.10.1 obj-outmapped-192.168.100.200 destination static obj-inmapped-192.168.0.200 obj-outreal-12.12.12.1
translate_hits = 0, untranslate_hits = 0

4. Let's use an extended ping from 10.10.10.1 to 192.168.0.200. We enable 'debug ip packet' on both the Inside and ISP routers to see the source and destination IP addresses each side observes (10.10.10.1 and 12.12.12.1 are Loopback0 addresses on the Inside and ISP routers respectively, as the debug output shows).

Inside#ping
Protocol [ip]:
Target IP address: 192.168.0.200
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.200, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/48/92 ms
Inside#
Inside#
Inside#
*Mar 12 15:19:15.986: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:19:15.986: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending full packet
*Mar 12 15:19:16.078: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 15:19:16.078: IP: tableid=0, s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1 (Loopback0), routed via RIB
*Mar 12 15:19:16.078: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, rcvd 4
*Mar 12 15:19:16.078: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, stop process pak for forus packet
*Mar 12 15:19:16.078: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:19:16.078: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending full packet
*Mar 12 15:19:16.098: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10

Let's see what the ISP router thinks

*Mar 12 15:19:16.138: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 15:19:16.142: IP: tableid=0, s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1 (Loopback0), routed via RIB
*Mar 12 15:19:16.146: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, rcvd 4
*Mar 12 15:19:16.150: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, stop process pak for forus packet
*Mar 12 15:19:16.154: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:19:16.158: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending full packet
*Mar 12 15:19:16.178: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
ISP#

As you can see above, the Inside router thinks it is pinging 192.168.0.200 and the reply comes from that same address. Likewise, the ISP router sees the ping request arriving from 192.168.100.200 and replies to that address.

5. Now try the same from the ISP router.

ISP#ping
Protocol [ip]:
Target IP address: 192.168.100.200
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 12.12.12.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.200, timeout is 2 seconds:
Packet sent with a source address of 12.12.12.1


!!!!
*Mar 12 15:25:52.686: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:25:52.690: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending full packet
*Mar 12 15:25:52.786: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 15:25:52.786: IP: tableid=0, s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1 (Loopback0), routed via RIB
*Mar 12 15:25:52.786: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, rcvd 4
*Mar 12 15:25:52.786: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, stop process pak for forus packet
*Mar 12 15:25:52.786: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:25:52.786: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending full packet
*Mar 12 15:25:52.822: IP: s=192.168.100.200 (FastEther!

Let's see what the Inside router makes of it

*Mar 12 15:25:52.870: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 15:25:52.874: IP: tableid=0, s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1 (Loopback0), routed via RIB
*Mar 12 15:25:52.878: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, rcvd 4
*Mar 12 15:25:52.882: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, stop process pak for forus packet
*Mar 12 15:25:52.882: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:25:52.882: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending full packet
*Mar 12 15:25:52.894: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Inside#

As the output above shows, the Inside router receives the ping request from 192.168.0.200 and replies to that same address.

6. The hit counters on the NAT rule confirm the same: translate_hits counts matches in the inside-to-outside (real to mapped) direction and untranslate_hits counts matches in the outside-to-inside (mapped to real) direction.


ASA1# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static obj-inreal-10.10.10.1 obj-outmapped-192.168.100.200 destination static obj-inmapped-192.168.0.200 obj-outreal-12.12.12.1
translate_hits = 2, untranslate_hits = 2
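Verification steps 3 and 6 both read 'show nat' by eye. On a box with more than one rule it is worth parsing that output, which the following added example does (it is not code from the original post or from Cisco). The sample text is constructed to follow the shape of the lab's 'show nat' output: a section header, a numbered rule line, then a 'translate_hits = N, untranslate_hits = N' line. The lab's own rule is rule 1 of Section 1; rules 2 and 3, their object names and every hit count are made up, and rule 2 is deliberately wrapped over two lines the way the lab's paste is, to show the parser re-joining it. The inbound_capable check assumes that a 'unidirectional' keyword would be echoed in the rule text like the other keywords are.

```python
"""Parse 'show nat' output and audit the rules it lists.

Added example; not code from the original post or from Cisco. The sample
below is constructed after the shape of the lab's 'show nat' output. Only
rule 1 of Section 1 is the lab's; the other rules and all hit counts are
made up.
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static obj-inreal-10.10.10.1 obj-outmapped-192.168.100.200 destination static obj-inmapped-192.168.0.200 obj-outreal-12.12.12.1
    translate_hits = 2, untranslate_hits = 2
2 (inside) to (outside) source static obj-10.10.10.50 obj-192.168.100.50 destination static
    obj-192.168.0.201 obj-12.12.12.2
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic obj-inside-net interface
    translate_hits = 1337, untranslate_hits = 0
"""

_SECTION = re.compile(r"^(?P<name>.+?) \(Section (?P<num>\d+)\)$")
_RULE = re.compile(r"^(?P<idx>\d+) \((?P<real>[^)]+)\) to \((?P<mapped>[^)]+)\) (?P<body>.+)$")
_HITS = re.compile(r"translate_hits = (?P<t>\d+), untranslate_hits = (?P<u>\d+)")


@dataclass
class NatRule:
    section: int
    index: int
    real_ifc: str
    mapped_ifc: str
    body: str            # everything after "(real) to (mapped)", continuation lines joined
    translate_hits: int
    untranslate_hits: int

    @property
    def inbound_capable(self) -> bool:
        """Static source rules are bidirectional unless 'unidirectional' is set,
        so the mapped address is reachable from the mapped interface (assumes
        the keyword is echoed in the rule text, as the other keywords are)."""
        return self.body.startswith("source static") and "unidirectional" not in self.body


def parse_show_nat(text: str) -> List[NatRule]:
    """Turn 'show nat' text into NatRule records, re-joining wrapped rule lines."""
    rules: List[NatRule] = []
    section = 0
    pending = None  # [idx, real_ifc, mapped_ifc, body_parts] until its hits line arrives
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            section = int(m.group("num"))
            pending = None
            continue
        m = _RULE.match(line)
        if m:
            pending = [int(m.group("idx")), m.group("real"), m.group("mapped"), [m.group("body")]]
            continue
        m = _HITS.search(line)
        if m and pending is not None:
            idx, real, mapped, parts = pending
            rules.append(NatRule(section, idx, real, mapped, " ".join(parts),
                                 int(m.group("t")), int(m.group("u"))))
            pending = None
            continue
        if pending is not None:  # wrapped continuation of the rule line
            pending[3].append(line)
    return rules


def unused_rules(rules: List[NatRule]) -> List[NatRule]:
    """Rules that have never matched: candidates to remove after a migration."""
    return [r for r in rules if r.translate_hits == 0 and r.untranslate_hits == 0]


def inbound_capable_rules(rules: List[NatRule]) -> List[NatRule]:
    """Rules whose mapped address accepts connections initiated from the mapped
    side; check that the interface ACL (which matches real addresses from 8.3 on)
    permits only what is intended."""
    return [r for r in rules if r.inbound_capable]


if __name__ == "__main__":
    parsed = parse_show_nat(SAMPLE_SHOW_NAT)
    for r in parsed:
        print(f"section {r.section} rule {r.index}: {r.real_ifc}->{r.mapped_ifc} "
              f"hits={r.translate_hits}/{r.untranslate_hits} inbound={r.inbound_capable}")
    print("unused:", [(r.section, r.index) for r in unused_rules(parsed)])
```

On the sample, rule 2 of Section 1 is reported as unused, and both static rules are reported as inbound-capable: the lab's own rule exposes 192.168.100.200 to the outside, so whatever the outside ACL permits to 10.10.10.1 is what 12.12.12.1 can initiate.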
