Professional Documents
Culture Documents
ASA 8.3 - 8.4 Double NAT - Source Destination NAT - My Tech World
ASA 8.3 - 8.4 Double NAT - Source Destination NAT - My Tech World
XeruNetworks
Its all about networks…
GNS3
Security
ASA
VPN
Routing & Switching
EIGRP
Stackwise
Tips
Voice
Call Manager
CME
Licencing
Wireless
Mar 13
by malikyounas
Main Post
http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-guide/
This lab is part of the series of LAB which details how migrate NAT
configurations from Pre ASA 8.2 version to ASA 8.3/8.4
Lab1.3 Setup
We will start with a fresh LAB, not building on what we had before because
the old config/topology was getting too much complex now.
The device configurations and GNS3 Topology can be downloaded from the the following link if you want it to
import it for yourself.
http://www.mediafire.com/download.php?u39jm62tlg1ha1z
NAT Policy
Outgoing
Incoming
1. Configure ASA for Inside address 10.10.10.1 such that when it tries to access 192.168.0.200, the NAT comes
into action and translates sources (10.10.10.1) address to 192.168.100.200 and destination
address(192.168.0.200) to 12.12.12.1. The same way when outside address 12.12.12.1 tries to access
192.168.100.200, the NAT is here again and translates source address(12.12.12.1) to 192.168.0.200 and
destination address(192.168.1000.200) to 10.10.10.1
1.
access-list out-nat permit ip host 10.10.10.1 host 192.168.0.200
1. Again start object configuration for each IP address and then use the nat statement which will do all
translations (in/out) in one statement.
Verification
4. Lets use extended ping from 10.10.10.1 to 192.168.0.200, we will enable ‘debug ip packet’ both on Inside
and ISP router to see source and destination IP addresses.
Inside#ping
Protocol [ip]:
Target IP address: 192.168.0.200
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.200, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/48/92 ms
Inside#
Inside#
Inside#
*Mar 12 15:19:15.986: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:19:15.986: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending full
packet
*Mar 12 15:19:16.078: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, input feature, MCI
Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 15:19:16.078: IP: tableid=0, s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1 (Loopback0), routed
via RIB
*Mar 12 15:19:16.078: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, rcvd 4
*Mar 12 15:19:16.078: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, stop process pak for
forus packet
*Mar 12 15:19:16.078: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:19:16.078: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending full
packet
*Mar 12 15:19:16.098: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10
*Mar 12 15:19:16.138: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, input feature, MCI
Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 15:19:16.142: IP: tableid=0, s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1 (Loopback0),
routed via RIB
*Mar 12 15:19:16.146: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, rcvd 4
*Mar 12 15:19:16.150: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, stop process pak for
forus packet
*Mar 12 15:19:16.154: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:19:16.158: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending full
packet
*Mar 12 15:19:16.178: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, input feature
ISP#, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
As you can see above inside router thinks its pining 192.168.0.200 and reply is coming from the same IP. The
same way ISP router thinks ping request is coming from 192.168.1000.200 and is replying to same.
ISP#ping
Protocol [ip]:
Target IP address: 192.168.100.200
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 12.12.12.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.200, timeout is 2 seconds:
Packet sent with a source address of 12.12.12.1
!!!!
*Mar 12 15:25:52.686: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:25:52.690: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending full
packet
*Mar 12 15:25:52.786: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, input feature, MCI
Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 15:25:52.786: IP: tableid=0, s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1 (Loopback0),
routed via RIB
*Mar 12 15:25:52.786: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, rcvd 4
*Mar 12 15:25:52.786: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, stop process pak for
forus packet
*Mar 12 15:25:52.786: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:25:52.786: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending full
packet
*Mar 12 15:25:52.822: IP: s=192.168.100.200 (FastEther!
*Mar 12 15:25:52.870: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, input feature, MCI
Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 15:25:52.874: IP: tableid=0, s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1 (Loopback0), routed
via RIB
*Mar 12 15:25:52.878: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, rcvd 4
*Mar 12 15:25:52.882: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, stop process pak for
forus packet
*Mar 12 15:25:52.882: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:25:52.882: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending full
packet
*Mar 12 15:25:52.894: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, input feature, MCI
Check(64), rtype 0, forus FALSE, sendself FA
Inside#LSE, mtu 0, fwdchk FALSE
As you can see from the output above that Inside router is getting ping request from 192.168.0.200 and its
replying to same
Related Posts
ASA 8.3/8.4 NAT Migration Lab Guide
Cisco ASA 8.4 on GNS3
Site to Site VPN without NAT – L2L IPSec VPN
Cisco ASA Concurrent Auth Proxy Connection Limit
EIGRP Delay Settings
Share this: 0
1 ping
1. ASA 8.3/8.4 NAT Migration Lab Guide - My Tech World » My Tech World
Reply
Leave a Reply
Your email address will not be published. Required fields are marked *
Name: *
Email: *
Website:
You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym
title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite="">
<strike> <strong>
Recent Posts
Don’t span high volume traffic to
WS-X6548-GE-TX or WS-X6148-GE-TX
oversubscribed line cards
Outlook.com – Don’t change your primary
email address and how to revert back if
you already did
Best Email App for Android ICS
ASA 8.4 Upgrade Path – 8.2 to ASA 8.4
with Zero Downtime
RSPAN Configuration for Cisco 6500
Switches
Popular Posts
Sponsored Links
Categories
ASA
CME
EIGRP
GNS3
Licencing
Routing & Switching
Security
Stackwise
Tips
Uncategorized
Voice
VPN
Wireless
Archives
August 2012
June 2012
May 2012
March 2012
February 2012
January 2012
December 2011
September 2011
August 2011
June 2011
March 2011
February 2011
November 2010
October 2010
July 2010
June 2010
May 2010
Recent Comments
sonsofsound77 on Cisco ASA 8.4 on
GNS3
Mohamed Mire Shire on Outlook.com –
Don’t change your primary email address
and how to revert back if you already did
Sinchai DeLong on Cisco ASA 8.4 on
GNS3
Martin on Cisco ASA 8.4 on GNS3
Jorge on Best Email App for Android ICS
Blog Calendar
March 2012
M T W T F S S
1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31
« Feb May »
Meta
Log in
Entries RSS
Comments RSS
WordPress.org
Copyright
© 2012 XeruNetworks.
Return to top