
Mar 06

ASA 8.3/8.4 NAT Migration Lab Guide – Lab 1.0

http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-guide/

This lab is part of a series of labs that details how to migrate NAT configurations from pre-8.3 ASA versions (8.2 and earlier) to ASA 8.3/8.4.

Lab 1.0 Setup


Dynamic NAT / PAT Overload

Three devices in total:
One router representing the internal networks
One ASA firewall where NAT is configured
One external router representing the ISP, which the internal networks reach after being translated on the firewall.

The firewall is configured with an open ACL that allows all connections through. This is because we don't want to play with ACLs in this lab but to focus on NAT. We will work with ACLs at a later stage when the topology gets a bit more complex.
The device configurations and GNS3 topology can be downloaded from the following link if you want to import them yourself.

http://www.mediafire.com/download.php?93bc24d9z76043a

NAT Policy

To start with a very basic setup, we want to:
1. Configure the ASA so the inside network 10.10.10.0/24 uses dynamic NAT interface overload (PAT) with the firewall's outside interface IP when accessing the outside network (ISP).
2. Configure the ASA so the inside network 10.10.11.0/24 uses dynamic NAT overload (PAT) with a dedicated public IP (in our case 192.168.100.200).
3. Dynamic any overload NAT (PAT): any remaining inside network is translated to 192.168.100.201.

Pre ASA 8.3 Configuration

Now, in the good old days we would have used the following configuration to achieve our policy goals.

1.
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface

2.
nat (inside) 2 10.10.11.0 255.255.255.0
global (outside) 2 192.168.100.200

3.
nat (inside) 3 0 0
global (outside) 3 192.168.100.201

ASA 8.3/8.4 Configuration

1.
The first thing you do is create a network object for the subnet you want translated. The NAT statement is then included inside that object, as follows:

object network Inernal-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

2.
To use a public IP instead of the interface IP, do the same as in step 1 but replace the keyword interface with the IP address:

object network Inernal-10.10.11.0
 subnet 10.10.11.0 255.255.255.0
 nat (inside,outside) dynamic 192.168.100.200

3.
Here we create a catch-all object, so that any other inside IP for which no more specific NAT rule exists is translated as well:

object network Inernal-0.0.0.0
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic 192.168.100.201
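The mapping above (one nat/global pair per nat-id becomes one network object carrying its own nat line) is mechanical enough to script. The converter below is an added example, not the lab's or Cisco's tool; it assumes the object name prefix "Internal-" and only handles the dynamic forms this lab uses (interface or a single mapped IP), refusing nat 0 and address ranges, which need different 8.3 constructs.

```python
import re

# Constructed pre-8.3 config with the lab's three nat/global pairs (not the page's download)
OLD_CONFIG = """\
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
nat (inside) 2 10.10.11.0 255.255.255.0
global (outside) 2 192.168.100.200
nat (inside) 3 0 0
global (outside) 3 192.168.100.201
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global\s*\((\S+)\) (\d+) (\S+)$")  # tolerates 'global(outside)'


def parse_pre83(text):
    """Collect nat statements and the global pool each nat-id maps to."""
    nats, pools = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, ip, mask = m.groups()
            if (ip, mask) == ("0", "0"):  # 'nat (inside) 3 0 0' is the any-source shorthand
                ip, mask = "0.0.0.0", "0.0.0.0"
            nats.append((iface, int(nat_id), ip, mask))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            iface, nat_id, pool = m.groups()
            pools[int(nat_id)] = (iface, pool)
    return nats, pools


def to_object_nat(text, prefix="Internal-"):
    """Emit 8.3-style auto (object) NAT for each dynamic nat/global pair."""
    nats, pools = parse_pre83(text)
    lines = []
    for in_if, nat_id, ip, mask in nats:
        if nat_id == 0:
            raise ValueError("nat 0 (identity/exemption) is not a dynamic rule; convert by hand")
        if nat_id not in pools:
            raise ValueError(f"nat id {nat_id} has no matching global statement")
        out_if, pool = pools[nat_id]
        if "-" in pool:
            raise ValueError("address ranges need a separate range object; not handled here")
        lines += [f"object network {prefix}{ip}",
                  f" subnet {ip} {mask}",
                  f" nat ({in_if},{out_if}) dynamic {pool}"]
    return "\n".join(lines)
```

Review the generated catch-all object (subnet 0.0.0.0 0.0.0.0) before applying it: in 8.3 auto NAT the longest-prefix object wins, so the /0 object only catches hosts no other object covers, which is the behaviour the lab intends.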

Verification

1. ‘show run object’ lists the objects we created above
Output:
ASA1# sh run object
object network Inernal-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
object network Inernal-10.10.11.0
 subnet 10.10.11.0 255.255.255.0

object network Inernal-0.0.0.0
 subnet 0.0.0.0 0.0.0.0

2. Use ‘show run nat’ to get the NAT statements used in the running config
Output:
ASA1# sh run nat
!
object network Inernal-10.10.10.0
 nat (inside,outside) dynamic interface
object network Inernal-10.10.11.0
 nat (inside,outside) dynamic 192.168.100.200

object network Inernal-0.0.0.0
 nat (inside,outside) dynamic 192.168.100.201

3. Use ‘show nat’ to see the translations performed
Output:
ASA1# sh nat


Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Inernal-10.10.10.0 interface
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic Inernal-10.10.11.0 192.168.100.200
    translate_hits = 0, untranslate_hits = 0

3 (inside) to (outside) source dynamic Inernal-0.0.0.0 192.168.100.201
    translate_hits = 0, untranslate_hits = 0

Now that we have verified the components are in place, let's start verification on the devices.

4. On the ISP router, use the command ‘debug ip packet’ to get an idea of what source IP address the ISP sees when a packet hits its interface.
5. Use an extended ping from the Inside router as follows to verify the first rule. The ISP router should now see the firewall's outside interface IP (192.168.100.1) as the source of the ping, although, as we configured and know, the real source is the Loopback interface IP on the Inside router.

Inside#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/33/64 ms

ISP Router IP Packet Debug Output

*Feb 29 10:25:51.815: IP: tableid=0, s=192.168.100.1 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), routed via RIB
*Feb 29 10:25:51.819: IP: s=192.168.100.1 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), len 100, rcvd 3
*Feb 29 10:25:51.819: IP: s=192.168.100.1 (FastEthernet1/0), d=192.168.100.2, len 100, stop process pak for forus packet
*Feb 29 10:25:51.819: IP: s=192.168.100.2 (local), d=192.168.100.1 (FastEthernet1/0), len 100, sending
*Feb 29 10:25:51.819: IP: s=192.168.100.2 (local), d=192.168.100.1 (FastEthernet1/0), len 100, sending full packet
*Feb 29 10:25:51.839: IP: s=192.168.100.1 (FastEthernet1/0), d=192.168.100.2, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

6. Now let's try again, but this time with a different source IP. This time we will use Loopback 1, which should be translated to 192.168.100.200. Let's try that and see where the ISP router thinks the packets are coming from.

Inside#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.11.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.11.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/35/60 ms



ISP Router IP Packet Debug Output
*Feb 29 10:29:41.823: IP: tableid=0, s=192.168.100.200 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), routed via RIB
*Feb 29 10:29:41.823: IP: s=192.168.100.200 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), len 100, rcvd 3
*Feb 29 10:29:41.827: IP: s=192.168.100.200 (FastEthernet1/0), d=192.168.100.2, len 100, stop process pak for forus packet
*Feb 29 10:29:41.831: IP: s=192.168.100.2 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending
*Feb 29 10:29:41.835: IP: s=192.168.100.2 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending full packet
*Feb 29 10:29:41.859: IP: s=192.168.100.200 (FastEthernet1/0), d=192.168.100.2, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

As you can see above it sees packets coming from 192.168.100.200

7. We configured specific translation rules for two subnets; let's see what happens if we ping from another subnet, which should be matched only by the ANY NAT rule on the firewall and translated to 192.168.100.201.

Inside#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.12.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.12.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 24/45/84 ms

*Feb 29 13:56:35.455: IP: tableid=0, s=192.168.100.201 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), routed via RIB
*Feb 29 13:56:35.455: IP: s=192.168.100.201 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), len 100, rcvd 3
*Feb 29 13:56:35.455: IP: s=192.168.100.201 (FastEthernet1/0), d=192.168.100.2, len 100, stop process pak for forus packet
*Feb 29 13:56:35.455: IP: s=192.168.100.2 (local), d=192.168.100.201 (FastEthernet1/0), len 100, sending
*Feb 29 13:56:35.455: IP: s=192.168.100.2 (local), d=192.168.100.201 (FastEthernet1/0), len 100, sending full packet

8. Let's use the ‘show nat’ command to see whether the hit counts are still the same or have increased.

ASA1# sh nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Inernal-10.10.10.0 interface
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic Inernal-10.10.11.0 192.168.100.200
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic Inernal-0.0.0.0 192.168.100.201
    translate_hits = 2, untranslate_hits = 1
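Comparing the hit counters before and after a test ping is the quickest way to confirm which object actually matched; a rise on the 0.0.0.0 catch-all for traffic you expected a specific object to handle tells you the specific rule never matched. The parser below is an added example, not the page's or Cisco's code; it reads the ‘show nat’ Section 2 format shown above and the snapshot text is constructed to mirror the lab's output.

```python
import re

# Constructed 'show nat' snapshots in the format the lab's ASA prints, before and after the pings
BEFORE = """\
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Inernal-10.10.10.0 interface
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic Inernal-10.10.11.0 192.168.100.200
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic Inernal-0.0.0.0 192.168.100.201
    translate_hits = 0, untranslate_hits = 0
"""
AFTER = """\
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Inernal-10.10.10.0 interface
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic Inernal-10.10.11.0 192.168.100.200
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic Inernal-0.0.0.0 192.168.100.201
    translate_hits = 2, untranslate_hits = 1
"""

RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (\w+) (\S+) (\S+)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


def parse_show_nat(text):
    """Map each object name to its mapped address and hit counters."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:  # policy line: remember which object the next counter line belongs to
            current = m.group(5)
            rules[current] = {"mapped": m.group(6), "translate": 0, "untranslate": 0}
            continue
        m = HITS_RE.search(line)
        if m and current:
            rules[current]["translate"] = int(m.group(1))
            rules[current]["untranslate"] = int(m.group(2))
    return rules


def translate_delta(before, after):
    """Objects whose translate_hits grew between two snapshots, with the increase."""
    b, a = parse_show_nat(before), parse_show_nat(after)
    return {obj: a[obj]["translate"] - b.get(obj, {}).get("translate", 0)
            for obj in a
            if a[obj]["translate"] > b.get(obj, {}).get("translate", 0)}
```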


8 comments

1 ping


  1. peter

    @ Peter icmp is not configured as part of the global policy, so check to see if ICMP is allowed on the global policy and if not then you will need to create an object-group to allow icmp or under global policy add the inspect icmp

  2. peter taylor

    So from what I can see the ASA is translating. However, only on the 10.10.10.0 subnet do I see it receiving a response on the inside router, and I see the outside IP address of the ASA. But when I ping with a source IP of 10.10.11.1 or 12.1 I see it getting translated on the ASA and the ISP router receives the pings, but the inside router does not receive a reply.

    If i remove the Natting i have end-to-end connectivity from the ISP router to the Loopback’s, apply the natting same thing. What is wrong with the 11.0/12.0 natting ?

    ciscoasa(config)#
    nat: translation – inside:10.10.11.1/41 to outside:172.16.1.200/1752
    nat: translation – inside:10.10.11.1/41 to outside:172.16.1.200/1752
    nat: translation – inside:10.10.11.1/41 to outside:172.16.1.200/1752

    ciscoasa(config)# sh nat

    Auto NAT Policies (Section 2)
    1 (inside) to (outside) source dynamic Internal-10.10.10.0 interface
    translate_hits = 0, untranslate_hits = 0
    2 (inside) to (outside) source dynamic internal-10.10.11.0 172.16.1.200
    translate_hits = 5, untranslate_hits = 0
    3 (inside) to (outside) source dynamic Internal-0.0.0.0 172.16.1.201
    translate_hits = 7, untranslate_hits = 0

    ISP RTR#
    *Aug 9 15:05:03.711: CEF: Try to CEF switch 150.100.1.2 from Serial1/0
    *Aug 9 15:05:03.719: IP: tableid=0, s=172.16.1.200 (Serial1/0), d=150.100.1.2 (Serial1/0), routed via RIB
    *Aug 9 15:05:03.723: IP: s=172.16.1.200 (Serial1/0), d=150.100.1.2 (Serial1/0), len 100, rcvd 3
    *Aug 9 15:05:03.727: IP: tableid=0, s=150.100.1.2 (local), d=172.16.1.200 (Serial1/0), routed via FIB
    *Aug 9 15:05:03.731: IP: s=150.100.1.2 (local), d=172.16.1.200 (Serial1/0), len 100, sending
    *Aug 9 15:05:03.767: CEF: Try to CEF switch 150.100.1.2 from Serial1/0
    *Aug 9 15:05:03.771: IP: tableid=0, s=150.100.1.1 (Serial1/0), d=150.100.1.2 (Serial1/0), routed via RIB

    Inside RTR#

    R4#ping 150.100.1.2 source 10.10.11.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 150.100.1.2, timeout is 2 seconds:
    Packet sent with a source address of 10.10.11.1
    …..
    Success rate is 0 percent (0/5)

    R4#ping 150.100.1.2 source 10.10.12.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 150.100.1.2, timeout is 2 seconds:
    Packet sent with a source address of 10.10.12.1
    …..
    Success rate is 0 percent (0/5)

    R4#ping 150.100.1.2 source 10.10.10.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 150.100.1.2, timeout is 2 seconds:
    Packet sent with a source address of 10.10.10.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 52/80/140 ms

  3. Peter

    I have configured my ASA to your config but ping does not. Actually, it is not even hitting NAT on the ASA.
    Do I have to turn on NAT before this works?

  4. coolprat

    I would like you to help me with a doubt. Whenever I try to do dynamic NAT on ASA 8.4 and use the command sh nat, it doesn't show the translation, whereas doing static shows in translation. What could be the problem?

  5. Stephen

    First I want to compliment you on such a great job and all the work you have done here.
    I must be missing something here because I can't find a reference to the IP addresses on the last two object statements that you have on your ASA. Is this just to send it to the subnet and any IP in that subnet can be used?
    object network Inernal-10.10.11.0
     subnet 10.10.11.0 255.255.255.0
     nat (inside,outside) dynamic 192.168.100.200
    object network Inernal-0.0.0.0
     subnet 0.0.0.0 0.0.0.0
     nat (inside,outside) dynamic 192.168.100.201

    1. xerunetworks

      In the following statement we are using NAT to translate any request from 11.0 subnet to use 192.168.100.200. The IP address 100.200 is taken from the public pool available on the outside interface.

      object network Inernal-10.10.11.0

       subnet 10.10.11.0 255.255.255.0

       nat (inside,outside) dynamic 192.168.100.200

      However, the following statement is saying to use 100.201 for any address other than 10.0 & 11.0, so it's a catch-all statement

      object network Inernal-0.0.0.0

       subnet 0.0.0.0 0.0.0.0

       nat (inside,outside) dynamic 192.168.100.201

      Again, 100.201 is taken from the pool of public addresses available on the outside interface.

  6. Jim

    After I build the configuration as per the picture, I start the routers and ASA and get this:
    ASA1: error from server 127.0.0.1:10525: 209-unable to start instance 'ASA1'
    Does this have something to do with my Loopback Adapter?

    1. xerunetworks

      Nope, it has to do with qemu, asa is not starting properly, check your gns3 install, asa qemu options

  1. ASA 8.3/8.4 NAT Migration Lab Guide - My Tech World » My Tech World

    […] will have our labs on the following pattern Lab 1.0 – Dynamic NAT/PAT Overload Lab 1.1 – Dynamic Policy NAT Lab 1.2 – Dynamic NAT/PAT, Dynamic NAT/PAT Interface […]
