
Mar 06

ASA 8.3/8.4 NAT Migration Lab Guide – Lab 1.2

Main Post

http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-guide/

This lab is part of a series of labs detailing how to migrate NAT configurations from ASA 8.2 and earlier to ASA 8.3/8.4.

Lab 1.2 Setup

Dynamic NAT/PAT, Dynamic NAT/PAT Interface Overload, Dynamic Policy NAT/PAT Combined

Building on what we had before, let's add a few more subnets to the ISP router. I have also modified the ASA config to add routes for these new subnets.

The device configurations and GNS3 topology can be downloaded from the following link if you want to import them yourself.

http://www.mediafire.com/download.php?8l6dgrxjj5ga18n

NAT Policy

1. Configure ASA for the Inside subnet 10.10.12.0/24 to be translated to 30.30.30.1 when accessing the subnet on the DMZ router.

2. Configure ASA for the DMZ network such that any network for which no specific NAT is configured first uses a range of IP addresses (192.168.100.205-210) for translation, and if those are exhausted then uses the interface IP for translation. (This can't be fully verified, as exhausting the translations isn't easy, or at least I can't do it in this lab.)

3. Configure ASA for the DMZ network such that when the specific subnet 192.168.1.0/24 tries to Telnet to the ISP subnet 12.12.12.0/24, it uses 192.168.100.204.

Pre ASA 8.3 Configuration

1.

nat (inside) 1 10.10.12.0 255.255.255.0
global (dmz) 1 30.30.30.1

2.

nat (dmz) 3 0.0.0.0 0.0.0.0
global (outside) 3 interface
global (outside) 3 192.168.100.205-192.168.100.210

3.

access-list POLICY-NAT-ACL-12 permit tcp 192.168.1.0 255.255.255.0 12.12.12.0 255.255.255.0 eq 23
nat (dmz) 2 access-list POLICY-NAT-ACL-12
global (outside) 2 192.168.100.204

ASA 8.3/8.4 Configuration

1. Starting with the objects again. This is not a policy NAT, so we configure an object for the source subnet and include the NAT statement within it.

object network Inernal-10.10.12.0
subnet 10.10.12.0 255.255.255.0
nat (inside,dmz) dynamic 30.30.30.1

2. Here we configure NAT so that any DMZ network without a specific translation is translated using a range of IP addresses, falling back to the interface IP once the range is exhausted.

object network DMZ-Destination-192.168.100.205-192.168.100.210
range 192.168.100.205 192.168.100.210

object network DMZ-0.0.0.0
subnet 0.0.0.0 0.0.0.0
nat (dmz,outside) dynamic DMZ-Destination-192.168.100.205-192.168.100.210 interface

3. This is a policy NAT, which translates on the basis of the protocol in use and the source and destination subnets.

object network DMZ-Source-192.168.1.0
subnet 192.168.1.0 255.255.255.0

object network DMZ-Destination-12.12.12.0
subnet 12.12.12.0 255.255.255.0

object network obj-192.168.100.204
host 192.168.100.204

object service obj-telnet
service tcp destination eq 23

nat (DMZ,outside) source dynamic DMZ-Source-192.168.1.0 obj-192.168.100.204 destination static DMZ-Destination-12.12.12.0 DMZ-Destination-12.12.12.0 service obj-telnet obj-telnet

Verification

1. Use ‘show run object’ to see which objects are in the running config

ASA1# sh run object
object network Inernal-10.10.10.0
subnet 10.10.10.0 255.255.255.0
object network Inernal-10.10.11.0
subnet 10.10.11.0 255.255.255.0
object network Inernal-0.0.0.0
subnet 0.0.0.0 0.0.0.0
object network DMZ-Source-11.11.11.0
subnet 11.11.11.0 255.255.255.0
object network DMZ-Destination-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network obj-192.168.100.202
host 192.168.100.202
object network DMZ-Destination-192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network obj-192.168.0.202
host 192.168.0.202
object service obj-icmp
service icmp echo 0
object network Inernal-10.10.12.0
subnet 10.10.12.0 255.255.255.0
object network DMZ-Destination-12.12.12.0
subnet 12.12.12.0 255.255.255.0
object network obj-192.168.100.203
host 192.168.100.203
object service obj-telnet
service tcp destination eq telnet
object network DMZ-Source-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.100.204
host 192.168.100.204
object network DMZ-Destination-192.168.100.205-192.168.100.210
range 192.168.100.205 192.168.100.210
object network DMZ-0.0.0.0
subnet 0.0.0.0 0.0.0.0

2. Use ‘show run nat’ to see which NAT statements are configured

ASA1# sh run nat
nat (DMZ,outside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.100.202 destination static DMZ-Destination-192.168.100.0 DMZ-Destination-192.168.100.0
nat (DMZ,inside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.0.202 destination static DMZ-Destination-192.168.0.0 DMZ-Destination-192.168.0.0
nat (DMZ,outside) source dynamic DMZ-Source-192.168.1.0 obj-192.168.100.204 destination static DMZ-Destination-12.12.12.0 DMZ-Destination-12.12.12.0 service obj-telnet obj-telnet
!
object network Inernal-10.10.10.0
nat (inside,outside) dynamic interface
object network Inernal-10.10.11.0
nat (inside,outside) dynamic 192.168.100.200
object network Inernal-0.0.0.0
nat (inside,outside) dynamic 192.168.100.201
object network Inernal-10.10.12.0
nat (inside,DMZ) dynamic 30.30.30.1
object network DMZ-0.0.0.0
nat (DMZ,outside) dynamic DMZ-Destination-192.168.100.205-192.168.100.210 interface

3. Use ‘show nat’ to check the hit counters and translations

ASA1# sh nat
Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.100.202 destination static DMZ-Destination-192.168.100.0 DMZ-Destination-192.168.100.0
translate_hits = 0, untranslate_hits = 0
2 (DMZ) to (inside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.0.202 destination static DMZ-Destination-192.168.0.0 DMZ-Destination-192.168.0.0
translate_hits = 0, untranslate_hits = 0
3 (DMZ) to (outside) source dynamic DMZ-Source-192.168.1.0 obj-192.168.100.204 destination static DMZ-Destination-12.12.12.0 DMZ-Destination-12.12.12.0 service obj-telnet obj-telnet
translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Inernal-10.10.10.0 interface
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic Inernal-10.10.11.0 192.168.100.200
translate_hits = 0, untranslate_hits = 0
3 (inside) to (DMZ) source dynamic Inernal-10.10.12.0 30.30.30.1
translate_hits = 0, untranslate_hits = 0
4 (DMZ) to (outside) source dynamic DMZ-0.0.0.0 DMZ-Destination-192.168.100.205-192.168.100.210 interface
translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source dynamic Inernal-0.0.0.0 192.168.100.201
translate_hits = 0, untranslate_hits = 0

4. Ping from the Inside subnet 10.10.12.0/24 is translated to 30.30.30.1 when it tries to reach the DMZ network

Inside#ping
Protocol [ip]:
Target IP address: 11.11.11.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.12.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.12.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/40/68 ms

Let's see what we get on the DMZ network

*Mar 1 14:50:24.103: IP: tableid=0, s=30.30.30.1 (FastEthernet1/0), d=11.11.11.1 (Loopback0), routed via RIB
*Mar 1 14:50:24.107: IP: s=30.30.30.1 (FastEthernet1/0), d=11.11.11.1, len 100, rcvd 4
*Mar 1 14:50:24.107: IP: s=30.30.30.1 (FastEthernet1/0), d=11.11.11.1, len 100, stop process pak for forus packet
*Mar 1 14:50:24.107: IP: s=11.11.11.1 (local), d=30.30.30.1 (FastEthernet1/0), len 100, sending
*Mar 1 14:50:24.107: IP: s=11.11.11.1 (local), d=30.30.30.1 (FastEthernet1/0), len 100, sending full packet

5. Ping from the DMZ router to 12.12.12.1; it should match the catch-all rule for the DMZ and be translated to 192.168.100.205, the first IP in the range configured for the DMZ.

DMZ#ping 12.12.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/64/96 ms

Debug IP Packets results on ISP router

*Mar 1 14:48:17.127: IP: tableid=0, s=192.168.100.205 (FastEthernet1/0), d=12.12.12.1 (Loopback0), routed via RIB
*Mar 1 14:48:17.131: IP: s=192.168.100.205 (FastEthernet1/0), d=12.12.12.1, len 100, rcvd 4
*Mar 1 14:48:17.135: IP: s=192.168.100.205 (FastEthernet1/0), d=12.12.12.1, len 100, stop process pak for forus packet
*Mar 1 14:48:17.139: IP: s=12.12.12.1 (local), d=192.168.100.205 (FastEthernet1/0), len 100, sending
*Mar 1 14:48:17.151: IP: s=12.12.12.1 (local), d=192.168.100.205 (FastEthernet1/0), len 100, sending full packet
*Mar 1 14:48:17.259: IP: s=192.168.100.205 (FastEthernet1/0), d=12.12.12.1, len 100, input feature, MCI Check(64), rtype 0, forus FALSE,

6. Now let's try to telnet from the DMZ router to 12.12.12.1.

DMZ#telnet 12.12.12.1
Trying 12.12.12.1 … Open
Password required, but none set

[Connection to 12.12.12.1 closed by foreign host]

That's fine, at least it tried to make a connection. Let's see what IP address this request from the DMZ appears to be coming from.

*Mar 1 14:53:34.535: IP: tableid=0, s=192.168.100.204 (FastEthernet1/0), d=12.12.12.1 (Loopback0), routed via RIB
*Mar 1 14:53:34.539: IP: s=192.168.100.204 (FastEthernet1/0), d=12.12.12.1, len 40, rcvd 4
*Mar 1 14:53:34.543: IP: s=192.168.100.204 (FastEthernet1/0), d=12.12.12.1, len 40, stop process pak for forus packet
*Mar 1 14:53:34.547: IP: s=12.12.12.1 (local), d=192.168.100.204 (FastEthernet1/0), len 40, sending
*Mar 1 14:53:34.551: IP: s=12.12.12.1 (local), d=192.168.100.204 (FastEthernet1/0), len 40, sending full packet
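To make the rule ordering in the ‘show nat’ output concrete, here is an added Python model (not part of the original lab or of any Cisco tool) that evaluates Section 1 manual NAT rules in configured order, then Section 2 object NAT rules sorted the way the ASA sorts them, and reports the mapped source for a flow. It reproduces the lab's results: Telnet from 192.168.1.0/24 to 12.12.12.1 gets 192.168.100.204, while a ping from the same host falls through to the DMZ catch-all and gets 192.168.100.205. Assumptions: pool allocation is simplified to the pool's first address, interface PAT is represented by the literal string "interface", and only the dynamic rules of this lab are modelled.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")

@dataclass
class Rule:
    section: int      # 1 = manual NAT (Section 1), 2 = auto/object NAT (Section 2)
    name: str         # object name (Section 2) or a label for the manual rule (Section 1)
    ifaces: tuple     # (real interface, mapped interface)
    src: Net          # real source network
    mapped: str       # mapped source; pool allocation simplified to the pool's first address
    dst: Net = ANY    # destination match (manual NAT only)
    proto: str = ""   # "tcp"/"udp" for a service match, "" for any protocol
    dport: int = 0    # destination port for a service match

def auto_nat_key(r):
    # Section 2 ordering for dynamic rules: fewer real addresses, lower network address, then object name
    return (r.src.num_addresses, int(r.src.network_address), r.name)

def lookup_order(rules):
    """Rule names in evaluation order: Section 1 as entered, then Section 2 sorted."""
    manual = [r for r in rules if r.section == 1]
    auto = sorted((r for r in rules if r.section == 2), key=auto_nat_key)
    return [r.name for r in manual + auto]

def translate(rules, src_if, dst_if, src, dst, proto="icmp", dport=0):
    """Mapped source for a flow, or None when no rule applies (the flow is left untranslated)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    position = {n: i for i, n in enumerate(lookup_order(rules))}
    for r in sorted(rules, key=lambda r: position[r.name]):
        if r.ifaces != (src_if, dst_if) or s not in r.src or d not in r.dst:
            continue
        if r.proto and (r.proto, r.dport) != (proto, dport):
            continue
        return r.mapped
    return None

# The rules from this lab's 'show nat' output; Section 2 entries are deliberately listed out of order
RULES = [
    Rule(1, "manual-1", ("DMZ", "outside"), Net("11.11.11.0/24"), "192.168.100.202", Net("192.168.100.0/24")),
    Rule(1, "manual-2", ("DMZ", "inside"), Net("11.11.11.0/24"), "192.168.0.202", Net("192.168.0.0/24")),
    Rule(1, "manual-3", ("DMZ", "outside"), Net("192.168.1.0/24"), "192.168.100.204", Net("12.12.12.0/24"), "tcp", 23),
    Rule(2, "Inernal-0.0.0.0", ("inside", "outside"), ANY, "192.168.100.201"),
    Rule(2, "DMZ-0.0.0.0", ("DMZ", "outside"), ANY, "192.168.100.205"),
    Rule(2, "Inernal-10.10.12.0", ("inside", "DMZ"), Net("10.10.12.0/24"), "30.30.30.1"),
    Rule(2, "Inernal-10.10.11.0", ("inside", "outside"), Net("10.10.11.0/24"), "192.168.100.200"),
    Rule(2, "Inernal-10.10.10.0", ("inside", "outside"), Net("10.10.10.0/24"), "interface"),  # interface PAT
]
```

lookup_order(RULES) returns the same sequence as the ‘show nat’ output above, and translate(RULES, "DMZ", "inside", "11.11.11.1", "10.10.10.1") returns None because no rule covers DMZ-to-inside traffic outside 192.168.0.0/24.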