
Mar 06

ASA 8.3/8.4 NAT Migration Lab Guide – Lab 1.3

Main Post


http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-guide/

This lab is part of a series of labs that details how to migrate NAT configurations from ASA versions before 8.3 (8.2 and earlier) to ASA 8.3/8.4.


Lab1.3 Setup

Static NAT, Static Policy NAT, Static NAT with Port Translation, Many-to-Many Static NAT

Building on what we had before (Lab 1.2), let's add a few more subnets to the Inside router. I have also modified the ASA config to add routes for these new subnets. The ISP router is also modified to add a route for 14.14.0.0/16 pointing to the firewall (it is used in NAT Policy Requirement 4).

The device configurations and GNS3 topology can be downloaded from the following link if you want to import them yourself.

http://www.mediafire.com/download.php?bw707i723qao62y

NAT Policy

1. Configure the ASA so that Inside address 13.13.13.1 is mapped to 192.168.100.205, such that any connection requests to 192.168.100.205 are answered by 13.13.13.1.
2. Configure the ASA so that Inside address 13.13.13.1 is translated to 192.168.100.206 only when it tries to access 12.12.12.1.
3. Configure the ASA so that Inside address 13.13.14.1 port 80 is mapped to 192.168.100.207 port 80. When someone from outside tries to access 192.168.100.207 port 80, it will be answered by 13.13.14.1 port 80.
4. Configure a pool of IP addresses to be mapped to a pool of IP addresses of exactly the same size. This makes sure that each source pool host IP is mapped to the same host address in the mapped pool. For example, 13.13.15.1 will be mapped to 14.14.14.1, 13.13.15.2 to 14.14.14.2, and so on.

Pre ASA 8.3 Configuration

1.
static (inside,outside) 192.168.100.205 13.13.13.1 netmask 255.255.255.255

2.
access-list policy-nat permit ip host 13.13.13.1 host 12.12.12.1
static (inside,outside) 192.168.100.206 access-list policy-nat

3.
static (inside,outside) tcp 192.168.100.207 80 13.13.14.1 80 netmask 255.255.255.255

4.
static (inside,outside) 14.14.14.0 13.13.15.0 netmask 255.255.255.0

ASA 8.3/8.4 Configuration

1. Static mapping is simple enough: we create a network object for the source (real) IP and add the nat statement inside that object.

object network obj-13.13.13.1
host 13.13.13.1
nat (inside,outside) static 192.168.100.205

2. Again we work with objects, one each for the source, the mapped address and the destination. The object for 13.13.13.1 is already defined, so let's reuse it. This is manual (twice) NAT, so the nat statement is entered globally rather than inside an object, and the destination object is mapped to itself.

object network obj-192.168.100.206
host 192.168.100.206

object network obj-12.12.12.1
host 12.12.12.1

nat (inside,outside) source static obj-13.13.13.1 obj-192.168.100.206 destination static obj-12.12.12.1 obj-12.12.12.1

3. Again, start with an object for 13.13.14.1 and add the nat statement to it, this time with a service clause (real port first, then mapped port).

object network obj-13.13.14.1
host 13.13.14.1
nat (inside,outside) static 192.168.100.207 service tcp www www

4. Here we define a subnet object and then the mapping inside it. The mapped network must be the same size as the real network so that the host bits are preserved.

object network obj-13.13.15.0
subnet 13.13.15.0 255.255.255.0
nat (inside,outside) static 14.14.14.0
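To make the four migration cases above repeatable, here is an added Python model of the translation from pre-8.3 `static` lines to 8.3/8.4 object and manual NAT. It is example code written for this page, not Cisco's migration logic and not part of the lab files; it handles only the statement shapes used in this lab and assumes the lab's object naming scheme (obj-<real address or network>). The `net_to_net` helper also shows why policy 4 requires equal-sized pools: the host bits are carried over unchanged.

```python
"""Pre-8.3 `static` NAT to ASA 8.3/8.4 object NAT, modelled in Python.

Added example (not Cisco's migration code, not from the lab files). It
covers only the four statement shapes used in this lab and assumes the
object naming scheme the lab uses (obj-<real address or network>).
"""
import ipaddress
import re

# Pre-8.3 shapes handled: plain static, static PAT (tcp/udp with ports),
# net-to-net static, and ACL-based static policy NAT.
STATIC_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?:(?P<proto>tcp|udp) )?(?P<mapped>\S+)(?: (?P<mport>\d+))? "
    r"(?P<real>\S+)(?: (?P<rport>\d+))? netmask (?P<mask>\S+)$"
)
POLICY_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<mapped>\S+) "
    r"access-list (?P<acl>\S+)$"
)
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) permit ip host (?P<src>\S+) host (?P<dst>\S+)$"
)
# `show run` displays well-known ports by name (80 -> www), as seen in the lab.
PORT_NAMES = {"80": "www", "443": "https", "22": "ssh", "25": "smtp"}


def object_lines(addr, mask="255.255.255.255"):
    """Return (name, lines) defining a network object for a real host/subnet."""
    name = f"obj-{addr}"
    body = f" host {addr}" if mask == "255.255.255.255" else f" subnet {addr} {mask}"
    return name, [f"object network {name}", body]


def migrate_static(pre83_lines):
    """Return 8.3-style config lines for a list of pre-8.3 static/ACL lines."""
    out, defined, acls = [], set(), {}
    for raw in pre83_lines:
        line = " ".join(raw.split())  # normalise whitespace
        if m := ACL_RE.match(line):
            acls[m["name"]] = (m["src"], m["dst"])
        elif m := POLICY_RE.match(line):
            # Policy NAT becomes manual (twice) NAT: source and destination
            # are named objects, and the destination maps to itself.
            src, dst = acls[m["acl"]]
            for addr in (src, m["mapped"], dst):
                name, lines = object_lines(addr)
                if name not in defined:  # reuse objects created earlier
                    defined.add(name)
                    out += lines
            out.append(
                f"nat ({m['real_if']},{m['mapped_if']}) source static "
                f"obj-{src} obj-{m['mapped']} destination static obj-{dst} obj-{dst}"
            )
        elif m := STATIC_RE.match(line):
            # Auto (object) NAT: the nat line lives inside the object, so the
            # object is (re-)entered here even if it was defined earlier.
            name, lines = object_lines(m["real"], m["mask"])
            defined.add(name)
            out += lines
            nat = f" nat ({m['real_if']},{m['mapped_if']}) static {m['mapped']}"
            if m["proto"]:  # static PAT: service <proto> <real_port> <mapped_port>
                real_port = PORT_NAMES.get(m["rport"], m["rport"])
                mapped_port = PORT_NAMES.get(m["mport"], m["mport"])
                nat += f" service {m['proto']} {real_port} {mapped_port}"
            out.append(nat)
        else:
            raise ValueError(f"unsupported line: {line}")
    return out


def net_to_net(real_ip, real_net, mapped_net):
    """Mapped address for a net-to-net static: host bits are preserved,
    which is why 13.13.15.1 -> 14.14.14.1 and 13.13.15.2 -> 14.14.14.2."""
    real_net = ipaddress.ip_network(real_net)
    mapped_net = ipaddress.ip_network(mapped_net)
    if real_net.prefixlen != mapped_net.prefixlen:
        raise ValueError("real and mapped networks must be the same size")
    ip = ipaddress.ip_address(real_ip)
    if ip not in real_net:
        raise ValueError(f"{ip} is not inside {real_net}")
    offset = int(ip) - int(real_net.network_address)
    return str(mapped_net.network_address + offset)


# The lab's pre-8.3 configuration, items 1 to 4, in order.
PRE83 = [
    "static (inside,outside) 192.168.100.205 13.13.13.1 netmask 255.255.255.255",
    "access-list policy-nat permit ip host 13.13.13.1 host 12.12.12.1",
    "static (inside,outside) 192.168.100.206 access-list policy-nat",
    "static (inside,outside) tcp 192.168.100.207 80 13.13.14.1 80 netmask 255.255.255.255",
    "static (inside,outside) 14.14.14.0 13.13.15.0 netmask 255.255.255.0",
]

if __name__ == "__main__":
    print("\n".join(migrate_static(PRE83)))
    print(net_to_net("13.13.15.2", "13.13.15.0/24", "14.14.14.0/24"))
```

Running the script prints the same object and nat lines that appear in the `show run object` / `show run nat` output in the verification section, with the auto NAT lines nested under their objects and the policy NAT line standing alone as a manual NAT rule.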

Verification:

1. Use 'show run object' to see which objects are part of the running config. I have included only the relevant objects in the output.

ASA1# sh run object
----- Output Omitted -----
object network obj-13.13.13.1
 host 13.13.13.1
object network obj-192.168.100.206
 host 192.168.100.206
object network obj-12.12.12.1
 host 12.12.12.1
object network obj-13.13.14.1
 host 13.13.14.1
object network obj-13.13.15.0
 subnet 13.13.15.0 255.255.255.0

2. Use 'show run nat' to see which NAT statements are configured.

ASA1# sh run nat
----- Output Omitted -----
nat (inside,outside) source static obj-13.13.13.1 obj-192.168.100.206 destination static obj-12.12.12.1 obj-12.12.12.1
----- Output Omitted -----
object network obj-13.13.13.1
 nat (inside,outside) static 192.168.100.205
object network obj-13.13.14.1
 nat (inside,outside) static 192.168.100.207 service tcp www www
object network obj-13.13.15.0
 nat (inside,outside) static 14.14.14.0

3. Use the 'show nat' command to see which NAT translations are in use and the hit counts against them.

ASA1# sh nat
----- Output Omitted -----
4 (inside) to (outside) source static obj-13.13.13.1 obj-192.168.100.206   destination static obj-12.12.12.1 obj-12.12.12.1
    translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj-13.13.13.1 192.168.100.205
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static obj-13.13.14.1 192.168.100.207   service tcp www www
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static obj-13.13.15.0 14.14.14.0
    translate_hits = 0, untranslate_hits = 0
----- Output Omitted -----

4. To verify NAT policy 1, ping 192.168.100.205 from the ISP router; the destination should be translated to 13.13.13.1 by the time it reaches the Inside router.

ISP#ping 192.168.100.205


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.205, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/43/100 ms


*Mar  6 13:57:44.223: IP: tableid=0, s=192.168.100.2 (FastEthernet1/0), d=13.13.13.1 (Loopback13), routed via RIB
*Mar  6 13:57:44.227: IP: s=192.168.100.2 (FastEthernet1/0), d=13.13.13.1, len 100, rcvd 4
*Mar  6 13:57:44.231: IP: s=192.168.100.2 (FastEthernet1/0), d=13.13.13.1, len 100, stop process pak for forus packet
*Mar  6 13:57:44.235: IP: s=13.13.13.1 (local), d=192.168.100.2 (FastEthernet1/0), len 100, sending
*Mar  6 13:57:44.235: IP: s=13.13.13.1 (local), d=192.168.100.2 (FastEthernet1/0), len 100, sending full packet
*Mar  6 13:57:44.243: IP: s=192.168.100.2 (FastEthernet1/0), d=13.13.13.1, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendsel
Inside#f FALSE, mtu 0, fwdchk FALSE

5. To verify NAT policy 2, use an extended ping from the Inside router with source IP address 13.13.13.1 and destination 12.12.12.1. On the ISP router, however, the packets should be seen coming from the mapped IP 192.168.100.206.

Inside#ping
Protocol [ip]:
Target IP address: 12.12.12.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 13.13.13.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.1, timeout is 2 seconds:
Packet sent with a source address of 13.13.13.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/39/112 ms

*Mar  6 14:43:50.494: IP: tableid=0, s=192.168.100.206 (FastEthernet1/0), d=12.12.12.1 (Loopback0), routed via RIB
*Mar  6 14:43:50.498: IP: s=192.168.100.206 (FastEthernet1/0), d=12.12.12.1, len 100, rcvd 4
*Mar  6 14:43:50.498: IP: s=192.168.100.206 (FastEthernet1/0), d=12.12.12.1, len 100, stop process pak for forus packet
*Mar  6 14:43:50.498: IP: s=12.12.12.1 (local), d=192.168.100.206 (FastEthernet1/0), len 100, sending
*Mar  6 14:43:50.498: IP: s=12.12.12.1 (local), d=192.168.100.206 (FastEthernet1/0), len 100, sending full packet
*Mar  6 14:43:50.510: IP: s=192.168.100.206 (FastEthernet1/0), d=12.12.12.1, len 100, input feature
ISP#, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

6. To verify NAT policy 3: no test is run here, since I am using routers as the hosts and cannot run a browser on them.

7. To verify NAT policy 4, use an extended ping from the Inside router with source 13.13.15.1 to the ISP router; it should be translated to 14.14.14.1. Now change the IP of the loopback interface from 13.13.15.1 to 13.13.15.2 and run the extended ping again; this time it should be translated to 14.14.14.2.

Inside#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 13.13.15.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 13.13.15.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/28/72 ms

On ISP Router

*Mar  6 19:18:56.119: IP: tableid=0, s=14.14.14.1 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), routed via RIB
*Mar  6 19:18:56.119: IP: s=14.14.14.1 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), len 100, rcvd 3
*Mar  6 19:18:56.119: IP: s=14.14.14.1 (FastEthernet1/0), d=192.168.100.2, len 100, stop process pak for forus packet
*Mar  6 19:18:56.119: IP: s=192.168.100.2 (local), d=14.14.14.1 (FastEthernet1/0), len 100, sending
*Mar  6 19:18:56.119: IP: s=192.168.100.2 (local), d=14.14.14.1 (FastEthernet1/0), len 100, sending full packet

Try again with 13.13.15.2

Inside#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 13.13.15.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 13.13.15.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/30/60 ms

*Mar  6 19:20:21.279: IP: s=14.14.14.2 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), len 100, rcvd 3
*Mar  6 19:20:21.279: IP: s=14.14.14.2 (FastEthernet1/0), d=192.168.100.2, len 100, stop process pak for forus packet
*Mar  6 19:20:21.279: IP: s=192.168.100.2 (local), d=14.14.14.2 (FastEthernet1/0), len 100, sending
*Mar  6 19:20:21.279: IP: s=192.168.100.2 (local), d=14.14.14.2 (FastEthernet1/0), len 100, sending full packet
*Mar  6 19:20:21.299: IP: s=14.14.14.2 (FastEtherne
