ASA 8.3/8.4 NAT Migration Lab Guide – Lab 1.0
Dynamic NAT / PAT Overload
One router representing the internal networks
One ASA firewall on which NAT is configured
One external router representing the ISP, which the internal networks will reach after being translated on the firewall.
The firewall is configured with an open ACL that allows all connections through. This is because we don't want to play with ACLs in this lab but to focus on NAT. We will work with ACLs at a later stage, when the topology gets a bit more complex.
The device configurations and GNS3 topology can be downloaded from the following link if you want to import them yourself.
NAT Policy
To start with a very basic setup, we want to:
1. Configure the ASA so that the inside network 10.10.10.0/24 uses dynamic NAT interface overload (PAT) with the firewall interface IP when accessing outside networks (ISP)
2. Configure the ASA so that the inside network 10.10.11.0/24 uses dynamic NAT overload (PAT) with a public IP (in our case 192.168.100.200)
3. Dynamic any overload NAT (PAT): any remaining inside network will be translated to 192.168.100.3
Pre ASA 8.3 Configuration
Now, in the good old days we would have used the following configuration to achieve our policy goals.
1.
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
2.
nat (inside) 2 10.10.11.0 255.255.255.0
global (outside) 2 192.168.100.200
3.
nat (inside) 3 0 0
global (outside) 3 192.168.100.201
ASA 8.3/8.4 Configuration
1. The first thing you do is create a network object for the subnet that you want translated. Along with that you include the NAT statement, as follows:
object network Inernal-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
2. Now, to use a public IP instead of the interface IP, you do the same thing as in step 1 but replace the interface keyword with the IP address:
object network Inernal-10.10.11.0
 subnet 10.10.11.0 255.255.255.0
 nat (inside,outside) dynamic 192.168.100.200
3. Here we create a catch-all object, so that any other IPs for which no NAT translation is already configured are translated:
object network Inernal-0.0.0.0
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic 192.168.100.201
Verification
1. Use ‘show run object’ to display the objects that we created in the steps above
Output:
ASA1# sh run object
object network Inernal-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
object network Inernal-10.10.11.0
 subnet 10.10.11.0 255.255.255.0
object network Inernal-0.0.0.0
 subnet 0.0.0.0 0.0.0.0
2. Use ‘show run nat’ to get the NAT statements in the running config
Output:
ASA1# sh run nat
!
object network Inernal-10.10.10.0
 nat (inside,outside) dynamic interface
object network Inernal-10.10.11.0
 nat (inside,outside) dynamic 192.168.100.200
object network Inernal-0.0.0.0
 nat (inside,outside) dynamic 192.168.100.201
3. Use ‘show nat’ to see the translation rules and their hit counts
ASA1# sh nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Inernal-10.10.10.0 interface
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic Inernal-10.10.11.0 192.168.100.200
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic Inernal-0.0.0.0 192.168.100.201
    translate_hits = 0, untranslate_hits = 0
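To tie the pre-8.3 and 8.3 syntax together, here is an added Python example (not part of the original guide) that converts the legacy nat/global pairs into 8.3 object NAT lines and, applying the Section 2 Auto NAT ordering the ASA uses (fewest real addresses first, so the 0.0.0.0/0 catch-all is evaluated last regardless of configuration order), predicts which mapped address the ISP router should see for a given inside source. The object names, lab subnets and the outside interface address 192.168.100.1 are taken from this guide; the helper names are my own.

```python
import ipaddress

# Lab values from this guide: the pre-8.3 "nat (inside) <id> <net> <mask>"
# statements and the matching "global (outside) <id> <mapped>" entries.
PRE83_NAT = [
    ("inside", 1, "10.10.10.0 255.255.255.0"),
    ("inside", 2, "10.10.11.0 255.255.255.0"),
    ("inside", 3, "0.0.0.0 0.0.0.0"),
]
PRE83_GLOBAL = {1: "interface", 2: "192.168.100.200", 3: "192.168.100.201"}
OUTSIDE_IF_IP = "192.168.100.1"  # firewall outside interface IP from the guide


def to_network(subnet_mask):
    """Turn an ASA-style 'network mask' string into an ip_network object."""
    net, mask = subnet_mask.split()
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def migrate(nat_rules, global_pool):
    """Emit 8.3+ object NAT lines for each legacy nat/global pair (hypothetical helper)."""
    lines = []
    for real_if, nat_id, subnet_mask in nat_rules:
        net = to_network(subnet_mask)
        name = f"Inernal-{net.network_address}"  # keeps the guide's object naming
        lines += [f"object network {name}",
                  f" subnet {net.network_address} {net.netmask}",
                  f" nat ({real_if},outside) dynamic {global_pool[nat_id]}"]
    return lines


def auto_nat_order(nat_rules):
    """Section 2 (Auto NAT) order for dynamic rules: fewest real addresses first,
    then lowest network address. Configuration order plays no part, which is
    why the 0.0.0.0/0 catch-all cannot shadow the two /24 rules."""
    return sorted(nat_rules, key=lambda r: (to_network(r[2]).num_addresses,
                                            to_network(r[2]).network_address))


def mapped_source(src_ip, nat_rules, global_pool):
    """Predict the source address the ISP router sees for an inside host."""
    src = ipaddress.ip_address(src_ip)
    for _, nat_id, subnet_mask in auto_nat_order(nat_rules):
        if src in to_network(subnet_mask):
            mapped = global_pool[nat_id]
            return OUTSIDE_IF_IP if mapped == "interface" else mapped
    return None  # no rule matched (cannot happen while the catch-all exists)


if __name__ == "__main__":
    print("\n".join(migrate(PRE83_NAT, PRE83_GLOBAL)))
    for host in ("10.10.10.1", "10.10.11.1", "10.10.12.1"):
        print(host, "->", mapped_source(host, PRE83_NAT, PRE83_GLOBAL))
```

The three hosts printed are the same sources the extended pings in the verification steps use, so the predicted mapped addresses can be checked against the ISP router's debug output.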
Now that we have verified the components are in place, let's start verification on the devices.
4. On the ISP router, use the command ‘debug ip packet’ to see which source IP address the ISP sees when a packet hits its interface
5. Use an extended ping from the Internal router, as follows, to verify the first rule. The ISP router should now see the firewall outside interface IP (192.168.100.1) as the source of the ping. However, as we configured it, we know that the real source is the Loopback interface IP on the Inside router.
Inside#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/33/64 ms
ISP Router IP Packet Debug Output
*Feb 29 10:25:51.815: IP: tableid=0, s=192.168.100.1 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), routed via RIB
*Feb 29 10:25:51.819: IP: s=192.168.100.1 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), len 100, rcvd 3
*Feb 29 10:25:51.819: IP: s=192.168.100.1 (FastEthernet1/0), d=192.168.100.2, len 100, stop process pak for forus packet
*Feb 29 10:25:51.819: IP: s=192.168.100.2 (local), d=192.168.100.1 (FastEthernet1/0), len 100, sending
*Feb 29 10:25:51.819: IP: s=192.168.100.2 (local), d=192.168.100.1 (FastEthernet1/0), len 100, sending full packet
*Feb 29 10:25:51.839: IP: s=192.168.100.1 (FastEthernet1/0), d=192.168.100.2, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
6. Now let's try again, but this time with a different source IP. This time we will use Loopback 1, and it should be translated to 192.168.100.200. Let's try that and see where the ISP router thinks the packets are coming from.
Inside#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.11.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.11.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/35/60 ms
ISP Router IP Packet Debug Output
*Feb 29 10:29:41.823: IP: tableid=0, s=192.168.100.200 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), routed via RIB
*Feb 29 10:29:41.823: IP: s=192.168.100.200 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), len 100, rcvd 3
*Feb 29 10:29:41.827: IP: s=192.168.100.200 (FastEthernet1/0), d=192.168.100.2, len 100, stop process pak for forus packet
*Feb 29 10:29:41.831: IP: s=192.168.100.2 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending
*Feb 29 10:29:41.835: IP: s=192.168.100.2 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending full packet
*Feb 29 10:29:41.859: IP: s=192.168.100.200 (FastEthernet1/0), d=192.168.100.2, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
As you can see above, the ISP router sees the packets coming from 192.168.100.200.
7. We had specific translation rules configured for the two subnets above. Let's see what happens if we ping from another subnet, which should only be matched by the ANY NAT rule on the firewall and translated to 192.168.100.201.
Inside#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.12.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.12.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 24/45/84 ms
ISP Router IP Packet Debug Output
*Feb 29 13:56:35.455: IP: tableid=0, s=192.168.100.201 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), routed via RIB
*Feb 29 13:56:35.455: IP: s=192.168.100.201 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), len 100, rcvd 3
*Feb 29 13:56:35.455: IP: s=192.168.100.201 (FastEthernet1/0), d=192.168.100.2, len 100, stop process pak for forus packet
*Feb 29 13:56:35.455: IP: s=192.168.100.2 (local), d=192.168.100.201 (FastEthernet1/0), len 100, sending
*Feb 29 13:56:35.455: IP: s=192.168.100.2 (local), d=192.168.100.201 (FastEthernet1/0), len 100, sending full packet
8. Let's use the ‘show nat’ command to see whether the hit count is still the same or has increased.
ASA1# sh nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Inernal-10.10.10.0 interface
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic Inernal-10.10.11.0 192.168.100.200
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic Inernal-0.0.0.0 192.168.100.201
translate_hits = 2, untranslate_hits = 1