ASA 8.3/8.4 NAT Migration Lab Guide – Lab 1.1
This
lab is part of the series of LAB which details how migrate NAT configurations
from Pre ASA 8.2 version to ASA 8.3/8.4
Lab1.1 Setup
Lab1.1 Setup
Dynamic
Policy NAT / PAT
Building
on what we had before lets add one more router to the picture and consider this
as DMZ. We will also configure policy NAT for DMZ subnet such that it chooses a
different IP address based on the destination.
The
device configurations and GNS3 Topology can be downloaded from the the
following link if you want it to import it for yourself.
NAT Policy
1. Configure ASA for DMZ network such that when subnet 11.11.11.0/24
tries to ping ISP router it uses a public address 192.168.100.202.
2. Configure ASA for DMZ network such that when subnet 11.11.11.0/24 tries to ping Inside router it uses IP address 192.168.0.202
2. Configure ASA for DMZ network such that when subnet 11.11.11.0/24 tries to ping Inside router it uses IP address 192.168.0.202
Pre ASA 8.3 Configuration
access-list
POLICY-NAT-ACL-11 permit ip 11.11.11.0 255.255.255.0 192.168.0. 255.255.255.0
access-list POLICY-NAT-ACL-11 permit ip 11.11.11.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list POLICY-NAT-ACL-11 permit ip 11.11.11.0 255.255.255.0 192.168.100.0 255.255.255.0
nat
(dmz) 1 access-list POLICY-NAT-ACL-11
global (outside) 1 192.168.100.202
global (inside) 1 192.168.0.202
global (outside) 1 192.168.100.202
global (inside) 1 192.168.0.202
ASA 8.3/8.4 Configuration
1. First
we need to create network objects for source subnet. Then we need to create
object for destination subnet and finally we need to create to objects for
addresses which will be used for translation. So, lets start with 11.11.11.0/24
object
network DMZ-Source-11.11.11.0
subnet 11.11.11.0 255.255.255.0
subnet 11.11.11.0 255.255.255.0
object
network DMZ-Destination-192.168.100.0
subnet 192.168.100.0 255.255.255.0
subnet 192.168.100.0 255.255.255.0
object
network obj-192.168.100.202
host 192.168.100.202
host 192.168.100.202
2. We
use the following NAT statement such that NAT is performed if subnet 11.11.11.0
tries to access ISP.
nat
(dmz,outside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.100.202
destination static DMZ-Destination-192.168.100.0 DMZ-Destination-192.168.100.0
3. Now
becuase the source subnet is going to remain the remain, we just need a new
object to define the NAT address and destination subnet
object
network DMZ-Destination-192.168.0.0
subnet 192.168.0.0 255.255.255.0
subnet 192.168.0.0 255.255.255.0
object
network obj-192.168.0.202
host 192.168.0.202
host 192.168.0.202
4. Here
is the NAT statement for subnet 11.11.11.0/24 when it tried to access subnets
on the Inside router.
nat
(dmz,inside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.0.202
destination static DMZ-Destination-192.168.0.0 DMZ-Destination-192.168.0.0
Verification
1. Use
'show run object' will show the objects that we created in step 1 & 3
Output:
ASA1# sh run object
object network Inernal-10.10.10.0
subnet 10.10.10.0 255.255.255.0
object network Inernal-10.10.11.0
subnet 10.10.11.0 255.255.255.0
object network Inernal-0.0.0.0
subnet 0.0.0.0 0.0.0.0
object network DMZ-Source-11.11.11.0
subnet 11.11.11.0 255.255.255.0
object network DMZ-Destination-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network obj-192.168.100.202
host 192.168.100.202
object network DMZ-Destination-192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network obj-192.168.0.202
host 192.168.0.202
Output:
ASA1# sh run object
object network Inernal-10.10.10.0
subnet 10.10.10.0 255.255.255.0
object network Inernal-10.10.11.0
subnet 10.10.11.0 255.255.255.0
object network Inernal-0.0.0.0
subnet 0.0.0.0 0.0.0.0
object network DMZ-Source-11.11.11.0
subnet 11.11.11.0 255.255.255.0
object network DMZ-Destination-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network obj-192.168.100.202
host 192.168.100.202
object network DMZ-Destination-192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network obj-192.168.0.202
host 192.168.0.202
2. Use
'show run nat' to get the NAT statements used in the running config
ASA1# sh run nat
nat (DMZ,outside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.100.202 destination static DMZ-Destination-192.168.100.0 DMZ-Destination-192.168.100.0
nat (DMZ,inside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.0.202 destination static DMZ-Destination-192.168.0.0 DMZ-Destination-192.168.0.0
!
object network Inernal-10.10.10.0
nat (inside,outside) dynamic interface
object network Inernal-10.10.11.0
nat (inside,outside) dynamic 192.168.100.200
object network Inernal-0.0.0.0
nat (inside,outside) dynamic 192.168.100.201
ASA1# sh run nat
nat (DMZ,outside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.100.202 destination static DMZ-Destination-192.168.100.0 DMZ-Destination-192.168.100.0
nat (DMZ,inside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.0.202 destination static DMZ-Destination-192.168.0.0 DMZ-Destination-192.168.0.0
!
object network Inernal-10.10.10.0
nat (inside,outside) dynamic interface
object network Inernal-10.10.11.0
nat (inside,outside) dynamic 192.168.100.200
object network Inernal-0.0.0.0
nat (inside,outside) dynamic 192.168.100.201
3. Use
'show nat' to see the translations performed
ASA1# sh nat
Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.100.202 destination static DMZ-Destination-192.168.100.0 DMZ-Destination-192.168.100.0
translate_hits = 0, untranslate_hits = 0
2 (DMZ) to (inside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.0.202 destination static DMZ-Destination-192.168.0.0 DMZ-Destination-192.168.0.0
translate_hits = 0, untranslate_hits = 0
ASA1# sh nat
Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.100.202 destination static DMZ-Destination-192.168.100.0 DMZ-Destination-192.168.100.0
translate_hits = 0, untranslate_hits = 0
2 (DMZ) to (inside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.0.202 destination static DMZ-Destination-192.168.0.0 DMZ-Destination-192.168.0.0
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section
2)
1 (inside) to (outside) source dynamic Inernal-10.10.10.0 interface
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic Inernal-10.10.11.0 192.168.100.200
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic Inernal-0.0.0.0 192.168.100.201
translate_hits = 0, untranslate_hits = 0
1 (inside) to (outside) source dynamic Inernal-10.10.10.0 interface
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic Inernal-10.10.11.0 192.168.100.200
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic Inernal-0.0.0.0 192.168.100.201
translate_hits = 0, untranslate_hits = 0
Now
we have verified that components are in place let start verifciation on the
devices
4. On
ISP router use command 'debug ip packets' to get an idea what IP address ISP
sees when a packet hits its interface
5. Use extended ping from DMZ router as following to verify the first rule. Now ISP router should see the IP (192.168.100.202) as a source of ping. However, as we configured and we know that the real source is the Loopback0 Interface IP on ther DMZ Router.
5. Use extended ping from DMZ router as following to verify the first rule. Now ISP router should see the IP (192.168.100.202) as a source of ping. However, as we configured and we know that the real source is the Loopback0 Interface IP on ther DMZ Router.
DMZ#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 11.11.11.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/36/72 ms
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 11.11.11.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/36/72 ms
ISP
Router IP Packet Debug Output
*Mar 1 08:50:44.227:
IP: tableid=0, s=192.168.100.202 (FastEthernet1/0), d=192.168.100.2
(FastEthernet1/0), routed via RIB
*Mar 1 08:50:44.227: IP: s=192.168.100.202 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), len 100, rcvd 3
*Mar 1 08:50:44.231: IP: s=192.168.100.202 (FastEthernet1/0), d=192.168.100.2, len 100, stop process pak for forus packet
*Mar 1 08:50:44.231: IP: s=192.168.100.2 (local), d=192.168.100.202 (FastEthernet1/0), len 100, sending
*Mar 1 08:50:44.231: IP: s=192.168.100.2 (local)
ISP#, d=192.168.100.202 (FastEthernet1/0), len 100, sending full packet
*Mar 1 08:50:44.227: IP: s=192.168.100.202 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), len 100, rcvd 3
*Mar 1 08:50:44.231: IP: s=192.168.100.202 (FastEthernet1/0), d=192.168.100.2, len 100, stop process pak for forus packet
*Mar 1 08:50:44.231: IP: s=192.168.100.2 (local), d=192.168.100.202 (FastEthernet1/0), len 100, sending
*Mar 1 08:50:44.231: IP: s=192.168.100.2 (local)
ISP#, d=192.168.100.202 (FastEthernet1/0), len 100, sending full packet
6. Now
lets try again but this time with different destinatio IP. This time we will
use Loopback0 to ping Inside Router interface and it should be translated with
IP 192.168.0.2002. Let try that and see what Iinside router thinks the packets
coming from
DMZ#ping
Protocol [ip]:
Target IP address: 192.168.0.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 11.11.11.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/32/72 ms
Protocol [ip]:
Target IP address: 192.168.0.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 11.11.11.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/32/72 ms
Inside
Router IP Packet Debug Output
*Mar 1 08:53:05.867: IP: tableid=0, s=192.168.0.202 (FastEthernet1/0), d=192.168.0.2 (FastEthernet1/0), routed via RIB
*Mar 1 08:53:05.867: IP: s=192.168.0.202 (FastEthernet1/0), d=192.168.0.2 (FastEthernet1/0), len 100, rcvd 3
*Mar 1 08:53:05.867: IP: s=192.168.0.202 (FastEthernet1/0), d=192.168.0.2, len 100, stop process pak for
*Mar 1 08:53:05.867: IP: tableid=0, s=192.168.0.202 (FastEthernet1/0), d=192.168.0.2 (FastEthernet1/0), routed via RIB
*Mar 1 08:53:05.867: IP: s=192.168.0.202 (FastEthernet1/0), d=192.168.0.2 (FastEthernet1/0), len 100, rcvd 3
*Mar 1 08:53:05.867: IP: s=192.168.0.202 (FastEthernet1/0), d=192.168.0.2, len 100, stop process pak for
8. Let
use the 'show nat' command to see if the hit count is still is same or
increased
Manual NAT Policies
(Section 1)
1 (DMZ) to (outside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.100.202 destination static DMZ-Destination-192.168.100.0 DMZ-Destination-192.168.100.0
translate_hits = 2, untranslate_hits = 2
2 (DMZ) to (inside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.0.202 destination static DMZ-Destination-192.168.0.0 DMZ-Destination-192.168.0.0
translate_hits = 1, untranslate_hits = 1
1 (DMZ) to (outside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.100.202 destination static DMZ-Destination-192.168.100.0 DMZ-Destination-192.168.100.0
translate_hits = 2, untranslate_hits = 2
2 (DMZ) to (inside) source dynamic DMZ-Source-11.11.11.0 obj-192.168.0.202 destination static DMZ-Destination-192.168.0.0 DMZ-Destination-192.168.0.0
translate_hits = 1, untranslate_hits = 1
Auto NAT Policies (Section
2)
1 (inside) to (outside) source dynamic Inernal-10.10.10.0 interface
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic Inernal-10.10.11.0 192.168.100.200
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic Inernal-0.0.0.0 192.168.100.201
translate_hits = 0, untranslate_hits = 0
1 (inside) to (outside) source dynamic Inernal-10.10.10.0 interface
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic Inernal-10.10.11.0 192.168.100.200
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic Inernal-0.0.0.0 192.168.100.201
translate_hits = 0, untranslate_hits = 0
So,
this lab ends with successfull implementation of policy NAT where we
demonstrated that NAT is performed based on the source and destination IP
address.
This comment has been removed by the author.
ReplyDeleteHi tlan12. Thank you very much for all lab.
ReplyDeletei want config Squid Proxy authenticate with Windows Domain.
You can help me ?
thanks.