11/9/2014 ASA 8.3 / 8.4 Static NAT Migration Lab Guide - Lab 1.3 - My Tech World
http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-guide-lab-13/ 1/7

Mar 06
ASA 8.3/8.4 NAT Migration Lab Guide Lab 1.3
Categories:
ASA, GNS3, Security
by malikyounas
Main Post
http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-guide/
This lab is part of the series of labs that details how to migrate NAT configurations
from the pre-ASA 8.2 version to ASA 8.3/8.4.
Lab 1.3 Setup
Static NAT, Static Policy NAT, Static NAT with Port Translation,
Many-to-Many Static NAT
Building on what we had before (Lab 1.2), let's add a few more subnets to the Inside router. I have also modified the ASA
config to add routes for these new subnets. The ISP router is also modified to add a route for 14.14.0.0/16 pointing to the firewall
(it is used in NAT Policy requirement 4).
The device configurations and GNS3 topology can be downloaded from the following link if you want to import them
yourself.
http://www.mediafire.com/download.php?bw707i723qao62y
NAT Policy
1. Configure the ASA so that Inside address 13.13.13.1 is mapped to 192.168.100.205, such that any connection requests to
192.168.100.205 are answered by 13.13.13.1.
2. Configure the ASA so that Inside address 13.13.13.1 is translated to 192.168.100.206 when it tries to access 12.12.12.1.
3. Configure the ASA so that Inside address 13.13.14.1 port 80 is mapped as 192.168.100.207 port 80. When someone
from outside tries to access 192.168.100.207 port 80, it will be answered by 13.13.14.1 port 80.
4. Configure a pool of IP addresses to be mapped to a pool of IP addresses of exactly the same size. This makes sure that
each host IP in the source pool is mapped to the same host address in the mapped pool. For example, 13.13.15.1 will be matched with
14.14.14.1, 13.13.15.2 will be matched with 14.14.14.2, and so on.
Pre ASA 8.3 Configuration
1.
static (inside,outside) 192.168.100.205 13.13.13.1 netmask 255.255.255.255
2.
access-list policy-nat permit ip host 13.13.13.1 host 12.12.12.1
static (inside,outside) 192.168.100.206 access-list policy-nat
3.
static (inside,outside) tcp 192.168.100.207 80 13.13.14.1 80 netmask 255.255.255.255
4.
static (inside,outside) 14.14.14.0 13.13.15.0 netmask 255.255.255.0
ASA 8.3/8.4 Configuration
1. Simple enough for a static mapping: we create an object for the source IP and add the nat statement inside the same object.
object network obj-13.13.13.1
host 13.13.13.1
nat (inside,outside) static 192.168.100.205
2. Again we work with objects, one each for the source, destination and mapped addresses. The object for 13.13.13.1 is already
defined, so let's reuse it.
object network obj-192.168.100.206
host 192.168.100.206
object network obj-12.12.12.1
host 12.12.12.1
nat (inside,outside) source static obj-13.13.13.1 obj-192.168.100.206 destination static obj-12.12.12.1 obj-12.12.12.1
3. Again we start with an object for 13.13.14.1 and add the nat statement to it.
object network obj-13.13.14.1
host 13.13.14.1
nat (inside,outside) static 192.168.100.207 service tcp www www
4. Here we will define an object again and then a mapping.
object network obj-13.13.15.0
subnet 13.13.15.0 255.255.255.0
nat (inside,outside) static 14.14.14.0
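The four conversions above follow a fixed pattern, shown here as a small Python converter. This is an added example, not code from the original post: the `migrate` function, its regular expressions and the handling of only these four statement forms are assumptions, and it emits numeric ports (`80`) where the post writes `www`.

```python
import re

# Pre-8.3 forms used in this lab; ports must be numeric, ACLs "host X host Y".
STATIC = re.compile(
    r"static \((\w+),(\w+)\) (?:(tcp|udp) )?(\S+) (?:(\d+) )?"
    r"(?:access-list (\S+)|(\S+)(?: (\d+))?(?: netmask (\S+))?)$")
ACL = re.compile(r"access-list (\S+) permit ip host (\S+) host (\S+)$")
# Constructed input: the four pre-8.3 statements from this lab, list numbers removed.
PRE_83_SAMPLE = """
static (inside,outside) 192.168.100.205 13.13.13.1 netmask 255.255.255.255
access-list policy-nat permit ip host 13.13.13.1 host 12.12.12.1
static (inside,outside) 192.168.100.206 access-list policy-nat
static (inside,outside) tcp 192.168.100.207 80 13.13.14.1 80 netmask 255.255.255.255
static (inside,outside) 14.14.14.0 13.13.15.0 netmask 255.255.255.0
"""

def migrate(old_config):
    """Return 8.3/8.4 object NAT / twice NAT lines for pre-8.3 static lines."""
    acls, defined, has_auto_nat, out = {}, set(), set(), []
    def obj(addr, mask="255.255.255.255"):
        name = f"obj-{addr}"  # naming convention used in the lab
        if name not in defined:  # emit each object definition only once
            defined.add(name)
            kind = f"host {addr}" if mask == "255.255.255.255" else f"subnet {addr} {mask}"
            out.extend([f"object network {name}", f" {kind}"])
        return name
    for line in filter(None, map(str.strip, old_config.splitlines())):
        if m := ACL.match(line):
            acls[m[1]] = (m[2], m[3])  # remember source/destination for policy NAT
            continue
        if not (m := STATIC.match(line)):
            raise ValueError(f"unsupported line: {line}")
        real_if, mapped_if, proto, mapped, mport, acl, real, rport, mask = m.groups()
        if acl:  # policy static -> twice NAT, destination translated to itself
            s, mp, d = obj(acls[acl][0]), obj(mapped), obj(acls[acl][1])
            out.append(f"nat ({real_if},{mapped_if}) source static {s} {mp} "
                       f"destination static {d} {d}")
            continue
        name = obj(real, mask or "255.255.255.255")  # assumption: no netmask = host
        if name in has_auto_nat:  # a network object holds only one nat statement
            raise ValueError(f"{name} already has an object NAT rule")
        has_auto_nat.add(name)
        if out[-2] != f"object network {name}":  # defined earlier: re-enter the object
            out.append(f"object network {name}")
        svc = f" service {proto} {rport} {mport}" if proto else ""  # real port, then mapped
        out.append(f" nat ({real_if},{mapped_if}) static {mapped}{svc}")
    return out
if __name__ == "__main__":
    print("\n".join(migrate(PRE_83_SAMPLE)))
```

The twice NAT line is a manual NAT rule, which the ASA evaluates before the Auto NAT (Section 2) rules, so 13.13.13.1 is translated to 192.168.100.206 only when the destination is 12.12.12.1.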
Verification:
1. Use show run object to see which objects are part of the running config. I have included only the relevant objects in the
output.
ASA1# sh run object
Output Omitted
object network obj-13.13.13.1
host 13.13.13.1
object network obj-192.168.100.206
host 192.168.100.206
object network obj-12.12.12.1
host 12.12.12.1
object network obj-13.13.14.1
host 13.13.14.1
object network obj-13.13.15.0
subnet 13.13.15.0 255.255.255.0
2. Use show run nat to see what NAT statements are configured.
ASA1# sh run nat
Output Omitted
nat (inside,outside) source static obj-13.13.13.1 obj-192.168.100.206 destination static obj-12.12.12.1 obj-12.12.12.1
Output Omitted
object network obj-13.13.13.1
nat (inside,outside) static 192.168.100.205
object network obj-13.13.14.1
nat (inside,outside) static 192.168.100.207 service tcp www www
object network obj-13.13.15.0
nat (inside,outside) static 14.14.14.0
3. Use the show nat command to see which NAT translations are in use and the hits against them.
ASA1# sh nat
Output Omitted
4 (inside) to (outside) source static obj-13.13.13.1 obj-192.168.100.206 destination static obj-12.12.12.1 obj-12.12.12.1
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj-13.13.13.1 192.168.100.205
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static obj-13.13.14.1 192.168.100.207 service tcp www www
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static obj-13.13.15.0 14.14.14.0
translate_hits = 0, untranslate_hits = 0
Output Omitted
4. To verify NAT policy 1, ping from the ISP router to 192.168.100.205; it should be translated to 13.13.13.1 when it hits
the Inside router.
ISP#ping 192.168.100.205
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.205, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/43/100 ms
*Mar 6 13:57:44.223: IP: tableid=0, s=192.168.100.2 (FastEthernet1/0), d=13.13.13.1 (Loopback13), routed via RIB
*Mar 6 13:57:44.227: IP: s=192.168.100.2 (FastEthernet1/0), d=13.13.13.1, len 100, rcvd 4
*Mar 6 13:57:44.231: IP: s=192.168.100.2 (FastEthernet1/0), d=13.13.13.1, len 100, stop process pak for forus packet
*Mar 6 13:57:44.235: IP: s=13.13.13.1 (local), d=192.168.100.2 (FastEthernet1/0), len 100, sending
*Mar 6 13:57:44.235: IP: s=13.13.13.1 (local), d=192.168.100.2 (FastEthernet1/0), len 100, sending full packet
*Mar 6 13:57:44.243: IP: s=192.168.100.2 (FastEthernet1/0), d=13.13.13.1, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendsel
Inside#f FALSE, mtu 0, fwdchk FALSE
5. To verify NAT Policy item 2, use an extended ping from the Inside router with source IP address 13.13.13.1 and
destination 12.12.12.1. On the ISP router, however, you should see packets coming from the mapped IP 192.168.100.206.
Inside#ping
Protocol [ip]:
Target IP address: 12.12.12.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 13.13.13.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.1, timeout is 2 seconds:
Packet sent with a source address of 13.13.13.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/39/112 ms
*Mar 6 14:43:50.494: IP: tableid=0, s=192.168.100.206 (FastEthernet1/0), d=12.12.12.1 (Loopback0), routed via RIB
*Mar 6 14:43:50.498: IP: s=192.168.100.206 (FastEthernet1/0), d=12.12.12.1, len 100, rcvd 4
*Mar 6 14:43:50.498: IP: s=192.168.100.206 (FastEthernet1/0), d=12.12.12.1, len 100, stop process pak for forus packet
*Mar 6 14:43:50.498: IP: s=12.12.12.1 (local), d=192.168.100.206 (FastEthernet1/0), len 100, sending
*Mar 6 14:43:50.498: IP: s=12.12.12.1 (local), d=192.168.100.206 (FastEthernet1/0), len 100, sending full packet
*Mar 6 14:43:50.510: IP: s=192.168.100.206 (FastEthernet1/0), d=12.12.12.1, len 100, input feature
ISP#, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
6. To verify NAT Policy 3: we are not doing any tests, as I am using routers as the source and can't use a browser on these.
7. To verify NAT Policy 4, use an extended ping from the Inside router with source 13.13.15.1 to the ISP router; it should be
translated to 14.14.14.1. Now change the IP of the loopback interface from 13.13.15.1 to 13.13.15.2 and run the extended ping
again; this time it should be translated to 14.14.14.2.
Inside#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 13.13.15.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 13.13.15.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/28/72 ms
On ISP Router
*Mar 6 19:18:56.119: IP: tableid=0, s=14.14.14.1 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), routed via RIB
*Mar 6 19:18:56.119: IP: s=14.14.14.1 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), len 100, rcvd 3
*Mar 6 19:18:56.119: IP: s=14.14.14.1 (FastEthernet1/0), d=192.168.100.2, len 100, stop process pak for forus packet
*Mar 6 19:18:56.119: IP: s=192.168.100.2 (local), d=14.14.14.1 (FastEthernet1/0), len 100, sending
*Mar 6 19:18:56.119: IP: s=192.168.100.2 (local), d=14.14.14.1 (FastEthernet1/0), len 100, sending full packet
Try again with 13.13.15.2
Inside#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 13.13.15.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 13.13.15.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/30/60 ms
*Mar 6 19:20:21.279: IP: s=14.14.14.2 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), len 100, rcvd 3
*Mar 6 19:20:21.279: IP: s=14.14.14.2 (FastEthernet1/0), d=192.168.100.2, len 100, stop process pak for forus packet
*Mar 6 19:20:21.279: IP: s=192.168.100.2 (local), d=14.14.14.2 (FastEthernet1/0), len 100, sending
*Mar 6 19:20:21.279: IP: s=192.168.100.2 (local), d=14.14.14.2 (FastEthernet1/0), len 100, sending full packet
*Mar 6 19:20:21.299: IP: s=14.14.14.2 (FastEtherne