Sie sind auf Seite 1von 7

11/9/2014 ASA 8.3 / 8.

4 Double NAT / Source Destination NAT - My Tech World


http://www.xerunetworks.com/2012/03/asa-8-38-4-double-natsource-destination-nat-migration-lab-guide-lab-1-4/ 1/7

Search Search
XeruNetworks
Its all about networks
GNS3
Security
ASA
VPN
Routing & Switching
EIGRP
Stackwise
Tips
Voice
Call Manager
CME
Licencing
Wireless

ASA 8.3/8.4 NAT Migration Lab Guide Lab 1.3
Telnet to Router Interface from outside
Mar 13
ASA 8.3 / 8.4 Double NAT / Source Destination NAT
Migration Lab Guide Lab 1.4
Categories:
ASA, GNS3, Security
by malikyounas
Main Post
http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-guide/
This lab is part of the series of LAB which details how migrate NAT configurations
from Pre ASA 8.2 version to ASA 8.3/8.4
Lab1.3 Setup
Double NAT/Source Destination NAT
We will start with a fresh LAB, not building on what we had before because the old
config/topology was getting too much complex now.
The device configurations and GNS3 Topology can be downloaded from the the following link if you want it to import it
for yourself.
http://www.mediafire.com/download.php?u39jm62tlg1ha1z
11/9/2014 ASA 8.3 / 8.4 Double NAT / Source Destination NAT - My Tech World
http://www.xerunetworks.com/2012/03/asa-8-38-4-double-natsource-destination-nat-migration-lab-guide-lab-1-4/ 2/7
NAT Policy
Outgoing
Source Sourced Mapped Destination Destination Mapped
10.10.10.1 192.168.100.200 192.168.0.200 12.12.12.1
Incoming
Source Sourced Mapped Destination Destination Mapped
12.12.12.1 192.168.0.200 192.168.100.200 10.10.10.1

1. Configure ASA for Inside address 10.10.10.1 such that when it tries to access 192.168.0.200, the NAT comes into
action and translates sources (10.10.10.1) address to 192.168.100.200 and destination address(192.168.0.200) to
12.12.12.1. The same way when outside address 12.12.12.1 tries to access 192.168.100.200, the NAT is here again
and translates source address(12.12.12.1) to 192.168.0.200 and destination address(192.168.1000.200) to
10.10.10.1
Pre ASA 8.3 Configuration
1.
access-list out-nat permit ip host 10.10.10.1 host 192.168.0.200
access-list in-nat permit ip host 12.12.12.1 host 192.168.100.200
static (inside,outside) 192.168.100.200 access-list out-nat
static (outside,inside) 192.168.0.200 access-list in-nat
ASA 8.3/8.4 Configuration
1. Again start object configuration for each IP address and then use the nat statement which will do all translations
(in/out) in one statement.
object network obj-outreal-12.12.12.1
host 12.12.12.1
object network obj-outmapped-192.168.100.200
host 192.168.100.200
object network obj-inreal-10.10.10.1
host 10.10.10.1
object network obj-inmapped-192.168.0.200
host 192.168.0.200
nat (inside,outside) source static obj-inreal-10.10.10.1 obj-outmapped-192.168.100.200 destination static obj-
inmapped-192.168.0.200 obj-outreal-12.12.12.1
Verification
1. Use show run object to check the objects that we configured
ASA1# sh run object
object network obj-outreal-12.12.12.1
host 12.12.12.1
object network obj-outmapped-192.168.100.200
host 192.168.100.200
11/9/2014 ASA 8.3 / 8.4 Double NAT / Source Destination NAT - My Tech World
http://www.xerunetworks.com/2012/03/asa-8-38-4-double-natsource-destination-nat-migration-lab-guide-lab-1-4/ 3/7
object network obj-inreal-10.10.10.1
host 10.10.10.1
object network obj-inmapped-192.168.0.200
host 192.168.0.200
2. Use show run nat to verify the NAT configuration
ASA1# sh run nat
nat (inside,outside) source static obj-inreal-10.10.10.1 obj-outmapped-192.168.100.200 destination static obj-
inmapped-192.168.0.200 obj-outreal-12.12.12.1
3. Use show nat to check the hits against rule
ASA1# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static obj-inreal-10.10.10.1 obj-outmapped-192.168.100.200 destination static
obj-inmapped-192.168.0.200 obj-outreal-12.12.12.1
translate_hits = 0, untranslate_hits = 0
4. Lets use extended ping from 10.10.10.1 to 192.168.0.200, we will enable debug ip packet both on Inside and ISP
router to see source and destination IP addresses.
Inside#ping
Protocol [ip]:
Target IP address: 192.168.0.200
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.200, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/48/92 ms
Inside#
Inside#
Inside#
*Mar 12 15:19:15.986: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:19:15.986: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending full
packet
*Mar 12 15:19:16.078: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, input feature, MCI
Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 15:19:16.078: IP: tableid=0, s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1 (Loopback0), routed
via RIB
*Mar 12 15:19:16.078: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, rcvd 4
*Mar 12 15:19:16.078: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, stop process pak for
forus packet
*Mar 12 15:19:16.078: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:19:16.078: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending full
packet
*Mar 12 15:19:16.098: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10

Let see what ISP router thinks
*Mar 12 15:19:16.138: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, input feature, MCI
Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 15:19:16.142: IP: tableid=0, s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1 (Loopback0), routed
via RIB
*Mar 12 15:19:16.146: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, rcvd 4
*Mar 12 15:19:16.150: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, stop process pak for
forus packet
*Mar 12 15:19:16.154: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:19:16.158: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending full
packet
*Mar 12 15:19:16.178: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, input feature
11/9/2014 ASA 8.3 / 8.4 Double NAT / Source Destination NAT - My Tech World
http://www.xerunetworks.com/2012/03/asa-8-38-4-double-natsource-destination-nat-migration-lab-guide-lab-1-4/ 4/7
ISP#, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
As you can see above inside router thinks its pining 192.168.0.200 and reply is coming from the same IP. The same way
ISP router thinks ping request is coming from 192.168.1000.200 and is replying to same.
5. Now, try the same from ISP router
ISP#ping
Protocol [ip]:
Target IP address: 192.168.100.200
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 12.12.12.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.200, timeout is 2 seconds:
Packet sent with a source address of 12.12.12.1
!!!!
*Mar 12 15:25:52.686: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:25:52.690: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending full
packet
*Mar 12 15:25:52.786: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, input feature, MCI
Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 15:25:52.786: IP: tableid=0, s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1 (Loopback0), routed
via RIB
*Mar 12 15:25:52.786: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, rcvd 4
*Mar 12 15:25:52.786: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, stop process pak for
forus packet
*Mar 12 15:25:52.786: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:25:52.786: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending full
packet
*Mar 12 15:25:52.822: IP: s=192.168.100.200 (FastEther!
Let see what Inside router thinks of it
*Mar 12 15:25:52.870: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, input feature, MCI
Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 15:25:52.874: IP: tableid=0, s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1 (Loopback0), routed
via RIB
*Mar 12 15:25:52.878: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, rcvd 4
*Mar 12 15:25:52.882: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, stop process pak for
forus packet
*Mar 12 15:25:52.882: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:25:52.882: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending full
packet
*Mar 12 15:25:52.894: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, input feature, MCI
Check(64), rtype 0, forus FALSE, sendself FA
Inside#LSE, mtu 0, fwdchk FALSE
As you can see from the output above that Inside router is getting ping request from 192.168.0.200 and its replying to
same
6. We have hits against NAT rule confirming the same
ASA1# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static obj-inreal-10.10.10.1 obj-outmapped-192.168.100.200 destination static
obj-inmapped-192.168.0.200 obj-outreal-12.12.12.1
translate_hits = 2, untranslate_hits = 2
Related Posts
ASA 8.3/8.4 NAT Migration Lab Guide
Curso Cisco CCNA Voice
capacityacademy.com/CCNA-VOICE
Certifcate en VoiP, Hazte Experto. Paga en Moneda Local Infrmate Ya!
11/9/2014 ASA 8.3 / 8.4 Double NAT / Source Destination NAT - My Tech World
http://www.xerunetworks.com/2012/03/asa-8-38-4-double-natsource-destination-nat-migration-lab-guide-lab-1-4/ 5/7
Share this:
Like this:
Cisco ASA 8.4 on GNS3
Site to Site VPN without NAT L2L IPSec VPN
Cisco ASA Concurrent Auth Proxy Connection Limit
EIGRP Delay Settings
Loading...
2 comments
1 ping
1.
uniqdot
November 20, 2013 at 7:53 pm (UTC 1)
Reply
Hi. Can I use that technic to solve this or do I need something else?
HQ is connected to Partner and Co-location through site to site VPN (with two diffrent tunnels). Co-location is
connected to the HQ through site-2-site VPN.
HQ:
Co-location:
Partner:
Basically what I want to achieve is to do the following:
All traffic from co-location with destination to Partner should go through HQ and the source IP needs to be
changed. So it looks like that the traffic is originates from the HQ dmz zone on the Partner side.
How can I achieve that?
2.
rick
January 8, 2013 at 8:01 am (UTC 1)
Reply
I found this the other day, it also has some good information for wanting to learn twice nat
http://www.fir3net.com/Cisco-ASA/cisco-asa-twice-nat.html
1. ASA 8.3/8.4 NAT Migration Lab Guide - My Tech World My Tech World
March 13, 2012 at 8:32 pm (UTC 1) Link to this comment
Reply
[...] LAB 1.4 - Double NAT/Source Destination NAT [...]
Leave a Reply
Enter your comment here...
Search Search
Recent Posts
Converting Prompts for UCCX 7
Duplex Mismatch How varying
Duplex/Speed settings can effect connectivity?
Like

11/9/2014 ASA 8.3 / 8.4 Double NAT / Source Destination NAT - My Tech World
http://www.xerunetworks.com/2012/03/asa-8-38-4-double-natsource-destination-nat-migration-lab-guide-lab-1-4/ 6/7
Dont span high volume traffic to WS-X6548-
GE-TX or WS-X6148-GE-TX
oversubscribed line cards
Outlook.com Dont change your primary
email address and how to revert back if you
already did
Best Email App for Android ICS
Popular Posts
Cisco ASA 8.4 on GNS3 1,166,698 views
ASA 8.4 with ASDM on GNS3 Step by
Step Guide 681,356 views
Connect GNS3 Network to Real
Networks / Other GNS3 Network 162,097 views
Cisco 5508 WLC Configuration LAB
WPA2, Guest Access, FlexConnect (aka H-
REAP) 157,667 views
Outlook.com Don't change your primary
email address and how to revert back if you
already did 146,970 views
Sponsored Links
Categories
ASA
CME
EIGRP
GNS3
Licencing
Routing & Switching
Security
Stackwise
Tips
Uncategorized
Voice
VPN
Wireless
Archives
November 2012
August 2012
June 2012
May 2012
March 2012
February 2012
January 2012
December 2011
September 2011
August 2011
June 2011
March 2011
February 2011
November 2010
October 2010
July 2010
11/9/2014 ASA 8.3 / 8.4 Double NAT / Source Destination NAT - My Tech World
http://www.xerunetworks.com/2012/03/asa-8-38-4-double-natsource-destination-nat-migration-lab-guide-lab-1-4/ 7/7
June 2010
May 2010
Recent Comments
Leonard Hopkins on ASA 8.3/8.4 NAT
Migration Lab Guide
Leonard Hopkins on ASA 8.3/8.4 NAT
Migration Lab Guide
Jim on ASA 8.4 with ASDM on GNS3
Step by Step Guide
peter on ASA 8.4 with ASDM on GNS3
Step by Step Guide
win on Cisco ASA 8.4 on GNS3
Blog Calendar
March 2012
M T W T F S S
Feb May
1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31
Meta
Log in
Entries RSS
Comments RSS
WordPress.org
Subscribe to Blog via Email
Enter your email address to subscribe to this blog
and receive notifications of new posts by email.
Email Address
Subscribe
Copyright
2014 XeruNetworks.
Return to top
Powered by WordPress and the Graphene Theme.