
Troubleshoot Topology:

ASA NAT:

8.2:

1. In ASA 8.2 we must give the nat-control command for NAT to operate.
2. If we do not give nat-control, it does not perform NAT.
3. Here we do dynamic NAT as shown below. It has NAT ID 1 between the inside and the outside
global address; this ID must match in both statements.

4. When a user goes to the internet, the ASA checks the NAT statement first and then the route. In this topology
we have a static route configured for the outside.
5. PAT: if we want many-to-one PAT, we use the command as follows:

nat (inside) 1 10.0.0.0 255.255.255.0

6. If we want access from inside to the DMZ, we use PAT to the DMZ interface address (global with the
interface keyword) or to a dedicated IP address, as shown below:

global (dmz) 1 172.16.0.50

7. We should not perform NAT between the site-to-site tunnel endpoints, as shown below:
8. In this case we use the nat 0 command:

9. Static NAT: if the DMZ server needs to communicate with the internet, then:

static (real_ifc,mapped_ifc) mapped_ip real_ip

10. Identity NAT: it does not change any of the addressing, because no NAT is required from inside to
inside.
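The 8.2 configuration behind steps 1 to 10, written out as one added example; this is not the document's own configuration. Only the 10.0.0.0/24 inside network, NAT ID 1 and the 172.16.0.50 DMZ global address come from the notes; the interface names, the DMZ server addresses 172.16.0.10 and 203.0.113.10, the remote tunnel network 192.168.50.0/24 and the ACL names are assumptions.

```cisco
! ASA 8.2 NAT example (added; all addresses other than 10.0.0.0/24 and 172.16.0.50 are assumed)
nat-control
!
! Steps 3 and 5: many-to-one dynamic PAT. NAT ID 1 ties the nat and global statements together.
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
!
! Step 6: the same NAT ID with a global on the DMZ gives inside-to-DMZ PAT,
! either to the DMZ interface address (global (dmz) 1 interface) or to a dedicated address.
global (dmz) 1 172.16.0.50
!
! Steps 7 and 8: NAT exemption for the site-to-site tunnel (192.168.50.0/24 is the assumed remote LAN).
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Step 9: static NAT so the DMZ server (assumed real 172.16.0.10) is reachable as 203.0.113.10 outside.
! Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip
static (dmz,outside) 203.0.113.10 172.16.0.10 netmask 255.255.255.255
!
! The server still needs an inbound ACL on the outside interface; in 8.2 the ACL matches the MAPPED address.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-group OUTSIDE_IN in interface outside
!
! Step 10: identity NAT (nat 0 without an ACL, or a static with the same real and mapped address)
! would leave an address untranslated. It is deliberately not added here, because for 10.0.0.0/24
! it would override the dynamic rules above.
!
! Verification
show nat
show xlate
```

The order of precedence is the point of the example: the nat 0 exemption wins over the dynamic rule for tunnel traffic, the static wins for the DMZ server, and everything else from 10.0.0.0/24 falls through to PAT.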
8.2 NAT:
1. In 8.3 we need to specify an inbound ACL on the outside interface for static NAT, as shown below:
2. Here we should use the global (mapped) address for the server.
3. What if the server is mapped on 5 interfaces?

Here, every time we need an ACL entry to allow a new service to this machine. In 8.2 there
is no such complicated stuff.

4. In 8.3 we reference the server object itself in the ACL to allow traffic.


1. Dynamic NAT:

Steps:

1. First create the interfaces as shown below: inside, outside, DMZ.

2. By default, the NAT rules are:
3. Click on Add, as shown below, for Auto NAT:

4. Create a dynamic NAT for many-to-one:

5. Click on the object button to give the translated object:

6. Click on Add, then select Network Object:
7. Give the IP addresses and click OK:

8. Then select it by double-clicking on it:

9. Click OK.

10. Here we got the CLI configs:

11. Here we checked the output:

12. If we want to create a NAT from inside to outside and from inside to DMZ, then delete the old NAT as
shown below and create a new NAT rule:

13. Delete the old one:

14. Create a new rule as below:

15. Go to Objects and double-click on it:

16. Click on the object:
17. Select the outside pool and click OK.

18. Then click on the Advanced option:

19. Select inside to any, because we are going from inside to any:

20. Click Apply and refer to the CLI:

21. Verify the output:
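The CLI that ASDM generates for steps 1 to 21, as an added example rather than the notes' own screenshots. The 10.0.0.0/24 inside network is taken from the 8.2 section; the object names and the 203.0.113.20-30 pool range are assumptions.

```cisco
! ASA 8.3+ object (auto) NAT example (added; object names and pool range are assumed)
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
 ! Steps 4-10: many-to-one dynamic PAT from inside to outside using the outside interface address
 nat (inside,outside) dynamic interface
!
! Steps 12-20: replace the rule so that it applies from inside to ANY interface (outside and DMZ)
! and translates to a pool of outside addresses instead of the interface address.
object network OUTSIDE-POOL
 range 203.0.113.20 203.0.113.30
object network INSIDE-NET
 no nat (inside,outside) dynamic interface
 nat (inside,any) dynamic OUTSIDE-POOL
!
! Step 21: verify the rule (section 2, object NAT) and the live translations
show nat
show xlate
```

An object can carry only one nat statement, which is why ASDM makes you delete the old rule first (step 13) instead of editing it in place.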


Manual NAT:
1. From inside to outside, only one-to-one mapping.

2. Here click on the first rule:

3. Specify the source address: create a new object:

4. Click OK. Double-click and select it.

5. Click OK, then create an object for the outside interface:

6. Create an object for outside:

7. Create an object for the outside router IP:

8. Double-click to select:

9. Click OK.
10. Click on Next and select the translated packet source address.

11. Add a network object for the source address:

12. Map the global address:

13. Double-click and select it:

14. Click OK.

It says: if traffic comes in on the inside interface going to the outside interface, and the source address is Keith's
IP going to the destination address of R2's real address, then it uses static NAT to swap Keith's address out for the global
address.

15. Click OK and preview the CLI commands:

16. Here we got the manual rules first, as shown below:
17. To verify the output, make a telnet connection to the router; it translates to 101:

18. Here in the router we got the translated address:

19. Press the down arrow to place the manual NAT after the auto NAT:
20. We got the output as:

21. Here we have section 3 in the output:

22. Verify the auto NAT output:

23. Now revert the changes by clicking the up arrow:

24. Now we got the reverted changes:


1. To merge the two IP addresses of different sites we use destination NAT as shown below: swap
out the source address and the destination address.

2. Here we are changing both the source and the destination IP addresses: twice NAT.
3. Add the rule as:

4. Make a destination object called Bogus:

5. Specify the bogus object and click OK.

6. Click OK and give a NATed IP object as:

7. Click OK and specify the object:
8. Create the rule and click OK.

9. Preview the commands:

10. Arrange the rules and verify the output:
11. Now we have 3 beautiful rules:
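The manual (twice) NAT rules behind the "Manual NAT" steps 1 to 24 and the destination NAT steps 1 to 11 above, written out as one added example; this is not the CLI the notes previewed. Every object name and address in it is an assumption (Keith's host as 10.0.0.5, its global address 203.0.113.101 chosen to end in .101 like the notes' translation, R2 as 203.0.113.2, the bogus destination 10.99.99.10 and the real remote host 192.168.2.10).

```cisco
! Manual NAT example for ASA 8.3+ (added; all names and addresses are assumed)
object network KEITH
 host 10.0.0.5
object network KEITH-GLOBAL
 host 203.0.113.101
object network R2
 host 203.0.113.2
!
! Manual NAT steps 1-14: one-to-one static, conditional on the destination. Only when KEITH talks to R2
! is the source swapped to KEITH-GLOBAL; "destination static R2 R2" leaves the destination unchanged.
! A manual rule lands in section 1 and is evaluated before object (auto) NAT.
nat (inside,outside) source static KEITH KEITH-GLOBAL destination static R2 R2
!
! Step 19, the "down arrow" in ASDM: after-auto moves the rule to section 3, evaluated after object NAT.
no nat (inside,outside) source static KEITH KEITH-GLOBAL destination static R2 R2
nat (inside,outside) after-auto source static KEITH KEITH-GLOBAL destination static R2 R2
!
! Destination NAT steps 1-11 (twice NAT): inside hosts address the remote site through a BOGUS address;
! the ASA rewrites source (INSIDE-NET -> INSIDE-MAPPED) and destination (BOGUS -> REMOTE-REAL) in one rule.
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
object network INSIDE-MAPPED
 subnet 172.16.100.0 255.255.255.0
object network BOGUS
 host 10.99.99.10
object network REMOTE-REAL
 host 192.168.2.10
nat (inside,outside) source static INSIDE-NET INSIDE-MAPPED destination static BOGUS REMOTE-REAL
!
! Verify: section numbers and hit counts per rule, then the active translations
show nat detail
show xlate
```

Return traffic is handled by the same rule: a static twice NAT rule is bidirectional, so replies to INSIDE-MAPPED from REMOTE-REAL are mapped back to INSIDE-NET and BOGUS without a second rule.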
1. Now let's translate our server to 192.168.0.176: if anybody accesses it from inside or outside, the
address is .176.

2. Configure object NAT as shown below:

3. Give the IP addresses:

4. Create a translated object:

5. Specify the object and click OK:

6. Click on Advanced and give DMZ to any:

7. Click Apply and verify the output:

8. Here we tested from inside:
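The object NAT rule behind steps 1 to 8 above, combined with the 8.3 ACL point from the "8.2 NAT" section (the ACL names the server object, so one entry covers every interface it is mapped on). This is an added example, not the notes' own configuration: 192.168.0.176 is from the notes, while the server's real address 172.16.0.10, the object and ACL names and the 203.0.113.99 test source are assumptions.

```cisco
! Static object NAT for the DMZ server, ASA 8.3+ (added; 172.16.0.10 and the names are assumed)
object network DMZ-SERVER
 host 172.16.0.10
 ! Steps 4-6: DMZ to any, so inside and outside both see the server as 192.168.0.176
 nat (dmz,any) static 192.168.0.176
!
! 8.3 ACL rule: match the object (real address). In 8.2 the same server mapped on several
! interfaces needed one ACL entry per mapped address; here one entry is enough.
access-list OUTSIDE_IN extended permit tcp any object DMZ-SERVER eq 80
access-group OUTSIDE_IN in interface outside
!
! Step 7: verify the rule and trace a packet from outside to the mapped address
show nat
show xlate
packet-tracer input outside tcp 203.0.113.99 12345 192.168.0.176 80
```

packet-tracer is the quickest way to confirm both halves at once: its UN-NAT phase shows the 192.168.0.176 to 172.16.0.10 rewrite, and its ACCESS-LIST phase shows that OUTSIDE_IN matched on the real address.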


R1 to R4 cannot ping, as shown below:
1. Router 1 has the IP addresses below:

2. In ASA1 we have NAT and the access list as below:

3. ASA2 show run nat:

4. Ping from R1 to R4: ping 4.4.4.4 source L2 1.1.1.1

5. First check the route to 4.4.4.4.

6. Here we have configured RIP, EIGRP and OSPF as below:

7. Check that OSPF is up between R4 and ASA2:

8. Check OSPF:

Here look at the timers and the process ID: everything should match.

9. Check OSPF in Router 4:

10. Here OSPF is running on both the loopback and the FA0/1 interface.
11. Here in Router 4 MD5 is configured:

12. So the problem is that R4 uses MD5 authentication and the ASA uses clear-text authentication.

13. Check the key in the router with the command below:

14. So configure OSPF MD5 authentication for Router 4 as below:

15. On ASA2 also, MD5 authentication is not enabled.
16. Enable MD5 authentication on ASA2 as below:

17. Now everything is matching, but still the neighbourship is not established:

It is in EXCHANGE/DR.
18. So here it is stuck in EXSTART state; now we have an MTU problem. Check the MTU values:

19. Here we give the debug command to verify:

20. Enable show logging to verify the output:

21. Clear the OSPF process to restart it:

22. Turn off the debug:

Here check the MTU in the router with show ip interface fa0/1.

It is 1400 bytes.

23. To resolve it, either configure the same MTU on both sides or ignore the MTU.
24. Configure MTU ignore on R4 also:

25. Now we have established OSPF.

26. Check the loopback route in ASA2:
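The two fixes from steps 11 to 25 (matching MD5 authentication, then ignoring the MTU mismatch) on both ends of the link, as an added example that is not the notes' own configuration. Area 49 and the 1400-byte MTU are from the notes; the interface names, process ID 1, key ID 1, the key string and the network statements are assumptions.

```cisco
! OSPF adjacency between R4 and ASA2 (added example; names, key and networks are assumed)
!
! --- Router 4 (IOS) ---
router ospf 1
 network 0.0.0.0 255.255.255.255 area 49
interface FastEthernet0/1
 ! Steps 12-14: MD5 on the link; key ID and key string must match the ASA
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 ExampleKey
 ! Steps 18-24: the interface MTU is 1400; ignore the MTU check so EXSTART can complete
 ip ospf mtu-ignore
!
! --- ASA2 ---
interface GigabitEthernet0/1
 nameif outside
 ! Steps 15-16: same authentication type, key ID and key as R4
 ospf authentication message-digest
 ospf message-digest-key 1 md5 ExampleKey
 ospf mtu-ignore
router ospf 1
 network 10.49.0.0 255.255.255.0 area 49
!
! --- Checks (step 8: timers, area and authentication type have to match on both ends) ---
! On R4:
!   show ip ospf interface FastEthernet0/1
!   debug ip ospf adj        (reports authentication type/key mismatches and the MTU that blocks EXSTART)
! On ASA2:
!   show ospf interface
!   show ospf neighbor
```

A neighbour stuck in EXSTART after authentication has been fixed is the classic MTU signature: hellos pass, but the database description exchange never completes because one side rejects the other's advertised MTU.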


27. Now check that ASA1 receives the EIGRP L0 route from R2:

28. Check the EIGRP route in the ASA:

29. Now check that RIP is working in ASA1 and ASA2:
30. In ASA1 we are doing mutual redistribution between EIGRP and RIP. In ASA2 we are doing mutual redistribution
between RIP and OSPF.

31. Now check the RIP routes in ASA1:

32. Here we have a problem with RIP redistribution:

33. Here RIP runs over the DMZ prefix; we have problems redistributing OSPF into RIP, but not RIP
into OSPF.
34. Now let's fix the problem of RIP not redistributing OSPF at this point.

Here the DMZ interface is running.

35. Now go to ASA1 and check:

36. Here mutual redistribution is done between EIGRP to RIP and RIP to EIGRP.
37. Here in ASA1 also we run RIP on the DMZ interface:
38. Here ping is not working:

39. Because layer 2 filters the ping.

40. Now check whether ARP is working or not. If ARP works, then there is a filtering problem. If ARP does
not work, then there is a layer 2 domain problem.
41. Clear ARP and check show arp for the DMZ.

42. Now we need to look at the layer 2 path.

43. Here ARP is not working:

44. Here the ASAs are connected to switch ports Fa 13 and 15; as per the diagram they allow traffic on
VLAN 10 untagged. There is a VACL, so the traffic is dropping on it.

45. Go to Switch 1 and check interface 13:

46. On Switch 2, Fa 1/0/15 is a trunk:
47. FA1/0/1 should also be in VLAN 10.

48. Here port number 15 is trunking.

49. Here we have two options: make 1/0/15 an access port in VLAN 10, or make VLAN 10 the native VLAN.
50. Here configure native VLAN 10 for the trunk port.

51. Check port 13:

52. Look at switch port 15:

53. Now also ARP and ping are still not working:

54. Check whether any VLAN filter is applied: it is not applied.

55. Look at the VLANs in the switch: here VLAN 10 is shut down:

56. We need to unshut VLAN 10:

57. Now check show vlan: now it is active:

58. Now we got connectivity between ASA1 and ASA2.

59. Now check the RIP routes:

60. Now RIP is OK between ASA1 and ASA2:
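The layer 2 checks and fixes from steps 40 to 58, collected as one added example; the notes only show them as screenshots. Ports Fa1/0/13, Fa1/0/15 and VLAN 10 are from the notes; the ASA interface name dmz is an assumption.

```cisco
! Layer 2 path between ASA1 and ASA2 (added example; Catalyst 3750-style syntax)
!
! --- On either ASA (steps 40-43): does ARP resolve across the DMZ? ---
clear arp
show arp
! No entry for the other ASA means the frame never makes it through the switches.
!
! --- On the switches (steps 44 and 54): is a VACL applied to VLAN 10? ---
show vlan filter
show vlan access-map
!
! --- Steps 46-50: Fa1/0/15 is a trunk, but the ASA sends VLAN 10 frames untagged,
!     so VLAN 10 must be the native VLAN on that trunk ... ---
interface FastEthernet1/0/15
 switchport trunk native vlan 10
! ... or the port becomes a plain access port in VLAN 10 (the other option in step 49):
!  switchport mode access
!  switchport access vlan 10
!
! --- Steps 55-57: VLAN 10 itself was shut down in the VLAN database ---
vlan 10
 no shutdown
!
! Verify: VLAN 10 "active", port 13 in VLAN 10, port 15 trunking with native VLAN 10
show vlan brief
show interfaces trunk
show interfaces FastEthernet1/0/13 switchport
```

The order matters for diagnosis: an ARP failure with no VACL applied and correct port membership points at the VLAN state itself, which is why step 55 is where the real cause appeared.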


61. Now if we check the Router 1 route in Router 4, it does not show the route:

62. Because ASA2 does not put RIP routes into OSPF:

63. In ASA1 it puts RIP routes into EIGRP:

64. Here in Router 1 also we cannot see it in the routing table:

65. So we troubleshoot the problems. Here both ASAs receive RIP routes and the problem is with route
redistribution: configure redistribution in ASA1.
66. Now if we look at Router 1 we should see the Router 4 IP as an external route:

67. Now fix the problem with RIP to OSPF redistribution. Here the problem is that ASA2 does not put the routes
into OSPF:
68. To resolve the problem we have 3 steps as below:

1. Put RIP routes into OSPF by redistribution.

2. In ASA2, inject the default route:
3. Make area 49 a stub: making it a stub, ASA2 injects a default route as a type 3 or type 7 LSA depending on
the stub area type.
4. Here we are choosing stub area.

5. Here in Router 4 we need to check whether it has any external routes in OSPF.
6. Here ASA2 injects external routes as the Router 4 IP. It treats Router 4 as an ASBR.
7. Now we should configure it as NSSA:

69. Configure as stub:

70. Now it should match in Router 4 as stub:

71. Remove the stub and make R4 NSSA:

72. In ASA2 also make it NSSA:

73. Here NSSA does not inject a default, so we need to configure it manually as below:
74. Now we got OSPF routes in R2:
75. Now everything is OK; we check connectivity between the VLANs. Check with R1 show ip eigrp:
76. We don't have routes for 49.0, so we don't have connectivity from R1 to ASA2 and R4.
77. Now enable RIP version 2, because auto-summarization does not complete in RIP v1 and RIP v1 does not include
the subnet mask:
78. Here we still see the wrong mask, as below:

79. We check the key as below:

80. So here the key ID is different:

81. Check the key by using more:

82. Now debug RIP:

83. Here it says "received packet with MD5 authentication" and "invalid authentication", so the key is
mismatching:
84. Configure the same key ID in ASA1 and ASA2:

85. Now also we did not get the original route; we received the summarized route.
86. Router 1 and Router 2 should connect to the VLAN.
87. We check the route as below:

88. Remove auto-summarization and check in both ASAs:

89. Now we got the route in ASA2.

90. Now routing works end to end; issue solved.
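The RIP settings behind steps 77 to 90 (RIPv2, matching MD5 key ID and key, no auto-summary) plus the ASA1 EIGRP/RIP mutual redistribution from step 30, as an added example that is not the notes' own configuration. The DMZ interface name, EIGRP AS 100, key ID 1, the key string, the metrics and the network statements are assumptions.

```cisco
! RIP between ASA1 and ASA2 (added example; identical on both ASAs unless marked ASA1 only)
router rip
 ! Step 77: v2 carries the subnet mask; v1 would advertise the classful network
 version 2
 ! Step 88: stop summarizing to the classful boundary, otherwise the 49.0 route shows a wrong mask
 no auto-summary
 network 172.16.0.0
!
interface GigabitEthernet0/2
 nameif dmz
 ! Steps 80-84: mode, key ID and key must be identical on both ends
 rip authentication mode md5
 rip authentication key ExampleKey key_id 1
!
! --- ASA1 only: mutual redistribution between EIGRP and RIP (step 30) ---
router eigrp 100
 network 10.0.0.0 255.255.255.0
 ! EIGRP needs a seed metric: bandwidth delay reliability loading mtu
 redistribute rip metric 10000 100 255 1 1500
router rip
 redistribute eigrp 100 metric 3
!
! Checks
! Step 79/81: compare the key ID on both ASAs
show running-config | include rip authentication
! Step 82/83: a key ID or key mismatch is reported as an invalid authentication on received packets
debug rip
! Step 87/89: the prefix should appear with its real mask, not the classful one
show route rip
show eigrp topology
```

Key ID and key string are checked independently, so two boxes with the same key string but different key IDs fail exactly as in step 80; show running-config with the include filter is the quickest way to put the two sides next to each other.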
