Main Post
This lab is part of a series of labs that details how to migrate NAT configurations from pre-8.3 ASA versions (8.2 and earlier) to ASA 8.3/8.4.
Lab1.3 Setup
Double NAT/Source Destination NAT
We will start with a fresh lab rather than building on the previous one, because the old configuration and topology were getting too complex.
The device configurations and GNS3 topology can be downloaded from the following link if you want to import them yourself.
NAT Policy
Outgoing
Source | Source Mapped | Destination | Destination Mapped |
10.10.10.1 | 192.168.100.200 | 192.168.0.200 | 12.12.12.1 |
Incoming
Source | Source Mapped | Destination | Destination Mapped |
12.12.12.1 | 192.168.0.200 | 192.168.100.200 | 10.10.10.1 |
1. Configure the ASA so that when the inside host 10.10.10.1 tries to reach 192.168.0.200, NAT translates the source address (10.10.10.1) to 192.168.100.200 and the destination address (192.168.0.200) to 12.12.12.1. In the same way, when the outside host 12.12.12.1 tries to reach 192.168.100.200, NAT translates the source address (12.12.12.1) to 192.168.0.200 and the destination address (192.168.100.200) to 10.10.10.1.
Pre ASA 8.3 Configuration
1. In the pre-8.3 syntax this takes two policy statics, one per direction, each bound to its own access-list that matches the real source and the destination address as that host sees it.
access-list out-nat permit ip host 10.10.10.1 host 192.168.0.200
access-list in-nat permit ip host 12.12.12.1 host 192.168.100.200
static (inside,outside) 192.168.100.200 access-list out-nat
static (outside,inside) 192.168.0.200 access-list in-nat
ASA 8.3/8.4 Configuration
1. Again, start by creating an object for each IP address, then use a single nat statement that performs all translations (inbound and outbound) in one rule.
object network obj-outreal-12.12.12.1
 host 12.12.12.1
object network obj-outmapped-192.168.100.200
 host 192.168.100.200
object network obj-inreal-10.10.10.1
 host 10.10.10.1
object network obj-inmapped-192.168.0.200
 host 192.168.0.200
nat (inside,outside) source static obj-inreal-10.10.10.1 obj-outmapped-192.168.100.200 destination static obj-inmapped-192.168.0.200 obj-outreal-12.12.12.1
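To make the direction semantics of that one nat line concrete, here is an added Python model (mine, not ASA or lab code): it parses the object definitions and the nat statement above, then applies the rule to a packet in each direction. The regex and the ingress-interface matching are simplifications that assume only this rule shape.

```python
# Added example (not ASA or lab code): parse the lab's objects and its single
# twice-NAT line, then apply the rule to a packet in each direction.
import re
# Object definitions as shown in the lab's 'show run object' output.
OBJECTS_TEXT = """\
object network obj-outreal-12.12.12.1
 host 12.12.12.1
object network obj-outmapped-192.168.100.200
 host 192.168.100.200
object network obj-inreal-10.10.10.1
 host 10.10.10.1
object network obj-inmapped-192.168.0.200
 host 192.168.0.200
"""
NAT_LINE = ("nat (inside,outside) source static obj-inreal-10.10.10.1 obj-outmapped-192.168.100.200 "
            "destination static obj-inmapped-192.168.0.200 obj-outreal-12.12.12.1")

# Keyword order in twice NAT: source = real then mapped, destination = mapped then real.
NAT_RE = re.compile(r"nat \((\w+),(\w+)\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)")

def parse_objects(text):
    """Map each 'object network' name to its host address."""
    objs, name = {}, None
    for line in text.splitlines():
        words = line.split()
        if words[:2] == ["object", "network"]:
            name = words[2]
        elif words[:1] == ["host"] and name:
            objs[name] = words[1]
    return objs

def parse_nat(nat_line, objs):
    """Resolve the nat line into interface names and concrete addresses."""
    m = NAT_RE.fullmatch(nat_line)
    if not m:
        raise ValueError("not a source/destination static twice-NAT rule")
    real_if, mapped_if, s_real, s_map, d_map, d_real = m.groups()
    return {"real_if": real_if, "mapped_if": mapped_if,
            "src_real": objs[s_real], "src_mapped": objs[s_map],
            "dst_mapped": objs[d_map], "dst_real": objs[d_real]}

def translate(rule, ingress_if, src, dst):
    """Return (egress_if, src, dst) after NAT, or None if the rule does not match."""
    if ingress_if == rule["real_if"] and (src, dst) == (rule["src_real"], rule["dst_mapped"]):
        return rule["mapped_if"], rule["src_mapped"], rule["dst_real"]  # forward: translate hit
    if ingress_if == rule["mapped_if"] and (src, dst) == (rule["dst_real"], rule["src_mapped"]):
        return rule["real_if"], rule["dst_mapped"], rule["src_real"]  # reverse: untranslate hit
    return None
```

The forward result is exactly what the ISP router's debug later shows (192.168.100.200 to 12.12.12.1), and the reverse result is what the Inside router sees (192.168.0.200 to 10.10.10.1).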
Verification
1. Use ‘show run object’ to check the objects we configured:
ASA1# sh run object
object network obj-outreal-12.12.12.1
 host 12.12.12.1
object network obj-outmapped-192.168.100.200
 host 192.168.100.200
object network obj-inreal-10.10.10.1
 host 10.10.10.1
object network obj-inmapped-192.168.0.200
 host 192.168.0.200
2. Use ‘show run nat’ to verify the NAT configuration:
ASA1# sh run nat
nat (inside,outside) source static obj-inreal-10.10.10.1 obj-outmapped-192.168.100.200 destination static obj-inmapped-192.168.0.200 obj-outreal-12.12.12.1
3. Use ‘show nat’ to check the hits against the rule:
ASA1# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static obj-inreal-10.10.10.1 obj-outmapped-192.168.100.200 destination static obj-inmapped-192.168.0.200 obj-outreal-12.12.12.1
translate_hits = 0, untranslate_hits = 0
4. Let's use an extended ping from 10.10.10.1 to 192.168.0.200. We will enable ‘debug ip packet’ on both the Inside and ISP routers to see the source and destination IP addresses.
Inside#ping
Protocol [ip]:
Target IP address: 192.168.0.200
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.200, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/48/92 ms
Inside#
Inside#
Inside#
*Mar 12 15:19:15.986: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:19:15.986: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending full packet
*Mar 12 15:19:16.078: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 15:19:16.078: IP: tableid=0, s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1 (Loopback0), routed via RIB
*Mar 12 15:19:16.078: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, rcvd 4
*Mar 12 15:19:16.078: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, stop process pak for forus packet
*Mar 12 15:19:16.078: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:19:16.078: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending full packet
*Mar 12 15:19:16.098: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10
Let's see what the ISP router thinks:
*Mar 12 15:19:16.138: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 15:19:16.142: IP: tableid=0, s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1 (Loopback0), routed via RIB
*Mar 12 15:19:16.146: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, rcvd 4
*Mar 12 15:19:16.150: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, stop process pak for forus packet
*Mar 12 15:19:16.154: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:19:16.158: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending full packet
*Mar 12 15:19:16.178: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, input feature
ISP#, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
As you can see above, the Inside router thinks it is pinging 192.168.0.200 and the reply is coming from that same IP. In the same way, the ISP router thinks the ping request is coming from 192.168.100.200 and replies to that address.
5. Now, try the same from the ISP router.
ISP#ping
Protocol [ip]:
Target IP address: 192.168.100.200
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 12.12.12.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.200, timeout is 2 seconds:
Packet sent with a source address of 12.12.12.1
!!!!
*Mar 12 15:25:52.686: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:25:52.690: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending full packet
*Mar 12 15:25:52.786: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 15:25:52.786: IP: tableid=0, s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1 (Loopback0), routed via RIB
*Mar 12 15:25:52.786: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, rcvd 4
*Mar 12 15:25:52.786: IP: s=192.168.100.200 (FastEthernet1/0), d=12.12.12.1, len 100, stop process pak for forus packet
*Mar 12 15:25:52.786: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:25:52.786: IP: s=12.12.12.1 (local), d=192.168.100.200 (FastEthernet1/0), len 100, sending full packet
*Mar 12 15:25:52.822: IP: s=192.168.100.200 (FastEther!
Let's see what the Inside router thinks of it:
*Mar 12 15:25:52.870: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 15:25:52.874: IP: tableid=0, s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1 (Loopback0), routed via RIB
*Mar 12 15:25:52.878: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, rcvd 4
*Mar 12 15:25:52.882: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, stop process pak for forus packet
*Mar 12 15:25:52.882: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending
*Mar 12 15:25:52.882: IP: s=10.10.10.1 (local), d=192.168.0.200 (FastEthernet1/0), len 100, sending full packet
*Mar 12 15:25:52.894: IP: s=192.168.0.200 (FastEthernet1/0), d=10.10.10.1, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FA
Inside#LSE, mtu 0, fwdchk FALSE
As you can see from the output above, the Inside router receives the ping request from 192.168.0.200 and replies to that same address.
6. We now have hits against the NAT rule, confirming the same:
ASA1# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static obj-inreal-10.10.10.1 obj-outmapped-192.168.100.200 destination static obj-inmapped-192.168.0.200 obj-outreal-12.12.12.1
translate_hits = 2, untranslate_hits = 2