ASA 8.3 - 8.4 Static NAT Migration Lab Guide - Lab 1.3 - My Tech World

The document describes configuring static NAT policies on an ASA firewall including static NAT, port translation, and policy-based NAT. It provides the configuration for both pre-ASA 8.3 and ASA 8.3/8.4 and includes steps to verify the NAT policies are working as expected.

ASA 8.3 / 8.4 Static NAT Migration Lab Guide - Lab 1.3 - My Tech World http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-gui...


Mar 06

ASA 8.3/8.4 NAT Migration Lab Guide – Lab 1.3


Categories:

ASA, GNS3, Security

by malikyounas

Main Post

http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-guide/

This lab is part of a series of labs that details how to migrate NAT configurations from ASA 8.2 and earlier to ASA 8.3/8.4.

Lab 1.3 Setup

Static NAT, Static Policy NAT, Static NAT with Port Translation, Many-to-Many Static NAT

Building on what we had before (Lab 1.2), let's add a few more subnets to the Inside router. I have also modified the ASA config to add routes for these new subnets. The ISP router is also modified to add a route for 14.14.0.0/16 pointing to the firewall (it is used in NAT Policy Requirement 4).

The device configurations and GNS3 topology can be downloaded from the following link if you want to import them yourself.

http://www.mediafire.com/download.php?bw707i723qao62y

1/7 2012.11.01. 8:41


NAT Policy

1. Configure the ASA so that Inside address 13.13.13.1 is mapped to 192.168.100.205, such that any connection request to 192.168.100.205 is answered by 13.13.13.1.
2. Configure the ASA so that Inside address 13.13.13.1 is translated to 192.168.100.206 when it tries to access 12.12.12.1.
3. Configure the ASA so that Inside address 13.13.14.1 port 80 is mapped to 192.168.100.207 port 80. When someone from outside tries to access 192.168.100.207 port 80 it is answered by 13.13.14.1 port 80.
4. Configure a pool of IP addresses to be mapped to a pool of IP addresses of exactly the same size. This makes sure that each host in the source pool is mapped to the corresponding host address in the mapped pool: for example 13.13.15.1 is matched with 14.14.14.1, 13.13.15.2 with 14.14.14.2, and so on.

Pre ASA 8.3 Configuration

1.
static (inside,outside) 192.168.100.205 13.13.13.1 netmask 255.255.255.255

2.
access-list policy-nat permit ip host 13.13.13.1 host 12.12.12.1
static (inside,outside) 192.168.100.206 access-list policy-nat

3.
static (inside,outside) tcp 192.168.100.207 80 13.13.14.1 80 netmask 255.255.255.255

4.
static (inside,outside) 14.14.14.0 13.13.15.0 netmask 255.255.255.0

ASA 8.3/8.4 Configuration

From 8.3 onward NAT is configured either on a network object (auto NAT, evaluated in section 2) or as a manual "twice" NAT statement (section 1, evaluated first), and the interface access lists match the real, untranslated address instead of the mapped one. Keep the second point in mind when you carry the access rules across: a rule that still names the mapped address will not match after the migration.

1. Simple enough for a static mapping: create a network object for the source IP and add the nat statement inside it.

object network obj-13.13.13.1
 host 13.13.13.1
 nat (inside,outside) static 192.168.100.205

2. Same idea with objects, one each for the source, destination and mapped addresses. The object for 13.13.13.1 is already defined, so let's reuse it. The destination is translated to itself (an identity mapping), which is what restricts the rule to traffic for 12.12.12.1. Because manual NAT sits in section 1 and is evaluated before the object NAT rules in section 2, this rule wins over the plain static from requirement 1 whenever 13.13.13.1 talks to 12.12.12.1, matching the pre-8.3 behaviour where policy static NAT took precedence over regular static NAT.

object network obj-192.168.100.206
 host 192.168.100.206

object network obj-12.12.12.1
 host 12.12.12.1

nat (inside,outside) source static obj-13.13.13.1 obj-192.168.100.206 destination static obj-12.12.12.1 obj-12.12.12.1

3. Again, start with an object for 13.13.14.1 and add the nat statement to it. Only TCP/80 is translated here, so even a permissive access list cannot reach any other port on 13.13.14.1 through 192.168.100.207, unlike the full one-to-one static in requirement 1.

object network obj-13.13.14.1
 host 13.13.14.1
 nat (inside,outside) static 192.168.100.207 service tcp www www

4. Here we define a subnet object and then the mapping. Because the mapped subnet has the same mask as the real one, the ASA translates host to host: 13.13.15.1 becomes 14.14.14.1, 13.13.15.2 becomes 14.14.14.2, and so on.

object network obj-13.13.15.0
 subnet 13.13.15.0 255.255.255.0
 nat (inside,outside) static 14.14.14.0
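One thing the lab leaves out is the access rules. Static NAT only builds the translation; a connection from outside still has to be permitted by the access list applied to the outside interface, and from 8.3 onward that access list is matched against the real (inside) address, because the destination is untranslated before the access list is checked. The fragment below is an added example, not part of the original lab configuration: the access list name outside_in is an assumption, and it permits only what the lab's own tests need, ICMP echo to the host behind requirement 1 and TCP/80 to the host behind requirement 3.

```cisco
! Pre-8.3 form, shown for comparison: the rules name the mapped addresses.
access-list outside_in extended permit icmp any host 192.168.100.205 echo
access-list outside_in extended permit tcp any host 192.168.100.207 eq 80
access-group outside_in in interface outside

! 8.3/8.4 form: the same rules must name the real addresses. Rules still
! written for 192.168.100.205 or 192.168.100.207 never match after the
! migration, because the destination has already been translated back
! to 13.13.13.1 / 13.13.14.1 when the access list is evaluated.
access-list outside_in extended permit icmp any host 13.13.13.1 echo
access-list outside_in extended permit tcp any host 13.13.14.1 eq 80
access-group outside_in in interface outside
```

Note that the port-restricted rule for 13.13.14.1 is the least-exposure option: the translation itself only exists for TCP/80, whereas the full static for 13.13.13.1 exposes whatever the access list permits on any port. When a connection fails after the migration, packet-tracer on the ASA shows which phase (NAT or access list) drops it.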

Verification:

1. Use 'show run object' to see which objects are part of the running config. Only the objects relevant to this lab are shown below.

ASA1# sh run object
----- Output Omitted -----
object network obj-13.13.13.1
 host 13.13.13.1
object network obj-192.168.100.206
 host 192.168.100.206
object network obj-12.12.12.1
 host 12.12.12.1
object network obj-13.13.14.1
 host 13.13.14.1
object network obj-13.13.15.0
 subnet 13.13.15.0 255.255.255.0

2. Use 'show run nat' to see which NAT statements are configured. The manual (twice) NAT statement is listed first, the object NAT statements after it.

ASA1# sh run nat
----- Output Omitted -----
nat (inside,outside) source static obj-13.13.13.1 obj-192.168.100.206 destination static obj-12.12.12.1 obj-12.12.12.1
----- Output Omitted -----
object network obj-13.13.13.1
 nat (inside,outside) static 192.168.100.205
object network obj-13.13.14.1
 nat (inside,outside) static 192.168.100.207 service tcp www www
object network obj-13.13.15.0
 nat (inside,outside) static 14.14.14.0

3. Use 'show nat' to see which NAT rules are in place and the hit counts against them. translate_hits counts packets matched in the forward (real to mapped) direction and untranslate_hits those matched in the reverse direction; both are still zero here because nothing has crossed the firewall yet. The twice NAT rule appears as entry 4 of the manual NAT section, above the "Auto NAT Policies (Section 2)" header.

ASA1# sh nat
----- Output Omitted -----
4 (inside) to (outside) source static obj-13.13.13.1 obj-192.168.100.206 destination static obj-12.12.12.1 obj-12.12.12.1
    translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj-13.13.13.1 192.168.100.205
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static obj-13.13.14.1 192.168.100.207 service tcp www www
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static obj-13.13.15.0 14.14.14.0
    translate_hits = 0, untranslate_hits = 0
----- Output Omitted -----

4. To verify NAT policy 1, ping 192.168.100.205 from the ISP router. The ASA should translate the destination to 13.13.13.1 before the packet hits the Inside router, which is what the debug output on the Inside router shows: the echo arrives for 13.13.13.1 on Loopback13 and the reply is sourced from it, while the ISP router's own address 192.168.100.2 is left untouched.

ISP#ping 192.168.100.205

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.205, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/43/100 ms

On Inside Router

*Mar 6 13:57:44.223: IP: tableid=0, s=192.168.100.2 (FastEthernet1/0), d=13.13.13.1 (Loopback13), routed via RIB
*Mar 6 13:57:44.227: IP: s=192.168.100.2 (FastEthernet1/0), d=13.13.13.1, len 100, rcvd 4
*Mar 6 13:57:44.231: IP: s=192.168.100.2 (FastEthernet1/0), d=13.13.13.1, len 100, stop process pak for forus packet
*Mar 6 13:57:44.235: IP: s=13.13.13.1 (local), d=192.168.100.2 (FastEthernet1/0), len 100, sending
*Mar 6 13:57:44.235: IP: s=13.13.13.1 (local), d=192.168.100.2 (FastEthernet1/0), len 100, sending full packet
*Mar 6 13:57:44.243: IP: s=192.168.100.2 (FastEthernet1/0), d=13.13.13.1, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Inside#

5. To verify NAT policy 2, use an extended ping from the Inside router with source address 13.13.13.1 and destination 12.12.12.1. On the ISP router you should see the packets arriving from the mapped IP 192.168.100.206 rather than from 192.168.100.205, because the twice NAT rule matched on the destination and took precedence over the plain static.

Inside#ping
Protocol [ip]:
Target IP address: 12.12.12.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 13.13.13.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.1, timeout is 2 seconds:
Packet sent with a source address of 13.13.13.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/39/112 ms

On ISP Router

*Mar 6 14:43:50.494: IP: tableid=0, s=192.168.100.206 (FastEthernet1/0), d=12.12.12.1 (Loopback0), routed via RIB
*Mar 6 14:43:50.498: IP: s=192.168.100.206 (FastEthernet1/0), d=12.12.12.1, len 100, rcvd 4
*Mar 6 14:43:50.498: IP: s=192.168.100.206 (FastEthernet1/0), d=12.12.12.1, len 100, stop process pak for forus packet
*Mar 6 14:43:50.498: IP: s=12.12.12.1 (local), d=192.168.100.206 (FastEthernet1/0), len 100, sending
*Mar 6 14:43:50.498: IP: s=12.12.12.1 (local), d=192.168.100.206 (FastEthernet1/0), len 100, sending full packet
*Mar 6 14:43:50.510: IP: s=192.168.100.206 (FastEthernet1/0), d=12.12.12.1, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
ISP#

6. To verify NAT policy 3 we are not doing a live test here, as I am using routers as the hosts and cannot run a browser on them.
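The port translation from requirement 3 can still be exercised without a browser. The commands below are an added example, not from the original lab: packet-tracer builds a synthetic TCP SYN on the ASA and walks it through the NAT and access list phases, and a real connection can be made from the ISP router with telnet to port 80 provided the Inside router has a listener there (ip http server on the Inside router is an assumption, not part of the published lab config). The source port 1025 is an arbitrary ephemeral port.

```cisco
! Synthetic SYN from the ISP router to the mapped address and port.
! The NAT phase of the output should quote the obj-13.13.14.1 rule, the
! destination after untranslation should be 13.13.14.1 port 80, and the
! final line should read "Action: allow" once the outside access list
! permits TCP/80 to the real address 13.13.14.1.
ASA1# packet-tracer input outside tcp 192.168.100.2 1025 192.168.100.207 80

! No other port on 192.168.100.207 has a static mapping, so the same test
! against port 22 must not show the obj-13.13.14.1 rule and should end in
! "Action: drop" (the exact drop reason depends on the rest of the config).
ASA1# packet-tracer input outside tcp 192.168.100.2 1025 192.168.100.207 22

! For a real connection: reset the counters, connect from the ISP router,
! then confirm that untranslate_hits for the obj-13.13.14.1 rule went up
! and that a TCP port translation for 13.13.14.1/80 exists in the xlate table.
ASA1# clear nat counters
ISP# telnet 192.168.100.207 80
ASA1# show nat detail
ASA1# show xlate
```

The two packet-tracer runs together prove both halves of the requirement: port 80 is reachable and nothing else is, which is the property that distinguishes the port static from the full one-to-one static used in requirement 1.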

7. To verify NAT policy 4, use an extended ping from the Inside router with source 13.13.15.1 to the ISP router; it should be translated to 14.14.14.1. Now change the IP of the loopback interface from 13.13.15.1 to 13.13.15.2 and run the extended ping again; this time it should be translated to 14.14.14.2.

Inside#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 13.13.15.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 13.13.15.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/28/72 ms

On ISP Router

*Mar 6 19:18:56.119: IP: tableid=0, s=14.14.14.1 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), routed via RIB
*Mar 6 19:18:56.119: IP: s=14.14.14.1 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), len 100, rcvd 3
*Mar 6 19:18:56.119: IP: s=14.14.14.1 (FastEthernet1/0), d=192.168.100.2, len 100, stop process pak for forus packet
*Mar 6 19:18:56.119: IP: s=192.168.100.2 (local), d=14.14.14.1 (FastEthernet1/0), len 100, sending
*Mar 6 19:18:56.119: IP: s=192.168.100.2 (local), d=14.14.14.1 (FastEthernet1/0), len 100, sending full packet

Try again with 13.13.15.2

Inside#ping
Protocol [ip]:
Target IP address: 192.168.100.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 13.13.15.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 13.13.15.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/30/60 ms

On ISP Router

*Mar 6 19:20:21.279: IP: s=14.14.14.2 (FastEthernet1/0), d=192.168.100.2 (FastEthernet1/0), len 100, rcvd 3
*Mar 6 19:20:21.279: IP: s=14.14.14.2 (FastEthernet1/0), d=192.168.100.2, len 100, stop process pak for forus packet
*Mar 6 19:20:21.279: IP: s=192.168.100.2 (local), d=14.14.14.2 (FastEthernet1/0), len 100, sending
*Mar 6 19:20:21.279: IP: s=192.168.100.2 (local), d=14.14.14.2 (FastEthernet1/0), len 100, sending full packet
*Mar 6 19:20:21.299: IP: s=14.14.14.2 (FastEtherne


Copyright © 2012 XeruNetworks.