 Post subject: Dynamic PAT and static NAT on ASA 8.4(2)
PostPosted: Wed Mar 07, 2012 4:19 pm 
GNS3 = 0.8.2-BETA2
Routers = C7200-JK.BIN
ASA1 = asa842-initrd.gz / asa842-vmlinuz
SW1 & SW2 = GNS3 ethernet switch
C1 & C2 & SRV_in_DMZ = VPCS
C1 and C2 get their addresses by DHCP (configured on the R7200_1 router)
SRV_in_DMZ has a fixed IP
ASA1 distributes the default route into OSPF


Attachment: topology.png


Scenario:
Network 192.168.10.0/24 (Vlan10) is NATted to IP 80.0.0.10 to go out to the internet
Network 192.168.20.0/24 (Vlan20) is NATted to IP 80.0.0.20 to go out to the internet
Host 192.168.40.1 (SRV_in_DMZ) is reachable from the internet as IP 80.0.0.2, only from the Partner's loopback


Let's check the IP routes:


Code:
R7200_1#sh ip route

Gateway of last resort is 192.168.30.126 to network 0.0.0.0

     192.168.30.0/25 is subnetted, 1 subnets
C       192.168.30.0 is directly connected, FastEthernet0/1
C    192.168.10.0/24 is directly connected, FastEthernet0/0.10
     192.168.40.0/25 is subnetted, 1 subnets
O       192.168.40.0 [110/11] via 192.168.30.126, 00:13:24, FastEthernet0/1
C    192.168.20.0/24 is directly connected, FastEthernet0/0.20
O*E1 0.0.0.0/0 [110/2] via 192.168.30.126, 00:13:24, FastEthernet0/1


Code:
ciscoasa# sh route

Gateway of last resort is 80.0.0.254 to network 0.0.0.0

C    192.168.30.0 255.255.255.128 is directly connected, inside
C    80.0.0.0 255.255.255.0 is directly connected, outside
O    192.168.10.0 255.255.255.0 [110/11] via 192.168.30.1, 0:14:02, inside
C    192.168.40.0 255.255.255.128 is directly connected, dmz
O    192.168.20.0 255.255.255.0 [110/11] via 192.168.30.1, 0:14:02, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 80.0.0.254, outside


Code:
PARTNER#sh ip route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     80.0.0.0/24 is subnetted, 1 subnets
C       80.0.0.0 is directly connected, FastEthernet0/0
     93.0.0.0/32 is subnetted, 1 subnets
C       93.93.93.3 is directly connected, Loopback2
     92.0.0.0/32 is subnetted, 1 subnets
C       92.92.92.2 is directly connected, Loopback1
     91.0.0.0/32 is subnetted, 1 subnets
C       91.91.91.1 is directly connected, Loopback0
S*   0.0.0.0/0 is directly connected, Null0


Routing seems to be good; see the attached configuration files for the "router ospf" section.



Let's check the running-config (the complete configuration is attached):

Code:
ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
object network internal_lan10
subnet 192.168.10.0 255.255.255.0
object network internal_lan20
subnet 192.168.20.0 255.255.255.0
object network SRV_in_DMZ
host 192.168.40.1
object-group network Partner_loopback
network-object host 91.91.91.1
network-object host 92.92.92.2
network-object host 93.93.93.3
access-list outside extended permit icmp object-group Partner_loopback host 192.168.40.1
access-list outside extended deny ip any any log
!
object network internal_lan10
nat (inside,outside) dynamic 80.0.0.10
object network internal_lan20
nat (inside,outside) dynamic 80.0.0.20
object network SRV_in_DMZ
nat (dmz,outside) static 80.0.0.2
access-group outside in interface outside
!



Let's check connectivity from PC1 to 91.91.91.1.

FROM PC1 (VLAN10)

Code:
VPCS[1]> ping 91.91.91.1
91.91.91.1 icmp_seq=1 timeout
91.91.91.1 icmp_seq=2 ttl=254 time=84.000 ms
91.91.91.1 icmp_seq=3 ttl=254 time=83.000 ms
91.91.91.1 icmp_seq=4 ttl=254 time=51.000 ms
91.91.91.1 icmp_seq=5 ttl=254 time=126.000 ms


Result on the Partner's router:

Code:
PARTNER#debug ip icmp
ICMP packet debugging is on
PARTNER#
*Mar  7 16:35:54.551: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.10
PARTNER#
*Mar  7 16:35:56.523: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.10
PARTNER#
*Mar  7 16:35:57.631: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.10
PARTNER#
*Mar  7 16:35:58.723: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.10
PARTNER#
*Mar  7 16:35:59.803: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.10


FROM PC2 to 91.91.91.1

Code:
VPCS[2]> ping 91.91.91.1
91.91.91.1 icmp_seq=1 timeout
91.91.91.1 icmp_seq=2 ttl=254 time=118.000 ms
91.91.91.1 icmp_seq=3 ttl=254 time=88.000 ms
91.91.91.1 icmp_seq=4 ttl=254 time=101.000 ms
91.91.91.1 icmp_seq=5 ttl=254 time=86.000 ms



Code:
PARTNER#
*Mar  7 16:36:35.423: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.20
PARTNER#
*Mar  7 16:36:37.431: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.20
PARTNER#
*Mar  7 16:36:38.531: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.20
PARTNER#
*Mar  7 16:36:39.639: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.20
PARTNER#
*Mar  7 16:36:40.739: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.20
PARTNER#



From PARTNER


Code:
PARTNER#ping 80.0.0.2 source 80.0.0.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 80.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 80.0.0.254
.....
Success rate is 0 percent (0/5)


This seems correct, because it is not allowed.

In the logging buffer on the ASA:

Code:
ciscoasa# sh logg | inc %ASA-6-106100
%ASA-6-106100: access-list outside denied icmp outside/80.0.0.254(8) -> dmz/192.168.40.1(0) hit-cnt 1 first hit [0xfd0ffa4a, 0x0]



If I use Loopback0 as the source for my ICMP echo:

Code:
PARTNER#ping 80.0.0.2 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 80.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 91.91.91.1
!!!!!


The debug on the ASA shows me:

Code:
ciscoasa# debug icmp trace
debug icmp trace enabled at level 1
ciscoasa# ICMP echo request from outside:91.91.91.1 to dmz:80.0.0.2 ID=2 seq=0 len=72
ICMP echo request untranslating outside:80.0.0.2 to dmz:192.168.40.1
ICMP echo reply from dmz:192.168.40.1 to outside:91.91.91.1 ID=2 seq=0 len=72
ICMP echo reply translating dmz:192.168.40.1 to outside:80.0.0.2


Code:
ciscoasa# sh access-list
access-list cached ACL log flows: total 1, denied 1 (deny-flow-max 4096)
            alert-interval 300
access-list outside; 4 elements; name hash: 0x1a47dec4
access-list outside line 1 extended permit icmp object-group Partner_loopback host 192.168.40.1 0x5220c040
  access-list outside line 1 extended permit icmp host 91.91.91.1 host 192.168.40.1 (hitcnt=4) 0x396e49c7
  access-list outside line 1 extended permit icmp host 92.92.92.2 host 192.168.40.1 (hitcnt=0) 0x45380c15
  access-list outside line 1 extended permit icmp host 93.93.93.3 host 192.168.40.1 (hitcnt=0) 0xa818ed6a
access-list outside line 2 extended deny ip any any log informational interval 300 (hitcnt=4) 0xfd0ffa4a



See you soon

Mario




Attachments: R7200_1.txt, partner.txt, ciscoasa.txt

_________________
Mario
Network Admin

CCNA certified.
Cisco SNAF courses studied (Securing Networks With ASA Foundation)
Cisco CCNP route courses in April 2012.
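The NAT-then-ACL ordering that the `debug icmp trace` output and the `%ASA-6-106100` log line above illustrate, as an added example that is not part of the original post and not Cisco's code: a small Python model of the posted object NAT rules and `access-list outside`. It parses only the constructs that appear in the posted config (copied here as a constructed string), reverses the static rule before evaluating the ACL, and reproduces why 80.0.0.254 is denied at line 2 while 91.91.91.1 is permitted at line 1, both matched against the real address 192.168.40.1 rather than the mapped 80.0.0.2. The function names, the interface names and the simplified first-match semantics are this example's own assumptions, not the ASA's implementation.

```python
"""Model of the ASA 8.3+ object NAT + ACL behaviour shown in the post.
Added example (not the poster's or Cisco's code): the interface ACL is
evaluated against the REAL, untranslated address after the NAT lookup."""
import ipaddress

# Constructed copy of the NAT/ACL lines from the posted running-config.
ASA_CONFIG = """\
object network internal_lan10
subnet 192.168.10.0 255.255.255.0
object network internal_lan20
subnet 192.168.20.0 255.255.255.0
object network SRV_in_DMZ
host 192.168.40.1
object-group network Partner_loopback
network-object host 91.91.91.1
network-object host 92.92.92.2
network-object host 93.93.93.3
access-list outside extended permit icmp object-group Partner_loopback host 192.168.40.1
access-list outside extended deny ip any any log
object network internal_lan10
nat (inside,outside) dynamic 80.0.0.10
object network internal_lan20
nat (inside,outside) dynamic 80.0.0.20
object network SRV_in_DMZ
nat (dmz,outside) static 80.0.0.2
"""


def _parse_spec(cfg, t, i):
    """Return ([networks], next_index) for one ACL address specification."""
    if t[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t[i] == "host":
        return [ipaddress.ip_network(t[i + 1] + "/32")], i + 2
    if t[i] == "object-group":
        return cfg["groups"][t[i + 1]], i + 2
    raise ValueError("unsupported address spec: " + " ".join(t[i:]))


def parse_config(text):
    """Build objects, object-groups, object NAT rules and ACLs from config text."""
    cfg = {"objects": {}, "groups": {}, "nat": [], "acl": {}}
    current = None  # name of the object / object-group being defined
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] in ("object", "object-group"):  # "object network X" / "object-group network X"
            current = t[2]
            if t[0] == "object-group":
                cfg["groups"].setdefault(current, [])
        elif t[0] == "subnet":  # dotted netmask form is accepted by ipaddress
            cfg["objects"][current] = ipaddress.ip_network(t[1] + "/" + t[2])
        elif t[0] == "host":
            cfg["objects"][current] = ipaddress.ip_network(t[1] + "/32")
        elif t[0] == "network-object" and t[1] == "host":
            cfg["groups"][current].append(ipaddress.ip_network(t[2] + "/32"))
        elif t[0] == "nat":  # nat (real_if,mapped_if) dynamic|static MAPPED
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["nat"].append({"object": current, "real_if": real_if, "mapped_if": mapped_if,
                               "kind": t[2], "mapped": ipaddress.ip_address(t[3])})
        elif t[0] == "access-list" and t[2] == "extended":
            src, i = _parse_spec(cfg, t, 5)
            dst, _ = _parse_spec(cfg, t, i)
            cfg["acl"].setdefault(t[1], []).append(
                {"action": t[3], "proto": t[4], "src": src, "dst": dst})
    return cfg


def translate_outbound(cfg, in_if, src, out_if):
    """Mapped source address for a flow entering real_if and leaving mapped_if."""
    src = ipaddress.ip_address(src)
    for r in cfg["nat"]:
        if (r["real_if"], r["mapped_if"]) == (in_if, out_if) and src in cfg["objects"][r["object"]]:
            return str(r["mapped"])
    return str(src)  # no rule matched: address passes through untranslated


def untranslate_inbound(cfg, in_if, dst):
    """Reverse a static rule for a packet arriving on the mapped interface."""
    dst = ipaddress.ip_address(dst)
    for r in cfg["nat"]:
        if r["kind"] == "static" and r["mapped_if"] == in_if and r["mapped"] == dst:
            return r["real_if"], str(cfg["objects"][r["object"]].network_address)
    return None, str(dst)  # no static rule: nothing to untranslate


def acl_lookup(cfg, name, proto, src, dst):
    """First-match evaluation: (action, line), or ('deny', None) for the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line, ace in enumerate(cfg["acl"][name], start=1):
        if ace["proto"] not in ("ip", proto):
            continue
        if any(src in n for n in ace["src"]) and any(dst in n for n in ace["dst"]):
            return ace["action"], line
    return "deny", None


def inbound_icmp(cfg, src, mapped_dst):
    """outside -> mapped address: NAT lookup first, then the ACL on the real address."""
    egress_if, real_dst = untranslate_inbound(cfg, "outside", mapped_dst)
    return (egress_if, real_dst) + acl_lookup(cfg, "outside", "icmp", src, real_dst)


CFG = parse_config(ASA_CONFIG)
```

`inbound_icmp(CFG, "80.0.0.254", "80.0.0.2")` returns `("dmz", "192.168.40.1", "deny", 2)`, matching the 106100 line, and `inbound_icmp(CFG, "91.91.91.1", "80.0.0.2")` returns `("dmz", "192.168.40.1", "permit", 1)`, matching the debug trace and the hit count on line 1. The model deliberately ignores connection state, interface security levels and the other ACL keywords (`log`, `informational`, `interval`), so it only answers the question the post raises: which address the ACL sees.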
 Post subject: Re: Dynamic PAT and static NAT on ASA 8.4(2)
PostPosted: Wed May 09, 2012 1:33 am 
nice work, thanks for sharing


 Post subject: Re: Dynamic PAT and static NAT on ASA 8.4(2)
PostPosted: Wed Oct 10, 2012 4:40 am 
Thank you very much for sharing! Figure out how to replicate your topology w/ the ASA connecting to the c7200.

Cheers.



