GNS3
http://forum.gns3.net/

Dynamic PAT and static NAT on ASA 8.4(2)
http://forum.gns3.net/topic4668.html

Author:  mario62223 [ Wed Mar 07, 2012 4:19 pm ]
Post subject:  Dynamic PAT and static NAT on ASA 8.4(2)

GNS3 = 0.8.2-BETA2
Routers = C7200-JK.BIN
ASA1 = asa842-initrd.gz / asa842-vmlinuz
SW1 & SW2 = GNS3 ethernet switch
C1 & C2 & SRV_in_DMZ = VPCS
C1 and C2 get their addresses via DHCP (configured on the R7200_1 router)
SRV_in_DMZ has a fixed IP
ASA1 redistributes the default route into OSPF


Attachment: topology.png


Scenario:
Network 192.168.10.0/24 (Vlan10) is NATed to IP 80.0.0.10 to go out to the internet
Network 192.168.20.0/24 (Vlan20) is NATed to IP 80.0.0.20 to go out to the internet
Host 192.168.40.1 (SRV_in_DMZ) is reachable from the internet as IP 80.0.0.2, only from the Partner's loopbacks


Let's check the IP routes


Code:
R7200_1#sh ip route

Gateway of last resort is 192.168.30.126 to network 0.0.0.0

     192.168.30.0/25 is subnetted, 1 subnets
C       192.168.30.0 is directly connected, FastEthernet0/1
C    192.168.10.0/24 is directly connected, FastEthernet0/0.10
     192.168.40.0/25 is subnetted, 1 subnets
O       192.168.40.0 [110/11] via 192.168.30.126, 00:13:24, FastEthernet0/1
C    192.168.20.0/24 is directly connected, FastEthernet0/0.20
O*E1 0.0.0.0/0 [110/2] via 192.168.30.126, 00:13:24, FastEthernet0/1


Code:
ciscoasa# sh route

Gateway of last resort is 80.0.0.254 to network 0.0.0.0

C    192.168.30.0 255.255.255.128 is directly connected, inside
C    80.0.0.0 255.255.255.0 is directly connected, outside
O    192.168.10.0 255.255.255.0 [110/11] via 192.168.30.1, 0:14:02, inside
C    192.168.40.0 255.255.255.128 is directly connected, dmz
O    192.168.20.0 255.255.255.0 [110/11] via 192.168.30.1, 0:14:02, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 80.0.0.254, outside


Code:
PARTNER#sh ip route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     80.0.0.0/24 is subnetted, 1 subnets
C       80.0.0.0 is directly connected, FastEthernet0/0
     93.0.0.0/32 is subnetted, 1 subnets
C       93.93.93.3 is directly connected, Loopback2
     92.0.0.0/32 is subnetted, 1 subnets
C       92.92.92.2 is directly connected, Loopback1
     91.0.0.0/32 is subnetted, 1 subnets
C       91.91.91.1 is directly connected, Loopback0
S*   0.0.0.0/0 is directly connected, Null0


Routing seems to be good; see the configuration files for "router ospf".



Let's check the running-config (the complete configuration is attached)

Code:
ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
object network internal_lan10
subnet 192.168.10.0 255.255.255.0
object network internal_lan20
subnet 192.168.20.0 255.255.255.0
object network SRV_in_DMZ
host 192.168.40.1
object-group network Partner_loopback
network-object host 91.91.91.1
network-object host 92.92.92.2
network-object host 93.93.93.3
access-list outside extended permit icmp object-group Partner_loopback host 192.168.40.1
access-list outside extended deny ip any any log
!
object network internal_lan10
nat (inside,outside) dynamic 80.0.0.10
object network internal_lan20
nat (inside,outside) dynamic 80.0.0.20
object network SRV_in_DMZ
nat (dmz,outside) static 80.0.0.2
access-group outside in interface outside
!



Let's check connectivity from PC1 to 91.91.91.1

FROM PC1 (VLAN10)

Code:
VPCS[1]> ping 91.91.91.1
91.91.91.1 icmp_seq=1 timeout
91.91.91.1 icmp_seq=2 ttl=254 time=84.000 ms
91.91.91.1 icmp_seq=3 ttl=254 time=83.000 ms
91.91.91.1 icmp_seq=4 ttl=254 time=51.000 ms
91.91.91.1 icmp_seq=5 ttl=254 time=126.000 ms


Result on the partner's router:

Code:
PARTNER#debug ip icmp
ICMP packet debugging is on
PARTNER#
*Mar  7 16:35:54.551: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.10
PARTNER#
*Mar  7 16:35:56.523: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.10
PARTNER#
*Mar  7 16:35:57.631: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.10
PARTNER#
*Mar  7 16:35:58.723: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.10
PARTNER#
*Mar  7 16:35:59.803: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.10


FROM PC2 to 91.91.91.1

Code:
VPCS[2]> ping 91.91.91.1
91.91.91.1 icmp_seq=1 timeout
91.91.91.1 icmp_seq=2 ttl=254 time=118.000 ms
91.91.91.1 icmp_seq=3 ttl=254 time=88.000 ms
91.91.91.1 icmp_seq=4 ttl=254 time=101.000 ms
91.91.91.1 icmp_seq=5 ttl=254 time=86.000 ms



Code:
PARTNER#
*Mar  7 16:36:35.423: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.20
PARTNER#
*Mar  7 16:36:37.431: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.20
PARTNER#
*Mar  7 16:36:38.531: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.20
PARTNER#
*Mar  7 16:36:39.639: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.20
PARTNER#
*Mar  7 16:36:40.739: ICMP: echo reply sent, src 91.91.91.1, dst 80.0.0.20
PARTNER#



From PARTNER


Code:
PARTNER#ping 80.0.0.2 source 80.0.0.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 80.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 80.0.0.254
.....
Success rate is 0 percent (0/5)


This seems correct, because it's not allowed.

In logging buffer on ASA:

Code:
ciscoasa# sh logg | inc %ASA-6-106100
%ASA-6-106100: access-list outside denied icmp outside/80.0.0.254(8) -> dmz/192.168.40.1(0) hit-cnt 1 first hit [0xfd0ffa4a, 0x0]



If I use loopback0 as the source for my ICMP echo:

Code:
PARTNER#ping 80.0.0.2 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 80.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 91.91.91.1
!!!!!


The debug on the ASA shows me:

Code:
ciscoasa# debug icmp trace
debug icmp trace enabled at level 1
ciscoasa# ICMP echo request from outside:91.91.91.1 to dmz:80.0.0.2 ID=2 seq=0 len=72
ICMP echo request untranslating outside:80.0.0.2 to dmz:192.168.40.1
ICMP echo reply from dmz:192.168.40.1 to outside:91.91.91.1 ID=2 seq=0 len=72
ICMP echo reply translating dmz:192.168.40.1 to outside:80.0.0.2


Code:
ciscoasa# sh access-list
access-list cached ACL log flows: total 1, denied 1 (deny-flow-max 4096)
            alert-interval 300
access-list outside; 4 elements; name hash: 0x1a47dec4
access-list outside line 1 extended permit icmp object-group Partner_loopback host 192.168.40.1 0x5220c040
  access-list outside line 1 extended permit icmp host 91.91.91.1 host 192.168.40.1 (hitcnt=4) 0x396e49c7
  access-list outside line 1 extended permit icmp host 92.92.92.2 host 192.168.40.1 (hitcnt=0) 0x45380c15
  access-list outside line 1 extended permit icmp host 93.93.93.3 host 192.168.40.1 (hitcnt=0) 0xa818ed6a
access-list outside line 2 extended deny ip any any log informational interval 300 (hitcnt=4) 0xfd0ffa4a



See you soon

Mario

Attachments:
R7200_1.txt [1.46 KiB]
partner.txt [1.1 KiB]
ciscoasa.txt [3.4 KiB]
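As an added illustration (not code from the post, from GNS3 or from Cisco), the Python model below reproduces the order of operations the ASA debug and the 106100 syslog above demonstrate: an inbound packet is untranslated by the static NAT first, and the outside ACL is then evaluated against the real address 192.168.40.1, which is why the ACE names the DMZ host and not 80.0.0.2. The NAT rules and ACEs are copied from the running-config; the packet addresses fed to the model are constructed.

```python
"""Model of the ASA 8.4 order of operations seen in the post: an inbound
packet is untranslated by static NAT first, then the interface ACL is
checked against the REAL (post-untranslation) address. Added illustration,
not ASA code: config values come from the post, packet addresses are
constructed."""
import ipaddress

# Object NAT from the post: (real network, (real_if, mapped_if), mapped IP, kind)
NAT_RULES = [
    (ipaddress.ip_network("192.168.10.0/24"), ("inside", "outside"), "80.0.0.10", "dynamic"),
    (ipaddress.ip_network("192.168.20.0/24"), ("inside", "outside"), "80.0.0.20", "dynamic"),
    (ipaddress.ip_network("192.168.40.1/32"), ("dmz", "outside"), "80.0.0.2", "static"),
]

# access-list outside, expanded the way 'show access-list' prints it.
# Since 8.3 the ACL names the real host 192.168.40.1, never the mapped 80.0.0.2.
OUTSIDE_ACL = [("permit", "icmp", src, "192.168.40.1")
               for src in ("91.91.91.1", "92.92.92.2", "93.93.93.3")]
OUTSIDE_ACL.append(("deny", "ip", "any", "any"))

def untranslate_inbound(dst_mapped):
    """Packet arriving on outside: map its public dst back to the real host.
    Only static NAT is reversible here; PAT needs existing xlate state."""
    for real_net, (real_if, mapped_if), mapped, kind in NAT_RULES:
        if mapped_if == "outside" and kind == "static" and mapped == dst_mapped:
            return real_if, str(real_net.network_address)
    return None

def translate_outbound(src_real, ingress_if):
    """Packet leaving towards outside: pick the mapped source address."""
    for real_net, (real_if, _), mapped, _ in NAT_RULES:
        if real_if == ingress_if and ipaddress.ip_address(src_real) in real_net:
            return mapped
    return None

def inbound_decision(src, dst_mapped, proto="icmp"):
    """Return (action, real_dst, syslog) for a packet arriving on outside."""
    hit = untranslate_inbound(dst_mapped)
    if hit is None:                      # no xlate: the ASA has nowhere to send it
        return "drop-no-xlate", None, None
    egress_if, real_dst = hit
    for action, acl_proto, acl_src, acl_dst in OUTSIDE_ACL:
        if acl_proto in (proto, "ip") and acl_src in ("any", src) and acl_dst in ("any", real_dst):
            log = None
            if action == "deny":         # simplified form of the 106100 message in the post
                log = f"%ASA-6-106100: access-list outside denied {proto} outside/{src} -> {egress_if}/{real_dst}"
            return action, real_dst, log
    return "deny", real_dst, None        # implicit deny at the end of the ACL
```

Feeding it the partner's two pings gives the same verdicts as the lab: 91.91.91.1 is permitted after untranslation to dmz/192.168.40.1, while 80.0.0.254 falls through to the logged deny.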

Author:  denzo [ Wed May 09, 2012 1:33 am ]
Post subject:  Re: Dynamic PAT and static NAT on ASA 8.4(2)

nice work, thanks for sharing

Author:  n1to [ Wed Oct 10, 2012 4:40 am ]
Post subject:  Re: Dynamic PAT and static NAT on ASA 8.4(2)

Thank you very much for sharing! Figure out how to replicate your topology w/ the ASA connecting to the c7200.

Cheers.
