Solved

CISCO ASA NAT

Posted on 2013-05-20
6
554 Views
Last Modified: 2013-05-24
Need the following config sanity checked:

This should NAT hosts from [company_cust_Subnets] when going to [cust_terminal_Servers]
It will translate the source IP to one from [cust_NAT_Translated_IP_Pool].

ASA IOS - 9.1(1)

***************************************************

nat (Internal,cust-LES) 1 source dynamic company_cust_Subnets Translated_IP_Pool destination static cust_terminal_Servers cust_terminal_Servers


***************************************************

object network Translated_IP_Pool
 range 192.168.0.1 192.168.0.254

***************************************************

object network Internal_Subnets
 subnet 172.22.0.0 255.255.255.0

object network cust_terminal_Servers
 host 192.168.2.254


***************************************************
0
Question by:Munkymajik888
6 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 39181590
It appears good, but I don't have a way to test that at the moment.
0
 
LVL 2

Author Comment

by:Munkymajik888
ID: 39181647
Thanks - I've only really got one window to implement the change and the client will be on site so I'll be under scrutiny.

Also I don't have a test lab set up for this either... note to self: make an ASA test lab with GNS3...

Just really need someone to say - that will (99.9% sure) do what you intend it to do.
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 39181727
Got it tested, and it looks good.

R1 - (inside)ASA(outside) - R2

R1#sh run
Building configuration...

Current configuration : 702 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 172.22.0.100 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.22.0.1
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

R1#




R2#sh run
Building configuration...

Current configuration : 792 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.2.100 255.255.255.0 secondary
 ip address 192.168.2.254 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password cisco
 login
!
!
end

R2#




ciscoasa# more system:running-config
Cryptochecksum: d8c486fe 65aebf59 6c470fd8 80fd9985
: Saved
: Written by enable_15 at 16:14:50.589 UTC Mon May 20 2013
!
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 172.22.0.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network Translated_IP_Pool
 range 192.168.0.1 192.168.0.254
object network Internal_Subnets
 subnet 172.22.0.0 255.255.255.0
object network cust_terminal_Servers
 host 192.168.2.254
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic Internal_Subnets Translated_IP_Pool destination static cust_terminal_Servers cust_terminal_Servers
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:d8c486fe65aebf596c470fd880fd9985
: end

ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic Internal_Subnets Translated_IP_Pool   destination static cust_terminal_Servers cust_terminal_Servers
    translate_hits = 1, untranslate_hits = 0
ciscoasa# show xlate
1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:172.22.0.100 to outside:192.168.0.178 flags i idle 0:03:01 timeout 3:00:00
ciscoasa#




I made two telnet connections from R1 to R2: one to 192.168.2.254, and another to 192.168.2.100 (the secondary IP).

R2#who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:03
 130 vty 0                idle                 00:01:57 192.168.0.178
*131 vty 1                idle                 00:00:00 172.22.0.100

  Interface    User               Mode         Idle     Peer Address

R2#

As you can see, the source IP changed based on the destination, so you are looking good. The only thing I changed was "company_cust_Subnets" in the nat statement, which referenced an object that didn't exist, so I changed it to "Internal_Subnets".
0
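The two things worth verifying before the change window are exactly what the accepted answer did by hand: that every object the nat statement names is defined (the question's line referenced company_cust_Subnets, which did not exist), and that the source translation is conditional on the destination (translated towards cust_terminal_Servers, untouched towards anything else, as the R2 "who" output showed). The following is an added Python model of that manual NAT rule written for this thread; it is not Cisco code and not part of the original posts. It parses the object and nat lines from the accepted answer, reports undefined object references, and simulates the translation. Pool allocation is sequential here for determinism, which is an assumption: a real ASA picks pool addresses dynamically (the lab happened to get 192.168.0.178).

```python
"""Model of the ASA manual (twice) NAT rule from the thread: object reference
check plus destination-conditional source translation.  Added example, not
Cisco code.  Sequential pool allocation is an assumption for determinism."""
import ipaddress
import re

# Constructed sample: the objects plus the nat line exactly as the accepted answer tested it.
TESTED_CONFIG = """\
object network Translated_IP_Pool
 range 192.168.0.1 192.168.0.254
object network Internal_Subnets
 subnet 172.22.0.0 255.255.255.0
object network cust_terminal_Servers
 host 192.168.2.254
nat (inside,outside) source dynamic Internal_Subnets Translated_IP_Pool destination static cust_terminal_Servers cust_terminal_Servers
"""

# The nat line from the original question; it references an object that is never defined.
QUESTION_NAT_LINE = ("nat (Internal,cust-LES) 1 source dynamic company_cust_Subnets Translated_IP_Pool "
                     "destination static cust_terminal_Servers cust_terminal_Servers")

# Manual NAT syntax used on the page: "nat (real_if,mapped_if) [section] source dynamic R M destination static R M"
NAT_RE = re.compile(
    r"nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)(?: \d+)? source dynamic "
    r"(?P<real_src>\S+) (?P<mapped_src>\S+) destination static (?P<real_dst>\S+) (?P<mapped_dst>\S+)$"
)


def parse_objects(text):
    """Return {object name: list of IPv4Network} for 'object network' blocks (host/subnet/range)."""
    objects, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            objects[current] = []
            continue
        if current is None or not line or line.startswith("nat "):
            continue
        kw, *args = line.split()
        if kw == "host":
            objects[current].append(ipaddress.ip_network(args[0]))            # single /32
        elif kw == "subnet":
            objects[current].append(ipaddress.ip_network(f"{args[0]}/{args[1]}"))  # addr/netmask form
        elif kw == "range":
            first, last = map(ipaddress.ip_address, args)
            objects[current].extend(ipaddress.summarize_address_range(first, last))
    return objects


def parse_nat_rules(text):
    """Return the manual NAT lines as dicts (regex groups plus the raw line), in config order."""
    rules = []
    for raw in text.splitlines():
        m = NAT_RE.match(raw.strip())
        if m:
            rules.append({**m.groupdict(), "line": raw.strip()})
    return rules


def undefined_objects(nat_line, objects):
    """Object names referenced by one nat statement that have no 'object network' definition."""
    m = NAT_RE.match(nat_line.strip())
    if not m:
        raise ValueError("not a recognised manual NAT line")
    refs = [m.group(k) for k in ("real_src", "mapped_src", "real_dst", "mapped_dst")]
    return sorted({r for r in refs if r not in objects})


def _matches(ip, nets):
    return any(ip in n for n in nets)


class ManualNat:
    """First matching rule wins; the source is translated only when BOTH real_src and real_dst match."""

    def __init__(self, config_text):
        self.objects = parse_objects(config_text)
        self.rules = parse_nat_rules(config_text)
        for r in self.rules:
            missing = undefined_objects(r["line"], self.objects)
            if missing:   # the defect the accepted answer found in the question's line
                raise ValueError(f"nat statement references undefined objects: {missing}")
        self.xlate = {}   # real source -> mapped source, like the ASA xlate table

    def _next_pool_address(self, pool_name):
        used = set(self.xlate.values())
        for net in self.objects[pool_name]:
            for addr in net:          # iterating a network yields every address in it
                if addr not in used:
                    return addr
        raise RuntimeError("NAT pool exhausted")

    def translate(self, src, dst):
        """Return (translated_src, dst) as strings for a connection from src to dst through the ASA."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if _matches(src, self.objects[r["real_src"]]) and _matches(dst, self.objects[r["real_dst"]]):
                if src not in self.xlate:
                    self.xlate[src] = self._next_pool_address(r["mapped_src"])
                return str(self.xlate[src]), str(dst)   # destination is static identity (X X)
        return str(src), str(dst)   # no rule matched: identity, as the telnet to 192.168.2.100 showed


if __name__ == "__main__":
    print("undefined in question's line:", undefined_objects(QUESTION_NAT_LINE, parse_objects(TESTED_CONFIG)))
    asa = ManualNat(TESTED_CONFIG)
    print("to terminal server:", asa.translate("172.22.0.100", "192.168.2.254"))
    print("to secondary IP:   ", asa.translate("172.22.0.100", "192.168.2.100"))
```

Running it reports the undefined object from the question's line and shows R1's address rewritten to a pool address only when the destination is the terminal server host, which matches the two vty sessions in the R2 "who" output. The model also makes the reuse of an existing xlate visible: a second connection from the same inside host to the terminal server keeps the same mapped address until it would time out on the ASA.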

 
LVL 2

Author Comment

by:Munkymajik888
ID: 39182345
Awesome! Thanks for that!

I'll be putting this on tomorrow by the looks of things - I'll let you know how I get on.

ta
0
 
LVL 2

Author Comment

by:Munkymajik888
ID: 39193768
Hi there - sorry for the delay

Not been able to apply this config yet as we've had other issues - I'll mark this as completed though as I've had confirmation from another source that this is good to go.

Thanks for your assistance.

G
0
 
LVL 2

Author Closing Comment

by:Munkymajik888
ID: 39193771
Very good response to my question

Thanks
0
