Solved

CISCO ASA NAT

Posted on 2013-05-20
562 Views
Last Modified: 2013-05-24
Need the following config sanity checked:

This should NAT hosts from [company_cust_Subnets] when going to [cust_terminal_Servers]; it will translate the source IP to one from [cust_NAT_Translated_IP_Pool].

ASA IOS - 9.1(1)

***************************************************

nat (Internal,cust-LES) 1 source dynamic company_cust_Subnets Translated_IP_Pool destination static cust_terminal_Servers cust_terminal_Servers


***************************************************

object network Translated_IP_Pool
 range 192.168.0.1 192.168.0.254

***************************************************

object network Internal_Subnets
 subnet 172.22.0.0 255.255.255.0

object network cust_terminal_Servers
 host 192.168.2.254


***************************************************
Question by:Munkymajik888
6 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 39181590
It appears good, but I don't have a way to test that at the moment.
 
LVL 2

Author Comment

by:Munkymajik888
ID: 39181647
Thanks - I've only really got one window to implement the change and the client will be on site so I'll be under scrutiny.

Also I don't have a test lab setup for this either... note to self.... make ASA test lab with GNS3...

Just really need someone to say - that will (99.9% sure) do what you intend it to do.
 
LVL 20

Accepted Solution

by: rauenpc earned 500 total points
ID: 39181727
Got it tested, and it looks good.

R1 - (inside)ASA(outside) - R2

R1#sh run
Building configuration...

Current configuration : 702 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 172.22.0.100 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.22.0.1
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

R1#




R2#sh run
Building configuration...

Current configuration : 792 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.2.100 255.255.255.0 secondary
 ip address 192.168.2.254 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password cisco
 login
!
!
end

R2#




ciscoasa# more system:running-config
Cryptochecksum: d8c486fe 65aebf59 6c470fd8 80fd9985
: Saved
: Written by enable_15 at 16:14:50.589 UTC Mon May 20 2013
!
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 172.22.0.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network Translated_IP_Pool
 range 192.168.0.1 192.168.0.254
object network Internal_Subnets
 subnet 172.22.0.0 255.255.255.0
object network cust_terminal_Servers
 host 192.168.2.254
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic Internal_Subnets Translated_IP_Pool destination static cust_terminal_Servers cust_terminal_Servers
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:d8c486fe65aebf596c470fd880fd9985
: end

ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic Internal_Subnets Translated_IP_Pool   destination static cust_terminal_Servers cust_terminal_Servers
    translate_hits = 1, untranslate_hits = 0
ciscoasa# show xlate
1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:172.22.0.100 to outside:192.168.0.178 flags i idle 0:03:01 timeout 3:00:00
ciscoasa#




I made two telnet connections from R1 to R2. One to 192.168.2.254, and another to 192.168.2.100 (secondary IP).

R2#who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:03
 130 vty 0                idle                 00:01:57 192.168.0.178
*131 vty 1                idle                 00:00:00 172.22.0.100

  Interface    User               Mode         Idle     Peer Address

R2#

As you can see, the source IP changed based on the destination, so you are looking good. The only thing I changed was "company_cust_Subnets" in the nat statement, which referenced an object that didn't exist, so I changed it to "Internal_Subnets".
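The accepted answer caught the one defect by eye: the nat statement referenced an object name that was never defined. As an added example (not code from this thread), the Python below performs that sanity check mechanically against the question's own config: it parses the object network blocks and the twice-NAT statement, and reports dangling object names, a destination that is not an identity translation, and a mapped pool that overlaps the destination. The regex covers only the syntax shown on this page and is an assumption, not a general ASA parser.

```python
import ipaddress
import re

# Constructed sample: the nat statement and objects exactly as posted in the
# question; "company_cust_Subnets" has no matching object definition.
QUESTION_CONFIG = """
nat (Internal,cust-LES) 1 source dynamic company_cust_Subnets Translated_IP_Pool destination static cust_terminal_Servers cust_terminal_Servers
object network Translated_IP_Pool
 range 192.168.0.1 192.168.0.254
object network Internal_Subnets
 subnet 172.22.0.0 255.255.255.0
object network cust_terminal_Servers
 host 192.168.2.254
"""
# Assumed shape: nat (in,out) [seq] source dynamic REAL MAPPED [destination static REAL MAPPED]
NAT_RE = re.compile(
    r"^nat \([^,]+,[^)]+\)(?: \d+)? source dynamic (?P<src>\S+) (?P<pool>\S+)"
    r"(?: destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?"
)

def parse_objects(config):
    """Map each 'object network' name to the set of networks it covers."""
    objects, current = {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
            objects[current] = set()
        elif current and line.startswith(" ") and line.strip():
            kind, *args = line.split()
            if kind == "host":
                objects[current].add(ipaddress.ip_network(args[0]))
            elif kind == "subnet":  # ip_network accepts a dotted netmask
                objects[current].add(ipaddress.ip_network(f"{args[0]}/{args[1]}"))
            elif kind == "range":  # expand first..last into covering prefixes
                objects[current].update(ipaddress.summarize_address_range(*map(ipaddress.ip_address, args)))
    return objects

def check_nat(config):
    """Findings per nat statement: dangling names, non-identity destination, pool/destination overlap."""
    objects, findings = parse_objects(config), []
    for m in filter(None, map(NAT_RE.match, config.splitlines())):
        for name in filter(None, m.group("src", "pool", "dst_real", "dst_mapped")):
            if name not in objects:
                findings.append(f"undefined object referenced: {name}")
        if m["dst_real"] and m["dst_real"] != m["dst_mapped"]:
            findings.append("destination real and mapped objects differ (not identity)")
        for pool_net in objects.get(m["pool"], ()):
            for dst_net in objects.get(m["dst_real"], ()):
                if pool_net.overlaps(dst_net):
                    findings.append(f"mapped pool {pool_net} overlaps destination {dst_net}")
    return findings
```

Run `check_nat` against the posted config and it reports only the dangling `company_cust_Subnets`; after the answer's rename to `Internal_Subnets` it reports nothing.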
 
LVL 2

Author Comment

by:Munkymajik888
ID: 39182345
Awesome! Thanks for that!

I'll be putting this on tomorrow by the looks of things - I'll let you know how I get on.

ta
 
LVL 2

Author Comment

by:Munkymajik888
ID: 39193768
Hi there - sorry for the delay

Not been able to apply this config yet as we've had other issues - I'll mark this as completed though as I've had confirmation from another source that this is good to go

thanks for your assistance

G
 
LVL 2

Author Closing Comment

by:Munkymajik888
ID: 39193771
Very good response to my question

Thanks
