Solved

CISCO ASA NAT

Posted on 2013-05-20
Last Modified: 2013-05-24
Need the following config sanity checked:

This should NAT hosts from [company_cust_Subnets] when going to [cust_terminal_Servers];
it will translate the source IP to one from [cust_NAT_Translated_IP_Pool].

ASA IOS - 9.1(1)

***************************************************

nat (Internal,cust-LES) 1 source dynamic company_cust_Subnets Translated_IP_Pool destination static cust_terminal_Servers cust_terminal_Servers


***************************************************

object network Translated_IP_Pool
 range 192.168.0.1 192.168.0.254

***************************************************

object network Internal_Subnets
 subnet 172.22.0.0 255.255.255.0

object network cust_terminal_Servers
 host 192.168.2.254


***************************************************
Question by:Munkymajik888
6 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 39181590
It appears good, but I don't have a way to test that at the moment.
LVL 2

Author Comment

by:Munkymajik888
ID: 39181647
Thanks - I've only really got one window to implement the change and the client will be on site, so I'll be under scrutiny.

Also I don't have a test lab set up for this either... note to self... make an ASA test lab with GNS3...

Just really need someone to say: that will (99.9% sure) do what you intend it to do.
LVL 20

Accepted Solution

by:
rauenpc earned 2000 total points
ID: 39181727
Got it tested, and it looks good.

R1 - (inside)ASA(outside) - R2

R1#sh run
Building configuration...

Current configuration : 702 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 172.22.0.100 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.22.0.1
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

R1#


R2#sh run
Building configuration...

Current configuration : 792 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.2.100 255.255.255.0 secondary
 ip address 192.168.2.254 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password cisco
 login
!
!
end

R2#


ciscoasa# more system:running-config
Cryptochecksum: d8c486fe 65aebf59 6c470fd8 80fd9985
: Saved
: Written by enable_15 at 16:14:50.589 UTC Mon May 20 2013
!
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 172.22.0.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network Translated_IP_Pool
 range 192.168.0.1 192.168.0.254
object network Internal_Subnets
 subnet 172.22.0.0 255.255.255.0
object network cust_terminal_Servers
 host 192.168.2.254
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic Internal_Subnets Translated_IP_Pool destination static cust_terminal_Servers cust_terminal_Servers
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:d8c486fe65aebf596c470fd880fd9985
: end

ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic Internal_Subnets Translated_IP_Pool   destination static cust_terminal_Servers cust_terminal_Servers
    translate_hits = 1, untranslate_hits = 0
ciscoasa# show xlate
1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:172.22.0.100 to outside:192.168.0.178 flags i idle 0:03:01 timeout 3:00:00
ciscoasa#


I made two telnet connections from R1 to R2: one to 192.168.2.254, and another to 192.168.2.100 (the secondary IP).

R2#who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:03
 130 vty 0                idle                 00:01:57 192.168.0.178
*131 vty 1                idle                 00:00:00 172.22.0.100

  Interface    User               Mode         Idle     Peer Address

R2#

As you can see, the source IP changed based on the destination, so you are looking good. The only thing I changed was "company_cust_Subnets" in the nat statement: it referenced an object that didn't exist, so I changed it to "Internal_Subnets".
0
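A sanity check in the spirit of the accepted answer, added here as an example and not code from the thread: it parses the `object network` blocks and the twice-NAT line from the asker's config, flags any object the nat statement references that is never defined (the exact problem rauenpc found), and simulates whether a given source/destination pair would have its source translated. The config excerpt is constructed from the question; the parser only understands host/subnet/range objects and `source dynamic ... destination static` rules, which is all this config uses.

```python
import ipaddress
import re

# Constructed excerpt of the asker's config. The undefined-object reference
# (company_cust_Subnets) is left in deliberately so the check catches it.
ASA_CONFIG = """
object network Translated_IP_Pool
 range 192.168.0.1 192.168.0.254
object network Internal_Subnets
 subnet 172.22.0.0 255.255.255.0
object network cust_terminal_Servers
 host 192.168.2.254
nat (Internal,cust-LES) 1 source dynamic company_cust_Subnets Translated_IP_Pool destination static cust_terminal_Servers cust_terminal_Servers
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\)(?: \d+)? source dynamic (\S+) (\S+) destination static (\S+) (\S+)")
NAT_FIELDS = ["in_if", "out_if", "real_src", "mapped_src", "real_dst", "mapped_dst"]

def parse_objects(cfg):
    """Return {object name: predicate(ip) -> bool} for host/subnet/range objects."""
    objs, name = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            name = m.group(1)
            continue
        if name and line.startswith(" "):
            kind, *args = line.split()
            if kind in ("host", "subnet"):
                net = ipaddress.ip_network(args[0] if kind == "host" else f"{args[0]}/{args[1]}")
                objs[name] = lambda ip, n=net: ip in n
            elif kind == "range":
                lo, hi = map(ipaddress.ip_address, args)
                objs[name] = lambda ip, lo=lo, hi=hi: lo <= ip <= hi
    return objs

def parse_nat(cfg):
    """Return one dict per twice-NAT rule, keyed by NAT_FIELDS."""
    return [dict(zip(NAT_FIELDS, m.groups())) for m in map(NAT_RE.match, cfg.splitlines()) if m]

def undefined_refs(cfg):
    """Object names a nat statement uses but the config never defines."""
    objs = parse_objects(cfg)
    return sorted({v for r in parse_nat(cfg) for k, v in r.items()
                   if k.endswith(("src", "dst")) and v not in objs})

def src_translated(cfg, src, dst):
    """True if some rule matches src->dst, i.e. the source would be mapped into the pool.
    An undefined object matches nothing (a real ASA would reject the command outright)."""
    objs, src, dst = parse_objects(cfg), ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hit = lambda name, ip: name in objs and objs[name](ip)
    return any(hit(r["real_src"], src) and hit(r["real_dst"], dst) for r in parse_nat(cfg))
```

On the real box, the `show nat` translate_hits counter and the `show xlate` entry from the answer above are the equivalent confirmation.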
LVL 2

Author Comment

by:Munkymajik888
ID: 39182345
Awesome! Thanks for that!

I'll be putting this on tomorrow by the looks of things - I'll let you know how I get on.

ta
LVL 2

Author Comment

by:Munkymajik888
ID: 39193768
Hi there - sorry for the delay

Not been able to apply this config yet as we've had other issues - I'll mark this as completed though, as I've had confirmation from another source that this is good to go.

Thanks for your assistance

G
LVL 2

Author Closing Comment

by:Munkymajik888
ID: 39193771
Very good response to my question

Thanks