This topic is to discuss the following lesson:
I dont know exactly what topic to place this question in thats why i am placing it here
i got an opportunity for 3 days to work under a CCIE who was very rude and did not bother to ask him any questions as i knew he was not interested in explaining
i was able to understand all bits till core SW through knowledge of your tutorials on VLAN and routing ,However cannot understand few bits in design at this point
They got a public IP block from ISP lets say 18.104.22.168/27 30 host count
Now the way the IP are assigned is as - 22.214.171.124 => ISP router LAN interface connecting to my ASA
- 126.96.36.199 => Outside interface of my ASA
Then there is CORE-SW- with different and server VLAN and few servers connected to server-vlan and require public access to them (web and email)[no-dmz].
For the purpose hiding internal IP-scheme NAT is configured at ASA pointing to server as follows
So after all this lines my Question WHICH INTERFACE THIS IP 188.8.131.52 - 184.108.40.206 - 220.127.116.11 is assigned ,Where does this IP reside
-Do this IP remain in company network
please explain -As i know no one can expalain better than you in simple way
OH ! ATTACHED IS A DESIGN LAYOUT
Thanks in ADVANCE
If I have many subnets inside my local network.
How can I PAT all of subnets?
i did not understand that answer and did not expect this kind of answer
thanks you any way
that was help ful
When you configure an IP address on the ASA then your ASA will know which IP addresses belong to the subnet. For example, let’s say you have subnet 18.104.22.168/27.
Once you configure 22.214.171.124/27 on the outside interface, your ASA knows that this is a subnet with 30 addresses. You can use any of the addresses in this subnet for NAT and you don’t have to configure these addresses on the interface. Just make sure that it’s not in use…
You could use object groups to “bundle” multiple network objects. You could also configure a bigger subnet range in the network object.
ASA1(config)# object network INSIDE ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0 ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic 192.168.2.253
this tells our firewall to translate traffic from the 192.168.1.0 /24 subnet headed towards the OUTSIDE to IP address 192.168.2.253. If you configure the IP address like this then it has to be an IP address that is not in use on the interface. For example, when I try to use 192.168.2.254 (that’s the IP address on the OUTSIDE interface) then I will get an error
Can you please explain from the above statement if 192.168.2.253 is INSIDE GLOBAL OR DESTINATION IP in the packet that is sourced from INSIDE?
When a host on the inside tries to reach something on the Internet then the destination will be the device on the Internet. For example, a webserver that is reachable on 126.96.36.199 or something.
When the packet reaches the ASA, the 192.168.1.x address will be translated to 192.168.2.253. It translates the source address. 192.168.2.253 is the inside global address.
So, I have an odd situation.
I have a traditional 3-legged set up with my ASA 5505, running 9.2, with security plus license.
Following your design, the inside is the 1 network, dmz is the 3 network and outside is the 2 network. I have an additional host beyond that is 188.8.131.52.
I am just doing what is apparently a traditional PAT, which works from the inside, but not from the outside. I see the icmp requests going out from dmz, but no reply. Because of the security level, does that require something else?
Here is some of the relevant code:
ASA5505# sh run object object network inside subnet 192.168.1.0 255.255.255.0 object network dmz subnet 192.168.3.0 255.255.255.0 ASA5505# sh run nat nat (dmz,outside) source dynamic any interface ! object network inside nat (inside,outside) dynamic interface object network dmz nat (dmz,outside) dynamic interface ASA5505#
My host at 192.168.3.10 can ping its gateway at 192.168.3.1 on the asa.
Inside hosts can ping all hops from gateway 192.168.1.1 to outside 192.168.2.10 to remote host 184.108.40.206
I have no other acls.
So, after wiping out my ASA 5505 configuration and starting over, with the same nat rules as above, and also playing with ACLs like this:
access-list dmz-out extended deny ip object dmz object inside access-list dmz-out extended permit ip object dmz any4
I’ve come to some conclusions.
- the deny line above was used to prevent the dmz traffic to inside (worked)
- that nat, xlate were there.
- that icmp is not allowed out from dmz
- that ssh, and other protocols are allowed out without any ACL, just based on nat.
174: 15:28:50.809345 802.1Q vlan#4 P0 192.168.3.10.65114 > 192.168.2.10.22: F 731092586:731092586(0) ack 902071277 win 32832 <nop,nop,timestamp 3218242 3220456> 175: 15:28:50.819888 802.1Q vlan#4 P0 192.168.2.10.22 > 192.168.3.10.65114: . ack 731092586 win 32780 <nop,nop,timestamp 3220468 3218241> 176: 15:28:50.819919 802.1Q vlan#4 P0 192.168.2.10.22 > 192.168.3.10.65114: F 902071277:902071277(0) ack 731092586 win 32832 <nop,nop,timestamp 3220471 3218241> 177: 15:28:50.822009 802.1Q vlan#4 P0 192.168.3.10.65114 > 192.168.2.10.22: F 731092586:731092586(0) ack 902071278 win 32831 <nop,nop,timestamp 3218258 3220471> 178: 15:28:50.823535 802.1Q vlan#4 P0 192.168.2.10.22 > 192.168.3.10.65114: . ack 731092587 win 32831 <nop,nop,timestamp 3220480 3218258> 179: 15:28:59.991739 802.1Q vlan#4 P0 192.168.3.10.57911 > 192.168.2.10.23: S 3651934508:3651934508(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 3227424 0,sackOK,eol> 180: 15:28:59.993524 802.1Q vlan#4 P0 192.168.2.10.23 > 192.168.3.10.57911: S 2606032245:2606032245(0) ack 3651934509 win 65535 <mss 1380,nop,wscale 1,nop,nop,timestamp 3229649 3227424,sackOK,eol> 181: 15:28:59.996255 802.1Q vlan#4 P0 192.168.3.10.57911 > 192.168.2.10.23: . ack 2606032246 win 32832 <nop,nop,timestamp 3227428 3229649>
So, in conclusion, it all works just fine. Its likely a limitation or “security feature” of the 5505, but not because of the security-level on the dmz interface (security-level 50).
Thanks for sharing that valuable information from your experience!
I am still not clear with the ASA order of operation. I think its different before 8.3 and after 8.3 IOS. Can some one help me in understanding it? .
Nat rule–> access rule —> route look up –
access rule —> nat rule —> route lookup
The order of operation depends on if the NAT involved is source NAT or destination NAT. Specifically:
For ASA versions before AND after 8.3 with SOURCE NAT, the order of operation does NOT change. That is:
1 Routing, 2 Inbound ACL, 3 NAT
For ASA versions BEFORE 8.3 and DESTINATION NAT, the order of operation is as follows:
1 ACL 2 Destination NAT 3 Routing
For ASA versions AFTER 8.3 and DESTINATION NAT, the order of operation is as follows:
1 Destination NAT/Partial routing* 2 ACL
*Partial routing refers to the determination of the exit interface based on the NAT rule.
I hope this has been helpful!
thanks its clear now
HI i need explanation about NAT sections in ASA. Please help me on this topic
Anything in particular? I have quite some NAT/PAT examples for the ASA:
Take a look at unit 2.
In your example only configure PAT for a single outside IP address, If I have a pool of outside IP address and i want to configure Dynamic NAT and PAT in the same time. What i need to do ?
Please help me check this out Thank you
In the example in the lesson, the PAT configuration uses a range of internal addresses defined by
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
and translates them to a single outside address using this command:
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic 192.168.2.253
If you want to have a pool of outside addresses, you could use the following command instead:
ASA1(config-network-object)# nat (inside,outside) dynamic pat-pool IP_POOL
where IP_POOL is an access list defining a pool of addresses.
Now let’s say you have a range of outside addresses from 220.127.116.11 to 18.104.22.168. You can define a pool to be used for PAT as 22.214.171.124 to 126.96.36.199 and have an internal subnet be mapped to that range using PAT. Now PAT is a many-to-one mapping of internal IP addresses to external IP addresses.
Now dynamic NAT is a one-to-one mapping of internal to external IP addresses. On the same interface you can configure dynamic NAT to use external IP addresses 188.8.131.52 and 184.108.40.206 to translate dynamically to a range of (two) internal addresses.
I hope this has been helpful!
When I try to enter:
ASA1(config)# object network INSIDE_TO_OUTSIDE ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic interface
I get the following error:
ERROR: empty object/object-group(s) detected. NAT Policy is not downloaded
I’m new to ASA and don’t know what the problem is, any ideas?
It looks like NAT can’t find the addresses that are identified as inside and/or outside. They look like they’re undefined for some reason. There are several things you may need to look at.
First, verify that you have successfully identified and configured your INSIDE and your OUTSIDE interfaces. If that is OK, then you may just need to reset the NAT configuration. To do so, copy your existing NAT config to a text editor, do
clear configuration nat and then reapply. The process sometimes gets “stuck”. This is known to occur with version 8.4.5.
I hope this has been helpful!
Thanks Laz, I’ll give it a shot!