asa version 9.1 nat hands-on configuration...

Upload: trinhhuong

Posted on 28-Apr-2018


TRANSCRIPT

Page 1: ASA version 9.1 NAT Hands-on Configuration Lab LTRSEC-3023, Gerard van Bon (source: d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/LTRSEC-3023.pdf)
Page 2

ASA version 9.1 NAT Hands-on Configuration Lab LTRSEC-3023

Gerard van Bon - CSE Security

Markus Frey - CSE Security


Page 3

© 2014 Cisco and/or its affiliates. All rights reserved. LTRSEC-3023 Cisco Public

Introduction

Who created this lab

Why we wanted to create this Lab

What we hope you get out of it

Jay Johnston [email protected] Technical Leader, Services 9 years @ Cisco

David White [email protected] Technical Leader, Services 13 years @ Cisco

Page 4

Agenda

4 hour class with 5 hands-on Labs

Format is alternating Lecture… then Lab

Lectures will focus on NAT migration and configuring NAT on the ASA

For each Lab, you will have approximately 20 minutes

After each Lab, we will walk through the solution

There will be one 15-minute break

Page 5

Lab Design

By Popular Demand: This Lab is designed around ASDM!

However… we are CLI guys, so we have added that in there too :-)


Page 6

Background Knowledge: NAT Migration, Upgrading the ASA to version 8.3+

Page 7

The Basics

ASA Version 8.3 is syntactically very different from all previous versions

The core of the ASA – NAT and ACLs were both fundamentally altered

If you were used to the old CLI style, it is a big adjustment

8.3 Upgrade Information: Key Changes

1. NAT configuration is completely different, and can be applied both in nat commands as well as in a network object

2. Real-IPs are used in ACLs, instead of NATed IPs

3. NAT statements only accept named objects – no more IP addresses

Page 8

Version 8.3+ Upgrade Information: Upgrade Considerations

Increased memory requirements

ASA-5505s through ASA-5540s shipped before Feb 2010 do not meet minimum memory requirements for 8.3+

Memory should be upgraded prior to upgrading to 8.3+

Zero-downtime upgrade is supported from 8.2 to 8.3

ASA Memory Upgrade Videos:

ASA-5505: https://supportforums.cisco.com/docs/DOC-11643

ASA-5510 through ASA-5540: http://www.cisco.com/en/US/docs/security/asa/hw/video/5500/asa_5510_mem_upgd.html

Page 9

Version 8.3+ Upgrade Information: Memory Requirement Matrix (for your reference)

ASA    License                    Pre-8.3 Memory   8.3+ Memory   Memory Part Number
5505   All other licenses         256 MB           256 MB        No Memory Upgrade Needed
5505   Unlimited Inside Hosts     256 MB           512 MB        ASA5505-MEM-512=
5505   Security Plus (failover)   256 MB           512 MB        ASA5505-MEM-512=
5510   All licenses               256 MB           1024 MB       ASA5510-MEM-1GB=
5520   All licenses               512 MB           2048 MB       ASA5520-MEM-2GB=
5540   All licenses               1024 MB          2048 MB       ASA5540-MEM-2GB=
5550   All licenses               4096 MB          4096 MB       No Memory Upgrade Needed
558x   All licenses               8-24 GB          8-24 GB       No Memory Upgrade Needed

Page 10

Version 8.3+ Upgrade Information: Upgrade Paths (for your reference)

Cisco only supports upgrade from 8.2 to either 8.3 or 8.4

Incremental upgrade steps might be necessary

[Upgrade path diagram: 7.0 -> 7.1 -> 7.2 -> 8.0 / 8.1 (5580 ONLY) -> 8.2 -> 8.3 -> 8.4, shown for the ASA 5505-5550, ASA 5580 and ASA 5585 platforms, with the older releases marked EOL]

Page 11

Version 8.3+ Upgrade Information: How to Upgrade

Upgrade process is identical to all previous upgrades

– From the CLI – set the first boot system command to be the new image

– From ASDM – under Device Management > Boot Image

At boot, ASA reads startup config. If the version in the startup-config is less than 8.3 and the nat_ident_migrate file is not in flash, the ASA determines this is an upgrade and automatically initiates the config conversion process.

ASA-5520# show startup-config
: Saved
: Written by dwhitejr at 09:55:35.534 UTC Tue Apr 17 2012
!
ASA Version 8.2(5)          <- Version < 8.3, convert config
!
hostname ASA-5520
domain-name cisco.com
enable password TRPEas6f/aa6JSPL level 1 encrypted

Page 12

ASDM Upgrade Process: Set Boot Image

In ASDM, select: Configuration > Device Management > System Image/Configuration > Boot Image/Configuration

Then reload: Tools > System Reload

Page 13

Version 8.3+ Upgrade Information: First Boot

After first boot, the running config will contain the new, upgraded/converted configuration

The startup-config still maintains the ‘old’ config

Issue a ‘write memory’ to save the upgraded config to startup.

The upgrade process saves the following files to disk:

<version>_startup_cfg.sav – Pre-converted config file

upgrade_startup_errors_<timestamp>.log – Informational messages, warnings, and conversion errors

nat_ident_migrate – Flag (zero-byte file) indicating config migration took place

Page 14

Version 8.3+ Upgrade Information: First Boot

Examine the contents of the upgrade_startup_errors… file

ASA-5520-2# more disk0:/upgrade_startup_errors_201206010013.log
INFO: MIGRATION - Saving the startup errors to file
'flash:upgrade_startup_errors_201206010013.log'
Reading from flash...
!
REAL IP MIGRATION: WARNING
In this version access-lists used in 'access-group', 'class-map',
'dynamic-filter classify-list', 'aaa match' will be migrated from
using IP address/ports as seen on interface, to their real values.
If an access-list used by these features is shared with per-user ACL
then the original access-list has to be recreated.
INFO: Note that identical IP addresses or overlapping IP ranges on
different interfaces are not detectable by automated Real IP migration.
If your deployment contains such scenarios, please verify your migrated
configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete
explanation of the automated migration process.
INFO: MIGRATION - Saving the startup configuration to file
INFO: MIGRATION - Startup configuration saved to file
'flash:8_2_5_0_startup_cfg.sav'

Page 15

Version 8.3+ Upgrade Information: Downgrade Procedure

If you encounter problems after upgrading and cannot troubleshoot, you must use the downgrade CLI command

Simply changing the boot variable back to the older image will cause issues such as NAT config loss

Specify the old image and auto-saved pre-upgrade config file

ASA# downgrade disk0:/asa825-k8.bin disk0:/8_2_5_0_startup_cfg.sav
The device will reload and downgrade to the specified image.
Press [Y]es or <newline> to confirm (any other key will abort):Y
INFO: Boot parameters cleared
INFO: Boot system configured to be disk0:/asa825-k8.bin
Cryptochecksum: 649f039b 0c1e911f 73cf3717 d93017a9
3616 bytes copied in 1.740 secs (3616 bytes/sec)
INFO: Saving disk0:/8_2_5_0_startup_cfg.sav to startup-config
Copy in progress...C
3550 bytes copied in 0.10 secs
Process shutdown finished
Rebooting…

Page 16

Let the Fun Begin!

Page 17

Objective

The objective is simple, keep your web server up (100% availability).

Watch the status of your server on the screen. Green means UP, Red means Down.

Page 18

Lab – General Rules

1. Do Not – Remove the IP Address from your ASA

2. Do Not – Shutdown any of the Interfaces on your ASA

3. Do Not – Block SSH access to your ASA (by modifying the ‘ssh …’ commands)

4. Do Not – Remove/Change usernames or passwords

5. Do Not – Modify the AAA configuration

6. Do Not – Block access from our monitoring server (10.1.1.211) to your web server

7. Please see us if you feel the need to ‘reboot’ your ASA

Page 19

Lab – Initial Connectivity

The Lab Guide provides the topology and all connectivity information.

Follow the steps there to:

1. Establish the SSH Session to your ASA

2. Verify your Web Server is serving up your web page

Page 20

Lab - Topology

[Topology diagram: the ASA has Inside, Outside and DMZ interfaces. Networks shown: 10.2.XX.0/24, 10.3.XX.0/24, 10.4.XX.0/24 and 192.168.1.0/24. Two Web Servers, 10.3.XX.50 and 10.3.XX.60. Access paths: SSH to the Outside of the ASA, HTTP to the Web Server.]

XX = Pod Number

SSH Authentication: Use Putty to 10.2.XX.2 user: cisco pass: cisco

ASDM Authentication: https://10.2.XX.2 user: cisco pass: cisco

Page 21

Important Notes

The ASAs are in production, so only make changes to them that you would make on your own production ASAs to turn up new services.

After each lab, we will reset the configurations to a default state, and you will be kicked out. You will lose your SSH/ASDM connection and will need to reconnect.

Page 22

LAB 1

You have been hired as a civilian Networking Expert for the US Fast Attack Submarine fleet stationed at Naval Base San Diego.

Preparations are currently underway for the USS Magnus to be deployed. Your job is to upgrade the USS Magnus’ ASA from version 8.2 to version 8.4, and verify access to the dive control system web server behind the ASA.

Page 23

Network Objects

Page 24

The Basics: What is a Network Object?

A network object is a named container which holds:

• An IP (host, network, range, or FQDN)

• (Optional) Description

• (Optional) NAT rule - for the object

object network Servers
 host 192.168.1.2                    (or) subnet 10.1.0.0 255.255.0.0
                                     (or) range 10.1.1.1 10.1.1.254
                                     (or) fqdn www.cisco.com
 description Server Net
 nat static 209.165.200.3

Page 25

Network Objects

You use Network Objects to identify ‘things’

Apply the Network Objects in:

• Object-groups

• Access-lists

• NAT Rules

object network WebServer
 host 10.1.1.3
object network ServerNet
 subnet 10.1.1.0 255.255.255.0
object network ClientRange
 range 10.1.1.3 10.1.1.5

object-group network ServerFarm
 network-object object WebServer
 network-object object ServerNet

access-list outside permit tcp any object WebServer eq 80

nat (inside,outside) source static WebServer PublicWebServer

Page 26

Creating a Network Object: ASDM (and CLI)

ASDM: Configuration > Firewall > Objects > Network Objects/Groups > Add > Network Object

CLI:

object network WebServer
 host 10.1.1.3

Page 27

Creating a Network Object: ASDM (and CLI)

Additionally, in ASDM Network Objects can be created in many other places, for example in the workflows of Access-Rules or NAT Rules.

Page 28

Network Objects: Naming Conventions

Upon upgrade, the ASA converts all IPs used in NAT (static, nat and global commands) to objects.

The objects are named starting with obj- followed by the IP or network. Example: obj-10.2.2.3

For large networks, this is the easiest naming scheme to follow

Small networks may choose to name their objects with more contextual / real names. Example: WebServer. Note: CLI users not familiar with the names then have to look each object up manually.

Page 29

Object NAT: NAT defined within an object

Page 30

Object NAT (Auto-NAT)

Object NAT is the simplest form of NAT, and is defined within a network object

Need to identify:

1. If the object is static, or dynamically translated

2. (Optionally) What interfaces the translation applies to (Appears under the Advanced button in ASDM)

Can specify the Translated address by IP!

Page 31

Object NAT (Auto-NAT): ASDM Rule View

Page 32

Object NAT (Auto-NAT): Creation in ASDM

[ASDM dialog callouts: Type of Network Object; Type of NAT to apply to the Object]

Page 33

Object-NAT (Auto-NAT): CLI Examples of Object NAT

Host Based Object NAT:
object network obj-WebServer
 host 10.3.19.50
 nat (inside,outside) static 198.51.100.50

Network Based Object NAT:
object network Servers
 subnet 10.0.54.0 255.255.255.0
 nat (inside,outside) static 203.0.113.0

Dynamic PAT (interface overload) Object NAT:
object network InternalUsers
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface

Page 34

Manual NAT: Also called “Twice NAT”

Page 35

Manual NAT (Twice NAT)

Manual NAT is used to specify how to translate traffic depending on the Destination IP/subnet of the packet

Manual NAT rules can come ‘before’ Object NAT rules (default) (Section 1), or ‘after-auto’ – after the Object NAT rules (Section 3).

NAT table sections: Section 1 – Manual NAT Rules; Section 2 – Object NAT Rules; Section 3 – Manual NAT Rules (after-auto)

Creating Manual NAT rules in ASDM

Page 36

Manual NAT (Twice NAT)

Manual NAT is configured using only Objects or Object-Groups – NO IPs!

Manual NAT is also called Twice-NAT because it can specify how to translate the source and the destination of the packet (“NAT the packet twice”)

If the Manual NAT line specifies an identity translation for the destination, then the destination is not changed, and the destination is simply used to match the packet.


Page 37

Manual NAT ASDM Breakdown – Source Translated

[ASDM rule view: Forward Flow – Translate Source, ‘Match’ Destination; Reverse Flow – ‘Match’ Source, Un-NAT Destination]

Page 38

Manual NAT ASDM Breakdown - Twice NAT

[ASDM rule view: Forward Flow – Translate Source, Translate Destination; Reverse Flow – Un-NAT Source, Un-NAT Destination]

Page 39

Manual NAT command breakdown

nat (in,out) source static inLocal inGlobal destination static outGlobal outLocal

(in,out) – Specify interfaces the NAT rule applies to

source static – Translate the source statically (one to one)

inLocal inGlobal – Change the source IP from ‘inLocal’ to ‘inGlobal’

outGlobal – For the packet to match this translation the destination IP must match ‘outGlobal’

destination static – Translate the destination statically (one to one)

outGlobal outLocal – Change the destination IP from ‘outGlobal’ to ‘outLocal’

Page 40

Manual NAT

Manual NAT can be used for policy NAT (NAT depending on the destination IP address)

Example configuration

object network ServerReal
 host 10.3.19.50
object network ServerTrans
 host 198.51.100.50
object network RemoteSite
 subnet 10.0.0.0 255.255.255.0

Static NAT:
nat (inside,outside) source static ServerReal ServerTrans

Static Policy NAT:
nat (inside,outside) source static ServerReal ServerTrans destination static RemoteSite RemoteSite

Page 41

Manual NAT (Twice NAT)

Manual NAT should be used to translate the destination, or for policy NAT

object network ServerReal
 host 10.3.19.50
object network ServerTrans
 host 198.51.100.50
object network RemoteSite
 subnet 10.0.0.0 255.255.255.0
object network RemoteTrans
 subnet 203.0.113.0 255.255.255.0

Static Policy NAT – NAT Exemption (for VPN):
nat (inside,outside) source static ServerReal ServerReal destination static RemoteSite RemoteSite

Static - Twice NAT (translates the Source IP and the Destination IP):
nat (inside,outside) source static ServerReal ServerTrans destination static RemoteSite RemoteTrans
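The command breakdown and the static, twice-NAT and exemption lines on the last few slides can be exercised with the following added Python model (not Cisco's code and not part of the lab): it splits a manual NAT line into the annotated fields and applies it to a packet in the forward and reverse directions. The object names are the slides' own; the networks assumed behind them are constructed.

```python
"""Added example: forward and reverse application of an ASA manual (twice) NAT
rule. Object names come from the slides; the networks behind them are assumed."""
import ipaddress

# Assumed object definitions (the slides name the objects but not these networks).
OBJECTS = {
    "inLocal": "10.3.19.0/24",      # real inside addresses
    "inGlobal": "198.51.100.0/24",  # how inside hosts appear on the outside
    "outGlobal": "203.0.113.0/24",  # the remote site as inside hosts address it
    "outLocal": "10.0.0.0/24",      # the remote site's real addresses
}


def net(name):
    return ipaddress.ip_network(OBJECTS[name])


def parse_manual_nat(line):
    """Split the command into the fields the slide annotates:
    nat (in,out) source static inLocal inGlobal [destination static outGlobal outLocal]"""
    t = line.split()
    if t[0] != "nat" or t[2] != "source" or t[3] != "static":
        raise ValueError("only 'nat (a,b) source static ...' is modelled here")
    ingress, egress = t[1].strip("()").split(",")
    rule = {"ingress": ingress, "egress": egress,
            "src_real": t[4], "src_mapped": t[5],
            "dst_mapped": None, "dst_real": None}
    if len(t) > 6:
        if t[6] != "destination" or t[7] != "static":
            raise ValueError("only 'destination static' is modelled here")
        rule["dst_mapped"], rule["dst_real"] = t[8], t[9]  # match on mapped, rewrite to real
    return rule


def map_one_to_one(addr, from_net, to_net):
    """Static NAT keeps the host offset: the Nth address of from_net becomes the
    Nth address of to_net (the two objects must be the same size)."""
    if from_net.num_addresses != to_net.num_addresses:
        raise ValueError("static one-to-one NAT needs equal-size objects")
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


def forward(rule, src, dst):
    """Packet arriving on the ingress interface. Returns (new_src, new_dst) as
    strings, or None when the rule does not match. With an identity destination
    (outLocal outLocal) the destination only has to match and is left alone."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in net(rule["src_real"]):
        return None
    if rule["dst_mapped"] is not None and dst not in net(rule["dst_mapped"]):
        return None
    new_src = map_one_to_one(src, net(rule["src_real"]), net(rule["src_mapped"]))
    new_dst = dst
    if rule["dst_mapped"] is not None:
        new_dst = map_one_to_one(dst, net(rule["dst_mapped"]), net(rule["dst_real"]))
    return str(new_src), str(new_dst)


def reverse(rule, src, dst):
    """Return traffic arriving on the egress interface: un-NAT both sides."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst not in net(rule["src_mapped"]):
        return None
    if rule["dst_real"] is not None and src not in net(rule["dst_real"]):
        return None
    new_dst = map_one_to_one(dst, net(rule["src_mapped"]), net(rule["src_real"]))
    new_src = src
    if rule["dst_real"] is not None:
        new_src = map_one_to_one(src, net(rule["dst_real"]), net(rule["dst_mapped"]))
    return str(new_src), str(new_dst)


if __name__ == "__main__":
    twice = parse_manual_nat(
        "nat (in,out) source static inLocal inGlobal destination static outGlobal outLocal")
    print(forward(twice, "10.3.19.50", "203.0.113.7"))   # ('198.51.100.50', '10.0.0.7')
    print(reverse(twice, "10.0.0.7", "198.51.100.50"))   # ('203.0.113.7', '10.3.19.50')
    exempt = parse_manual_nat(
        "nat (in,out) source static inLocal inLocal destination static outLocal outLocal")
    print(forward(exempt, "10.3.19.50", "10.0.0.7"))     # unchanged: NAT exemption
```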

Page 42

NAT Order of Operations

The ASA configuration is built into the NAT Table (show nat)

The NAT Table is based on First Match (top to bottom)

NAT Table:

Manual NAT Policies (Section 1) – First Match (in config)

Auto NAT Policies (Section 2) – Static NAT: Longest Prefix to Shortest Prefix, then Dynamic NAT: Longest Prefix to Shortest Prefix

Manual NAT [after auto] Policies (Section 3) – First Match (in config)

Page 43

NAT Order of Operations

ASA# show run nat
nat (inside,outside) source dynamic Users1 NATPool1
nat (inside,outside) source static ServerReal ServerTrans
!
object network Users2
 nat (inside,outside) dynamic NATPool2
object network SecureServ
 nat (inside,outside) static 203.0.113.82
!
nat (inside,outside) after-auto source dynamic Users3 NATPool3
nat (inside,outside) after-auto source static Servers ServersTrans

ASA# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic Users1 NATPool1
    translate_hits = 3321, untranslate_hits = 0
2 (inside) to (outside) source static ServerReal ServerTrans
    translate_hits = 0, untranslate_hits = 93829

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static SecureServ 203.0.113.82
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic Users2 NATPool2
    translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic Users3 NATPool3
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static Servers ServersTrans
    translate_hits = 0, untranslate_hits = 0

NAT line hit counts increment when new connections match the NAT rule
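As an added example (not from the lab or from Cisco), the following Python models how the NAT table above is built and searched: Sections 1 and 3 keep configuration order, Section 2 puts static rules before dynamic ones and longer prefixes first, and a packet takes the first match top to bottom. The nat lines are the slide's; the real-side networks behind the objects are assumed, since the slide shows only the nat lines.

```python
"""Added example: ordering of the ASA NAT table (show nat) and first-match lookup.
The nat lines are the slide's; the object networks are assumed."""
import ipaddress
import re

# Assumed real-side networks for the objects named on the slide.
OBJECTS = {
    "Users1": "10.1.0.0/16",
    "Users2": "10.2.0.0/16",
    "Users3": "10.3.0.0/16",
    "ServerReal": "10.3.19.50/32",
    "Servers": "10.0.54.0/24",
    "SecureServ": "10.0.54.82/32",
}

# The slide's `show run nat` output, embedded as sample input.
SHOW_RUN_NAT = """\
nat (inside,outside) source dynamic Users1 NATPool1
nat (inside,outside) source static ServerReal ServerTrans
!
object network Users2
 nat (inside,outside) dynamic NATPool2
object network SecureServ
 nat (inside,outside) static 203.0.113.82
!
nat (inside,outside) after-auto source dynamic Users3 NATPool3
nat (inside,outside) after-auto source static Servers ServersTrans
"""

MANUAL_RE = re.compile(
    r"nat \((?P<ifs>[^)]+)\)(?P<after> after-auto)? source "
    r"(?P<kind>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)"
    r"(?: destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+))?$"
)
OBJECT_RE = re.compile(r"nat \((?P<ifs>[^)]+)\) (?P<kind>static|dynamic) (?P<mapped>\S+)$")


def parse_nat_config(text):
    """Turn `show run nat` text into rule dicts tagged with their section.
    Object NAT lines are attributed to the preceding `object network` line."""
    rules, current_obj = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current_obj = line.split()[2]
            continue
        m = MANUAL_RE.match(line)
        if m:
            rules.append({"section": 3 if m.group("after") else 1,
                          "kind": m.group("kind"), "real": m.group("real"),
                          "mapped": m.group("mapped"), "dst_match": m.group("dst_mapped")})
            continue
        m = OBJECT_RE.match(line)
        if m and current_obj is not None:
            rules.append({"section": 2, "kind": m.group("kind"), "real": current_obj,
                          "mapped": m.group("mapped"), "dst_match": None})
    return rules


def real_network(rule):
    return ipaddress.ip_network(OBJECTS[rule["real"]])


def build_nat_table(rules):
    """Order rules the way `show nat` lists them: Section 1 in config order,
    Section 2 static before dynamic and longest prefix first (the sort is stable,
    so equal keys keep config order), Section 3 in config order."""
    sec1 = [r for r in rules if r["section"] == 1]
    sec2 = sorted((r for r in rules if r["section"] == 2),
                  key=lambda r: (r["kind"] != "static", -real_network(r).prefixlen))
    sec3 = [r for r in rules if r["section"] == 3]
    return sec1 + sec2 + sec3


def table_order(table):
    """(section, real object) pairs in table order, for comparison with show nat."""
    return [(r["section"], r["real"]) for r in table]


def lookup(table, src, dst):
    """First match, top to bottom. Rules with a destination clause also require
    the packet's destination to fall inside that object."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in table:
        if src not in real_network(rule):
            continue
        if rule["dst_match"] and dst not in ipaddress.ip_network(OBJECTS[rule["dst_match"]]):
            continue
        return rule
    return None


if __name__ == "__main__":
    table = build_nat_table(parse_nat_config(SHOW_RUN_NAT))
    for section, name in table_order(table):
        print(f"Section {section}: {name}")
    # 10.0.54.82 is covered by both SecureServ (Section 2) and Servers (Section 3);
    # the Section 2 entry wins because the table is searched top to bottom.
    print(lookup(table, "10.0.54.82", "203.0.113.1")["real"])  # SecureServ
```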

Page 44

Real-IP

Finally, a reminder that with 8.3+ Real-IPs are used in ACLs

object network obj-WebServer
 host 10.3.19.50
 nat (inside,outside) static 198.51.100.50
!
access-list allowIn permit tcp any host 10.3.19.50 eq 80
!
access-group allowIn in interface outside

[Diagram: the Web Server is 10.3.19.50 on the inside and appears as 198.51.100.50 on the outside. The ACL uses the real, untranslated address of the internal server: the inbound ACL permits traffic destined to 10.3.19.50.]
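A check for the Real-IP rule just stated, as an added example that is not part of the lab or of any Cisco tool: it parses a small ASA-style configuration (constructed around the slide's obj-WebServer, with two extra ACL entries written the pre-8.3 way) and flags ACL entries whose destination is a static object NAT's translated address rather than its real one, suggesting the corrected line.

```python
"""Added example: lint ACLs for translated (mapped) addresses, which 8.3+ no
longer wants in ACLs. The sample config is constructed for this example."""
import ipaddress
import re

# Constructed config: the slide's obj-WebServer plus a subnet object, and three
# ACL entries, two of which still name pre-8.3 (translated) addresses.
CONFIG = """\
object network obj-WebServer
 host 10.3.19.50
 nat (inside,outside) static 198.51.100.50
object network obj-Servers
 subnet 10.0.54.0 255.255.255.0
 nat (inside,outside) static 203.0.113.0
!
access-list allowIn permit tcp any host 10.3.19.50 eq 80
access-list allowIn permit tcp any host 198.51.100.50 eq 443
access-list allowIn permit tcp any 203.0.113.0 255.255.255.0 eq 22
!
access-group allowIn in interface outside
"""

ACL_RE = re.compile(r"access-list (\S+) (permit|deny) (\S+) (.+)$")


def parse_static_objects(text):
    """name -> (real network, mapped network) for objects carrying a static object
    NAT to an address (dynamic and 'interface' translations are skipped)."""
    objects, name, real = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            name, real = line.split()[2], None
        elif line.startswith("host ") and name:
            real = ipaddress.ip_network(line.split()[1] + "/32")
        elif line.startswith("subnet ") and name:
            _, network, mask = line.split()
            real = ipaddress.ip_network(f"{network}/{mask}")
        elif line.startswith("nat ") and " static " in line and name and real:
            mapped = line.split()[-1]
            if mapped[0].isdigit():  # static NAT to an address keeps the object's size
                objects[name] = (real, ipaddress.ip_network(f"{mapped}/{real.prefixlen}"))
    return objects


def take_address(tokens):
    """Consume one ACL address spec; returns (network, rest). 'any' and object
    references yield None, since objects hold real IPs by construction."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] in ("object", "object-group"):
        return None, tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def lint_real_ip(text):
    """Flag ACL entries whose destination equals the translated address of a
    static object NAT, i.e. entries written against the mapped IP."""
    objects = parse_static_objects(text)
    findings = []
    for raw in text.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue
        _src, rest = take_address(m.group(4).split())
        dst, _ = take_address(rest)
        if dst is None:
            continue
        for name, (real, mapped) in objects.items():
            if dst == mapped and real != mapped:
                findings.append({"line": raw.strip(), "object": name,
                                 "mapped": str(mapped), "real": str(real)})
    return findings


def rewrite_to_real(finding):
    """Suggested replacement line that names the object's real address instead."""
    real = ipaddress.ip_network(finding["real"])
    mapped = ipaddress.ip_network(finding["mapped"])
    if mapped.prefixlen == 32:
        old, new = f"host {mapped.network_address}", f"host {real.network_address}"
    else:
        old = f"{mapped.network_address} {mapped.netmask}"
        new = f"{real.network_address} {real.netmask}"
    return finding["line"].replace(old, new)


if __name__ == "__main__":
    for f in lint_real_ip(CONFIG):
        print(f"{f['line']}\n  uses mapped {f['mapped']} of {f['object']}; "
              f"8.3+ wants real {f['real']}\n  suggested: {rewrite_to_real(f)}")
```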

Page 45

NAT Troubleshooting using TCP Ping

New troubleshooting tool added in ASA ver 8.4.1

Why is it needed??? Consider the following…

[Diagram: client 10.1.1.7 on one side of the ASA, www server (209.165.200.225) on the other]

Page 46

NAT Troubleshooting using TCP Ping

Previously – limited reachability tools: Ping and Traceroute

[Diagram: ICMP Echo Requests and Echo Replies exchanged between the client 10.1.1.7, the ASA and the www server (209.165.200.225)]

Access to client machine?

Attempts to validate the path… but with ICMP

What about NAT and/or PAT?

Page 47

NAT Troubleshooting using TCP Ping

Sources a TCP SYN packet with the Client’s IP and injects it into the Client’s interface of the ASA

[Diagram: internal hosts are PATed to 198.51.100.2. A packet with SRC of 10.1.1.7 is injected on the Inside interface; the ASA datapath is validated (NAT, ACLs, etc); the packet is PATed to 198.51.100.2 on egress; the TCP SYN is sent to the www server (209.165.200.225) and the TCP SYN+ACK is sent back from the server]

Page 48

TCP Ping – The Big Picture

Validates 2 of the 3 legs of the connection from client to server

[Diagram: client 10.1.1.7, ASA (inside/outside), www server (209.165.200.225), with the path split into 1st, 2nd and 3rd legs; the TCP path from the client side of the ASA to the Server through the cloud is marked Validated]

Page 49

TCP Ping - Example

asa# ping tcp
Interface: inside                         <- Specify Client’s source Interface
Target IP address: 209.165.200.225
Target IP port: 80
Specify source? [n]: y
Source IP address: 10.1.1.7               <- Specify Client’s real IP Address
Source IP port: [0]
Repeat count: [5]
Timeout in seconds: [2]
Type escape sequence to abort.
Sending 5 TCP SYN requests to 209.165.200.225 port 80
from 10.1.1.7 starting port 3465, timeout is 5 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Page 50

LAB 2

The ASA upgrade on the USS Magnus went without a hitch, and your Commanders are impressed! Of course, the reward for a job well done is more work, and you have been deployed to the submarine the USS Carrington. A new ballistic missile control system is being deployed on the sub, and you are tasked with configuring NAT so that Central Command has access to the servers remotely.

Using Object NAT, translate the dive control web server on the inside from 10.3.XX.50 to 209.165.XX.5 on the outside

Using Manual NAT, translate the ballistic missile control web server on the inside from 10.3.XX.60 to 209.165.XX.7 on the outside

Use static one-to-one translations, but only permit access to the Fire control system’s web interface.

Page 51

Object NAT vs. Manual NAT

Object NAT and Manual NAT are functionally equivalent.

object network ServerReal
 host 10.3.19.50
object network ServerTrans
 host 198.51.100.50

Object NAT (no ‘source’ keyword; the object itself is the real address):
object network ServerReal
 nat (inside,outside) static ServerTrans

Manual NAT:
nat (inside,outside) source static ServerReal ServerTrans

Page 52

Object NAT vs. Manual NAT

The difference is where the entries exist in the NAT table (different sections): Manual NAT rules are listed in Section 1, Object (Auto) NAT rules in Section 2.

ASA# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static ServerReal ServerTrans
    translate_hits = 0, untranslate_hits = 87
    Source - Origin: 10.3.19.50/32, Translated: 198.51.100.50/32

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static ServerReal ServerTrans
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.3.19.50/32, Translated: 198.51.100.50/32


Object NAT vs. Manual NAT

When to use either type?

Object NAT

– Objects are re-usable throughout the configuration. Use them if you can, and define NAT within them (easy to change IP addresses).

– Can reference the global IP directly without creating a new object.

– The NAT table is automatically ordered, which avoids most accidental NAT configuration overlaps.

Manual NAT

– Required for translating based on destination IP address (Policy NAT).

– Required for NAT exemption (no NAT for VPN traffic).

– Allows complete control of NAT configuration ordering.


NAT: Using ‘Any’ interface designator

Allows a NAT rule to apply to ANY interface.

Example: all packets sourced from AND destined to RFC 1918 (local) networks should not be translated through the ASA.


NAT: Using ‘Any’ interface designator

Ex: Translate a DMZ server to the same global IP on ALL 200 ASA interfaces.

(Diagram: dmz server 172.16.12.4, NAT: 209.165.200.125)

Use a global ACL rule to permit traffic to the real address of the server.

If the server’s IP address changes, no problem! Just edit the object and the NAT and ACL rules are taken care of.


LAB 3

You’ve been at sea for three weeks now. Based on your stellar performance, the Captain has promoted you. You now manage the Sub Fleet’s Networking group. Congratulations! You have just been deployed on a training mission to the USS Robertson, where you will update the network team on the fleet’s new security practices.

While in the mess hall, you overhear one of your trainees telling a teammate that “ASA NAT rules MUST ALWAYS be configured from the inside to the outside, and never from outside to inside”. You pull the engineer aside and take him to the ship’s network center to show him he is misinformed.

First, create a Manual NAT rule translating the dive control system (10.3.XX.50) to the global IP address 209.165.XX.5 when passing from the Inside to the Outside. Next, delete that rule and add an equivalent inverted rule from the Outside to the Inside. In both cases you will be able to access the web server via the global IP address 209.165.XX.5.


NAT Troubleshooting: ASDM Packet Tracer

Packet Tracer allows you to trace the packet as it passes through the ASA

You can trace either a crafted packet, or a packet that was previously captured


Packet Tracer

Trace a captured packet:

Pod19# capture out interface outside access-list cap trace
Pod19# show capture out
. . .
43: 19:30:24.765615 802.1Q vlan#5 P0 10.1.1.211.43730 > 10.3.19.50.80: S 612034548:612034548(0) win 5840 <mss 1460,sackOK,timestamp 372044700 0,nop,wscale 6>
Pod19# show capture out trace packet-number 43

Packet Tracer from the CLI with a crafted ICMP echo request (excerpt showing the NAT phase of the trace):

Pod32# packet-tracer input inside icmp 10.3.32.20 8 0 192.168.1.1
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj-10.3.32.20
 nat (inside,outside) static 209.165.200.225
Additional Information:
Static translate 10.3.32.20/0 to 209.165.200.225/0


NAT Troubleshooting: ‘show nat’ CLI

Prior to 8.3, show xlate was the best command to use for troubleshooting NAT issues.

With the NAT changes introduced in 8.3, use the show nat detail command instead: it shows the IPs/networks contained in each object referenced by a rule, not just the translations currently in use.


show xlate vs. show nat detail

Pod19# show nat detail
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static obj-10.3.19.98 obj-209.165.200.252 destination static obj-209.165.201.0 obj-209.165.201.0
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.3.19.98/32, Translated: 209.165.200.252/32
    Destination - Origin: 209.165.201.0/24, Translated: 209.165.201.0/24

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj-HR-unixServer 209.165.200.225
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.3.19.20/32, Translated: 209.165.200.225/32
2 (inside) to (outside) source static obj-HR-linuxServer 209.165.200.227
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.3.19.22/32, Translated: 209.165.200.227/32

Pod19# show xlate
14 in use, 16 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:10.3.19.98 to outside:209.165.200.252
    flags s idle 0:00:07 timeout 0:00:00
NAT from inside:10.3.19.20 to outside:209.165.200.225
    flags s idle 0:00:07 timeout 0:00:00
NAT from inside:10.3.19.22 to outside:209.165.200.227
    flags s idle 0:00:07 timeout 0:00:00

(Callouts: in show xlate, each entry shows the real (unmapped) IP and the translated (mapped) IP. In show nat detail, each rule shows the real (unmapped) and translated (mapped) source IP and, for policy NAT, the real (unmapped) and translated (mapped) destination IP.)
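The show nat detail output above has a fixed shape (section header, rule line, hit counters, origin/translated lines), which makes it easy to audit from a script: rules with zero hits in both directions, and Object NAT entries that a Section 1 rule already covers and therefore never match. The parser below is an added example written for this page, not Cisco code; the sample output is constructed by merging the two show nat detail listings on the slides.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two 'show nat detail' outputs from the slides, merged
# into one NAT table so that both sections are populated.
SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static obj-10.3.19.98 obj-209.165.200.252 destination static obj-209.165.201.0 obj-209.165.201.0
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.3.19.98/32, Translated: 209.165.200.252/32
    Destination - Origin: 209.165.201.0/24, Translated: 209.165.201.0/24
2 (inside) to (outside) source static ServerReal ServerTrans
    translate_hits = 0, untranslate_hits = 87
    Source - Origin: 10.3.19.50/32, Translated: 198.51.100.50/32

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj-HR-unixServer 209.165.200.225
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.3.19.20/32, Translated: 209.165.200.225/32
2 (inside) to (outside) source static ServerReal ServerTrans
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.3.19.50/32, Translated: 198.51.100.50/32
"""


@dataclass
class NatRule:
    section: int            # 1 = Manual NAT, 2 = Auto (Object) NAT
    index: int              # rule number within its section
    real_ifc: str
    mapped_ifc: str
    text: str               # the rule as printed, e.g. "source static ServerReal ServerTrans"
    translate_hits: int = 0
    untranslate_hits: int = 0
    src_origin: str = ""
    src_translated: str = ""
    dst_origin: Optional[str] = None      # only present for policy (destination) NAT
    dst_translated: Optional[str] = None


SECTION_RE = re.compile(r"\(Section (\d)\)")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.+)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
SRC_RE = re.compile(r"^Source - Origin: (\S+), Translated: (\S+)")
DST_RE = re.compile(r"^Destination - Origin: (\S+), Translated: (\S+)")


def parse_show_nat(output: str) -> List[NatRule]:
    """Turn 'show nat detail' text into NatRule records, in NAT-table order."""
    rules: List[NatRule] = []
    section, cur = 0, None
    for raw in output.splitlines():
        line = raw.strip()
        if m := SECTION_RE.search(line):
            section = int(m.group(1))
        elif m := RULE_RE.match(line):
            cur = NatRule(section, int(m.group(1)), m.group(2), m.group(3), m.group(4))
            rules.append(cur)
        elif cur is not None and (m := HITS_RE.search(line)):
            cur.translate_hits, cur.untranslate_hits = int(m.group(1)), int(m.group(2))
        elif cur is not None and (m := SRC_RE.match(line)):
            cur.src_origin, cur.src_translated = m.group(1), m.group(2)
        elif cur is not None and (m := DST_RE.match(line)):
            cur.dst_origin, cur.dst_translated = m.group(1), m.group(2)
    return rules


def unused_rules(rules: List[NatRule]) -> List[NatRule]:
    """Rules with zero hits in both directions: candidates to review before the next change."""
    return [r for r in rules if r.translate_hits == 0 and r.untranslate_hits == 0]


def shadowed_auto_rules(rules: List[NatRule]) -> List[NatRule]:
    """Section 2 rules whose source translation is already stated by a Section 1 rule
    with no destination condition. Section 1 is evaluated first, so the Section 2
    copy can never match; the slide's 87-versus-0 untranslate_hits is this situation."""
    manual = [r for r in rules if r.section == 1 and r.dst_origin is None]
    return [a for a in rules if a.section == 2 and any(
        (m.real_ifc, m.mapped_ifc, m.src_origin, m.src_translated)
        == (a.real_ifc, a.mapped_ifc, a.src_origin, a.src_translated) for m in manual)]
```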


Object-NAT (Auto-NAT)

NAT with PAT overload (a dynamic NAT pool that falls back to PAT once the pool is used up) can also be configured within Object NAT, but requires nested configuration: the mapped object-group contains the range used for dynamic NAT plus the host addresses used for PAT.

object network NATPool
 range 209.165.201.1 209.165.201.250
object network PAT-1
 host 209.165.201.251
object network PAT-2
 host 209.165.201.252
!
object-group network nat-pat-group
 network-object object NATPool
 network-object object PAT-1
 network-object object PAT-2
!
object network InternalUsers
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic nat-pat-group


NAT Advanced Features: One-to-many mapping

Translate one inside host to two different global IPs on an interface.

(Diagram: webServer translated to webServerGlobal1 and webServerGlobal2)

object network webServer
 host 192.168.1.99
object network webServerGlobal1
 host 209.165.200.225
object network webServerGlobal2
 host 209.165.200.226
nat (inside,outside) source static webServer webServerGlobal1
nat (inside,outside) source static webServer webServerGlobal2


NAT Advanced Features: ‘pat-pool’ and ‘round-robin’

pat-pool allows a pool of addresses to be used as PAT global IPs.

round-robin causes the ASA to allocate PAT connections across the pool in round-robin fashion.

object network inside-hosts
 subnet 10.0.0.0 255.0.0.0
object network GlobalPATrange
 range 209.165.200.225 209.165.200.254
!
nat (inside,outside) source dynamic inside-hosts pat-pool GlobalPATrange round-robin


NAT Advanced Features: ‘flat’ and ‘include-reserve’

By default, PAT allocates the global (translated) port within the same range as the original source port:

Original Src Port    Translated Src Port
1-511                1-511
512-1023             512-1023
1024-65535           1024-65535

nat (inside,outside) source dynamic inside-hosts pat-pool GlobalPATrange flat include-reserve

Original Src Port    Translated Src Port (flat)    Translated Src Port (flat, include-reserve)
1-511                1024-65535                    1-65535
512-1023             1024-65535                    1-65535
1024-65535           1024-65535                    1-65535

Using the flat keyword allocates xlates only in a fixed range, avoiding the lower port values and the early exhaustion of the lower port ranges; adding include-reserve puts the reserved ports 1-1023 back into that range.


NAT Advanced Features: ‘extended’

Using extended causes the ASA to track a PAT xlate based on destination IP address and port in addition to source IP and port.

Allows for > 65536 PAT xlates for a single global PAT IP.

nat (inside,outside) source dynamic inside-hosts pat-pool GlobalPATrange extended

ASA(config)# show xlate local 10.1.2.3
41 in use, 3992 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
       e - extended
TCP PAT from inside:10.1.2.3/12345 to outside:209.165.200.225/12345(192.168.1.2) flags rie idle 0:00:03 timeout 0:00:30
ASA(config)#

(Callouts: 209.165.200.225/12345 is the global PAT IP and port; 192.168.1.2, in parentheses, is the destination IP address of the TCP connection.)
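The three PAT slides above (pat-pool with round-robin, flat with include-reserve, and extended) describe one allocator with different keys and port ranges. The Python model below is an added example for this page, not Cisco code; the pool addresses, inside hosts and destinations are constructed, and the "keep the original source port when it is free" rule is inferred from the slide's 12345 -> 12345 xlate.

```python
from dataclasses import dataclass, field
from itertools import chain
from typing import Optional, Set, Tuple

Xlate = Tuple[str, int]  # (mapped IP, mapped port)


def translated_port_range(src_port: int, flat: bool = False,
                          include_reserve: bool = False) -> range:
    """Ports the ASA may choose the mapped port from (the two tables on the
    'flat' / 'include-reserve' slide)."""
    if not flat:  # default: the mapped port stays in the original port's class
        if src_port <= 511:
            return range(1, 512)
        if src_port <= 1023:
            return range(512, 1024)
        return range(1024, 65536)
    if include_reserve:  # flat include-reserve: any port 1-65535
        return range(1, 65536)
    return range(1024, 65536)  # flat: fixed high range, reserved ports never used


@dataclass
class PatPool:
    """A 'pat-pool' of mapped addresses plus the keywords given on the nat line."""
    mapped_ips: list
    round_robin: bool = False
    flat: bool = False
    include_reserve: bool = False
    extended: bool = False
    cursor: int = 0                                # next pool member for round-robin
    used: Set[tuple] = field(default_factory=set)  # xlate keys currently in use

    def allocate(self, real_ip: str, real_port: int,
                 dst_ip: str, dst_port: int) -> Optional[Xlate]:
        """Create one PAT xlate; None means every candidate IP/port is exhausted."""
        n = len(self.mapped_ips)
        start = self.cursor if self.round_robin else 0
        # Without round-robin one mapped IP is drained before the next is touched;
        # with round-robin each new connection starts at the next IP in the pool.
        for step in range(n):
            gip = self.mapped_ips[(start + step) % n]
            ports = translated_port_range(real_port, self.flat, self.include_reserve)
            # Keep the original source port when it is free (as in the slide's xlate
            # 10.1.2.3/12345 -> 209.165.200.225/12345), otherwise scan the range.
            first = [real_port] if real_port in ports else []
            for port in chain(first, ports):
                # 'extended' keys the xlate on the destination too, so one mapped
                # IP/port can serve several connections to different destinations.
                key = (gip, port, dst_ip, dst_port) if self.extended else (gip, port)
                if key not in self.used:
                    self.used.add(key)
                    if self.round_robin:
                        self.cursor = (start + step + 1) % n
                    return gip, port
        return None


def low_port_capacity(pool: PatPool, clients: int, src_port: int = 500) -> int:
    """How many clients that all use the same low source port get an xlate before
    the pool is exhausted (constructed 10.0.x.y inside hosts, one web destination)."""
    ok = 0
    for i in range(clients):
        if pool.allocate(f"10.0.{i // 256}.{i % 256}", src_port, "198.51.100.10", 80):
            ok += 1
    return ok
```

With one mapped address, 600 clients on source port 500 exhaust the default 1-511 class after 511 xlates, while the same clients all succeed under flat; extended lets two hosts share mapped port 12345 because their destinations differ.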


LAB 4

Your training session went well, and you have earned a week of rest back at base, Naval Station San Diego. After your R&R is over, the commanders assign you to help secure the new network design for a secret mini-sub prototype, the USS Chambers.

The USS Chambers is only allocated 1 IP address on the outside network, which is assigned to the ASA’s outside interface. You must allow outside hosts to connect to the dive and control servers via this IP address, as well as PAT hosts on the inside to this interface IP.

– PAT the dive control server at 10.3.XX.50 to the outside interface on TCP port 8080.

– PAT the ballistic missile control server at 10.3.XX.60 to the outside interface on TCP port 8081.

– Allow any user on the Inside 10.3.XX.0/24 network to access the Internet by PATing them to the outside interface.


NAT Advanced Features: ‘unidirectional’

Translate the traffic depending on the direction in which the connection was initiated.

(Diagram: webServer translated to webServerGlobal1 and webServerGlobal2)

object network webServer
 host 192.168.1.99
object network webServerGlobal1
 host 209.165.200.225
object network webServerGlobal2
 host 209.165.200.226
!
nat (inside,outside) source static webServer webServerGlobal1 unidirectional
nat (inside,outside) source static webServer webServerGlobal2


NAT Advanced Features: NAT Config Keyword ‘no-proxy-arp’

Disables proxy-arp for the configured global IP addresses.

Useful if the NAT statements utilize very broad global networks.

(Diagram: RFC1918 addresses on both sides of the ASA)

object-group network RFC1918
 network-object object obj-10.0.0.0
 network-object object obj-192.168.0.0
 network-object object obj-172.16.0.0
!
nat (any,any) source static RFC1918 RFC1918 destination static RFC1918 RFC1918 no-proxy-arp


NAT Advanced Features: NAT Config Keyword ‘route-lookup’

NAT commands override the routing table by default.

Use ‘route-lookup’ to only apply NAT rules that match the routing table entries.

(Diagram: Inside network 172.16.0.0/16 and DMZ network 172.16.12.0/24, containing the server 172.16.12.4, both sit behind the ASA, with Outside on the far side. An inbound packet to 172.16.12.4 matches both identity rules below.)

Without route-lookup (default), inbound packets to 172.16.12.4 get routed to the Inside based on the order of the NAT rules, because the first matching rule names inside as the real interface:

nat (inside,outside) source static 172.16.0.0-net 172.16.0.0-net
nat (dmz,outside) source static 172.16.12.0-net 172.16.12.0-net

With route-lookup, the egress interface follows the routing table entry instead of the interface named in the NAT rule:

nat (inside,outside) source static 172.16.0.0-net 172.16.0.0-net route-lookup
nat (dmz,outside) source static 172.16.12.0-net 172.16.12.0-net
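To make the misrouting on this slide concrete, the Python model below reproduces the egress decision for an inbound packet: first matching NAT rule in table order, real interface by default, routing-table lookup when route-lookup is set. It is an added example written for this page, not the ASA's own logic; the routing table and the two identity rules are taken from the slide's diagram, and rule matching is simplified to interface plus mapped network.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (prefix, egress interface)


@dataclass(frozen=True)
class NatRule:
    real_ifc: str           # first interface in nat (real,mapped)
    mapped_ifc: str         # second interface in nat (real,mapped)
    real_net: str
    mapped_net: str
    route_lookup: bool = False


def route_egress(routes: List[Route], dst: IPv4Address) -> Optional[str]:
    """Longest-prefix match over the routing table."""
    best = None
    for prefix, ifc in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None


def inbound_egress(rules: List[NatRule], routes: List[Route],
                   ingress_ifc: str, dst_ip: str) -> Tuple[Optional[str], Optional[NatRule]]:
    """Egress interface for a packet arriving on ingress_ifc for mapped address dst_ip.

    Rules are checked in NAT-table order; a rule applies in the inbound (untranslate)
    direction when the packet enters on its mapped interface and the destination is in
    its mapped network. By default the rule's real interface is the egress interface
    (NAT overrides routing); with route-lookup the routing table decides, using the
    untranslated address."""
    dst = ip_address(dst_ip)
    for rule in rules:
        mapped = ip_network(rule.mapped_net)
        if rule.mapped_ifc == ingress_ifc and dst in mapped:
            real = ip_network(rule.real_net)
            untranslated = real.network_address + (int(dst) - int(mapped.network_address))
            if rule.route_lookup:
                return route_egress(routes, untranslated), rule
            return rule.real_ifc, rule
    return route_egress(routes, dst), None  # no NAT rule matched: plain routing


# Constructed topology from the slide: a /16 Inside and a /24 DMZ carved out of it.
ROUTES: List[Route] = [("172.16.0.0/16", "inside"),
                       ("172.16.12.0/24", "dmz"),
                       ("0.0.0.0/0", "outside")]
DEFAULT_RULES = [
    NatRule("inside", "outside", "172.16.0.0/16", "172.16.0.0/16"),
    NatRule("dmz", "outside", "172.16.12.0/24", "172.16.12.0/24"),
]
ROUTE_LOOKUP_RULES = [
    NatRule("inside", "outside", "172.16.0.0/16", "172.16.0.0/16", route_lookup=True),
    NatRule("dmz", "outside", "172.16.12.0/24", "172.16.12.0/24"),
]
```

The default rule set sends an inbound packet for the DMZ server 172.16.12.4 out the inside interface; with route-lookup on the broad /16 rule the routing table's /24 entry wins and the packet goes to the DMZ.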


LAB 5

The prototype mini-sub network is now completed, and the subs have been deployed. As a reward for your hard work, your boss is sending you to attend Cisco Live in San Diego! Before you can leave for the conference, however, you must configure one last network for the USS Hammon.

A new group of internal VPN networks is being set up for remote access to the sub computers. Integrate the requirements for this network topology, as described below:

– Allow anyone on the Naval Internet to access the Dive Control web server (10.3.XX.50) via the global IP address 209.165.XX.5. Use Object NAT to complete this task.

– Allow only VPN users (of which you are one) on the 10.0.100.0/24 network to access the internal network (10.3.XX.0/24) via its real IP.

– Finally, create a pool of 4 IP addresses (10.2.XX.100 - 10.2.XX.104) to be used as a PAT pool for all outbound Naval Internet access (from either the inside or DMZ networks); each new connection should use a different IP address within the pool.


Closing Comments


Final Thoughts

What We Hope You Learned

– Understand the ASA upgrade and conversion process.

– Understand the new NAT configurations in 8.3+.

– Understand the difference between Object and Manual NAT, and when you would choose to use one over the other.

– Understand how NAT rules are ordered / processed.

Key Concepts

– The new NAT config paradigm is flexible and powerful.

– The use of re-usable configuration objects (containers) helps simplify NAT configuration.

– The ASA has great onboard tools to help you troubleshoot any NAT (or general) configuration problems you might encounter.


Online Resources

– TAC Security Show Podcast

– Online learning modules (VoD Training)

– Supportforums.cisco.com

– Security RSS Feeds


TAC Security Podcast

Great way to obtain valuable troubleshooting insights.

Conversational shows, which focus on providing in-depth information on a given feature.

New episodes posted monthly.


Podcast Episodes

Ep. #  Topic
27     IOS Embedded Event Manager (EEM)
26     Troubleshooting IPSec VPNs
25     Understanding DMVPN and GETVPN
24     The Cisco Identity Services Engine
23     The Cisco ASA Services Module
22     How Cisco uses the Web Security Appliance to protect its network
21     Cisco Live! Las Vegas 2011
20     This Week In TAC!
19     Troubleshooting the NAC Appliance
18     Useful ASA and IPS Commands and Features You Might Not Know About
17     Answering Questions From The Cisco Support Community
16     Mitigating a SQL attack with ASA, IPS and IOS Firewall
15     Using Certificates on the ASA and IOS platforms
14     TCP connections through the ASA and FWSM
13     HTTP Filtering on the ASA
12     Securing Cisco Routers
11     ASA Anyconnect VPN
10     ASA Version 8.3 Overview
9      Multiple Context Mode on the ASA and FWSM Platforms
8      ASA Advanced Application Protocol Inspection
7      Monitoring Firewall Performance
6      Tips for Taking the CCIE Security Exam
5      Troubleshooting Firewall Failover, Part 2
4      Troubleshooting Firewall Failover Part 1; Guest Omar Santos from PSIRT
3      Transparent Firewall Mode; Lifecycle of a TAC Case
2      New Features Introduced with ASA Version 8.2
1      Using the ASA Packet Capture Utility for Troubleshooting


Online Learning Modules – VoD Training

Great way to learn about new features in the ASA.

From www.cisco.com select: Products and Services > Security > Secure Edge and Branch (expand) > Cisco ASA 5500 Series Adaptive Security Appliances > Training resources > Online learning modules

OR search cisco.com for “ASA Online Learning Modules”.

Direct link:

– http://www.cisco.com/en/US/partner/products/ps6120/tsd_products_support_online_learning_modules_list.html


Supportforums.cisco.com

Public wiki – anyone can author articles.

Combines supportwiki and Netpro forums.

Sections for: ASA, FWSM and PIX

– Hundreds of sample configs

– Troubleshooting docs

– FAQs

http://supportforums.cisco.com/


Security Hot Issues – RSS Feeds

Subscribe with an RSS reader.

Receive weekly updates on the Hot Issues customers are facing.

Separate feeds for: ASA, FWSM, ASDM

https://supportforums.cisco.com/docs/DOC-5727


Any Final Questions?



Call to Action…

Visit the World of Solutions:

– Cisco Campus

– Walk-in Labs

– Technical Solutions Clinics

– Meet the Engineer

Lunch Time Table Topics, held in the main Catering Hall

Recommended Reading: For reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2014


Complete Your Online Session Evaluation

Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt.


For your reference

TCP Connection Termination Reasons — Quick Reference

Reason: Description

Conn-Timeout: Connection Ended Because It Was Idle Longer Than the Configured Idle Timeout

Deny Terminate: Flow Was Terminated by Application Inspection

Failover Primary Closed: The Standby Unit in a Failover Pair Deleted a Connection Because of a Message Received from the Active Unit

FIN Timeout: Force Termination After Ten Minutes Awaiting the Last ACK or After Half-Closed Timeout

Flow Closed by Inspection: Flow Was Terminated by Inspection Feature

Flow Terminated by IPS: Flow Was Terminated by IPS

Flow Reset by IPS: Flow Was Reset by IPS

Flow Terminated by TCP Intercept: Flow Was Terminated by TCP Intercept

Invalid SYN: SYN Packet Not Valid

Idle Timeout: Connection Timed Out Because It Was Idle Longer than the Timeout Value

IPS Fail-Close: Flow Was Terminated Due to IPS Card Down

SYN Control: Back Channel Initiation from Wrong Side

SYN Timeout: Force Termination After Two Minutes Awaiting Three-Way Handshake Completion

TCP Bad Retransmission: Connection Terminated Because of Bad TCP Retransmission

TCP Fins: Normal Close Down Sequence

TCP Invalid SYN: Invalid TCP SYN Packet

TCP Reset-I: TCP Reset Was Sent From the Inside Host

TCP Reset-O: TCP Reset Was Sent From the Outside Host

TCP Segment Partial Overlap: Detected a Partially Overlapping Segment

TCP Unexpected Window Size Variation: Connection Terminated Due to a Variation in the TCP Window Size

Tunnel Has Been Torn Down: Flow Terminated Because Tunnel Is Down

Unauth Deny: Connection Denied by URL Filtering Server

Unknown: Catch-All Error

Xlate Clear: User Executed the ‘Clear Xlate’ Command


Anyconnect Access to Your Pod

Launch a web browser to:

https://64.102.242.78:10000

Note the port 10000.

It will ask you to authenticate; use the info below, where X is your pod #: username: podX password: diegoX

Anyconnect will download and install. You will now have access to your ASA and the Web Server.
