Skills Tested
The application of NAT policies on the Cisco ASA using the Network Object NAT and Twice NAT methods
Configuring NTP service using MD5 for authentication of the NTP peers
Understand the order of operations on the Cisco ASA as it pertains to packet handling
Solution and Verification
The tasks in this exercise build upon the initial configuration of ASA1 in Exercise 1.1. In software releases version 8.3 and later, the configuration of NAT changed significantly. If you choose to use a software version pre-8.3, the solutions presented here will not apply.
NAT rules can be configured to allow either unidirectional or bidirectional communication.
Bidirectional connections are static, and can be initiated from either the nontranslated/local side or the translated/global side of the ASA; they also generally involve one-to-one mappings. If a unidirectional or “dynamic” NAT rule is configured, connections cannot be initiated on the translated side of the ASA. Dynamic translations are applicable if the number of addresses to map is greater than the number of addresses available in the translation pool.
For all verification syntax that follows:
Required output appears in red
Required tasks appear in indigo
Variable syntax appears in green
Task 1: Network Object NAT
Verify the NAT rule. Network Object NAT rules are added to section 2 of the NAT policy rule list.
The translation requirement was to support bidirectional communication, so verify whether the NAT rule is static.
ASA1/c2# changeto context c2
ASA1/c2# show nat detail
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static r5 10.50.80.50
translate_hits = 2, untranslate_hits = 4
Source - Origin: 10.50.90.5/32, Translated: 10.50.80.50/32
Verify the complete packet path through ASA2 using the packet-tracer. Look for the NAT phase of processing in the command output.
ASA1/c2# packet-tracer input dmz icmp 10.50.90.5 0 8 10.50.30.3
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
object network r5
 nat (dmz,outside) static 10.50.80.50
Additional Information:
Static translate 10.50.90.5/0 to 10.50.80.50/0
Task 2: Twice NAT
Twice NAT rules are added to section 1 of the NAT policy rule list:
ASA1/c2# changeto context c2
ASA1/c2# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic 100net pool50 destination static remote50net remote50net
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.50.100.0/24, Translated: 10.50.80.100-10.50.80.150
Destination - Origin: 10.50.50.0/24, Translated: 10.50.50.0/24
Verify the complete packet path through ASA2 using the packet-tracer. Look for the NAT phase of processing in the command output.
ASA1/c2# packet-tracer input inside icmp 10.50.100.1 0 8 10.50.50.5
nat (inside,outside) source dynamic 100net pool50 destination static remote50net remote50net
Additional Information:
Dynamic translate 10.50.100.1/0 to 10.50.80.113/0
ASA1/c2# packet-tracer input inside icmp 10.50.100.1 0 8 10.50.80.6
nat (inside,outside) source static 100net 100net
Additional Information:
Static translate 10.50.100.1/0 to 10.50.100.1/0
Task 3: NTP with Authentication
NTP is enabled in the system execution space when the ASA is configured in multicontext mode.
Verify whether ASA1 is in sync with the NTP master server that was partially configured on SW1 (192.168.1.5). Also verify whether NTP exchanges are authenticated.
ASA1# changeto system
ASA1# show ntp associations detail
192.168.1.5 configured, authenticated, our_master, sane, valid, stratum 2
ASA1# show ntp status
Clock is synchronized, stratum 3, reference is 192.168.1.5
This task also required some troubleshooting to complete and correct issues with the NTP configuration on SW1.
Add the following commands to SW1:
ntp authenticate
ntp trusted-key 1
Correct the peer address used in the NTP access-list:
access-list 1 permit 192.168.1.20
Task 4: Tunneling ipv6ip
Verify whether the correct access list policy is defined and applied to the outside interface:
ASA1/c2# changeto context c2
ASA1/c2# show access-list
access-list 101 line 2 extended permit 41 host 10.50.80.6 host 10.50.90.5
Configuration
ASA1 System
ntp authentication-key 1 md5 ***** (cisco is not displayed)
ntp authenticate
ntp trusted-key 1
ntp server 192.168.1.5 key 1 source mgmt
ASA1/c2
object network r5
 host 10.50.90.5
object network r5
 nat (dmz,outside) static 10.50.80.50
object network 100net
 subnet 10.50.100.0 255.255.255.0
object network remote50net
 subnet 10.50.50.0 255.255.255.0
object network pool50
 range 10.50.80.100 10.50.80.150
nat (inside,outside) source dynamic 100net pool50 destination static remote50net remote50net
nat (inside,outside) source static 100net 100net
access-list 101 extended permit icmp any any
access-list 101 extended permit 41 host 10.50.80.6 host 10.50.90.5
access-group 101 in interface outside
SW1
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp source Vlan102
ntp access-group peer 1
ntp master 2
access-list 1 permit 192.168.1.20
Tech Notes
Configuring NAT in Cisco ASA software releases post version 8.3 is reliant on understanding the concept of objects and object-groups. These structures can also be used in place of access lists for identifying interesting traffic in terms of networks, protocols, and services (ports).
Additionally, object types may be combined and nested to provide more flexibility. In the following example, the pool of translated addresses available includes a range of contiguous addresses defined in the network object pool50 plus the single address 10.50.80.251:
object network pool50
 range 10.50.80.100 10.50.80.150
object-group network dest-remotenet50
 network-object object pool50
 network-object host 10.50.80.251
The packet-tracer command has been used to verify the NAT configurations in this question. This command can also be used to verify the configuration of other ASA features, such as access lists and routing. For example, before full connectivity in a network is available, a ping can be tested using packet-tracer with icmp options:
ASA1/c2# packet-tracer input outside icmp 10.50.50.5 0 8 10.50.100.10
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
nat (inside,outside) source static 100net 100net
Additional Information:
NAT divert to egress interface inside
Untranslate 10.50.100.10/0 to 10.50.100.10/0
access-group 101 in interface outside
access-list 101 extended permit icmp any any
Additional Information:
nat (inside,outside) source static 100net 100net
Additional Information:
Static translate 10.50.50.5/0 to 10.50.50.5/0
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic 100net pool50 destination static remote50net remote50net
New flow created with id 754623, packet dispatched to next module
Result:
The preceding output from the packet-tracer command illustrates how the order of operations on the Cisco ASA is important for understanding the relationship between features such as access lists and NAT. In this exercise, the access list for the ipv6ip tunnel specified the untranslated or actual destination address of 10.50.90.5 as the tunnel endpoint on R5. The untranslated address is used to create the ASA connection.
ASA1/c2(config)# show conn detail
41 outside:10.50.80.6/0 dmz:10.50.90.5/0,
 idle 3s, uptime 7D11h, timeout 2m0s, bytes 11154548
However, as you will see in Exercise 5.1, the tunnel destination from the perspective of R6 will be the translated address of 10.50.80.50.
ASA NAT rule processing follows a specific order of precedence, which checks for a more explicit rule to match first. In post-8.3 software, there is an additional order of precedence, as rule types are grouped into sections. The show nat detail command outlines the sections created in this question:
ASA1/c2(config)# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic 100net pool50 destination static remote50net remote50net
translate_hits = 1, untranslate_hits = 1
Source - Origin: 10.50.100.0/24, Translated: 10.50.80.100-10.50.80.150
Destination - Origin: 10.50.50.0/24, Translated: 10.50.50.0/24
2 (inside) to (outside) source static 100net 100net
translate_hits = 11941, untranslate_hits = 1250
Source - Origin: 10.50.100.0/24, Translated: 10.50.100.0/24
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static r5 10.50.80.50
translate_hits = 32, untranslate_hits = 1290
Source - Origin: 10.50.90.5/32, Translated: 10.50.80.50/32
Section 1 comprises twice NAT rules (plus dynamically added invisible virtual private network [VPN] rules), whereas section 2 is built using network object NAT rules. In both sections, static rules take precedence over dynamic rules. It is important to be aware of overlapping rules across sections, which can yield unexpected results.
There is also a section 3, which is available for twice NAT rules that need to be processed after those in sections 1 and 2.
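To make the section precedence and the overlap warning concrete, here is an added Python example (not from the book or from Cisco) that parses show nat detail text into rules in ASA evaluation order and flags any later rule whose source and destination an earlier rule on the same interface pair already covers. The sample output is constructed from the section above plus one extra Auto NAT rule (object h20, host 10.50.100.20), an assumption added only to trigger the check.

```python
import ipaddress
import re

# Constructed sample modelled on the page's "show nat detail" output, plus one extra
# Auto NAT rule (object h20, host 10.50.100.20) added to show a cross-section overlap.
SHOW_NAT_DETAIL = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic 100net pool50 destination static remote50net remote50net
    Source - Origin: 10.50.100.0/24, Translated: 10.50.80.100-10.50.80.150
    Destination - Origin: 10.50.50.0/24, Translated: 10.50.50.0/24
2 (inside) to (outside) source static 100net 100net
    Source - Origin: 10.50.100.0/24, Translated: 10.50.100.0/24
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static r5 10.50.80.50
    Source - Origin: 10.50.90.5/32, Translated: 10.50.80.50/32
2 (inside) to (outside) source static h20 10.50.80.20
    Source - Origin: 10.50.100.20/32, Translated: 10.50.80.20/32
"""
SECTION_RE = re.compile(r"\(Section (\d)\)")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+)")
SRC_RE = re.compile(r"Source - Origin: (\S+),")
DST_RE = re.compile(r"Destination - Origin: (\S+),")
ANY = ipaddress.ip_network("0.0.0.0/0")  # a rule without a destination clause matches any destination

def parse_nat_detail(text):
    """Parse show nat detail into rules in ASA evaluation order (section, then displayed order)."""
    rules, section = [], None
    for line in text.splitlines():
        if m := SECTION_RE.search(line):
            section = int(m.group(1))
        elif m := RULE_RE.match(line):
            rules.append({"section": section, "index": int(m.group(1)), "path": (m.group(2), m.group(3)),
                          "type": m.group(4), "obj": m.group(5), "src": None, "dst": ANY})
        elif m := SRC_RE.search(line):
            rules[-1]["src"] = ipaddress.ip_network(m.group(1))
        elif m := DST_RE.search(line):
            rules[-1]["dst"] = ipaddress.ip_network(m.group(1))
    return sorted(rules, key=lambda r: (r["section"], r["index"]))

def shadowed_rules(rules):
    """(earlier, later) pairs where an earlier rule on the same interface pair already covers
    every source and destination the later rule matches, so the later rule never fires."""
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier["path"] == later["path"] and later["src"].subnet_of(earlier["src"])
                    and later["dst"].subnet_of(earlier["dst"])):
                pairs.append((earlier, later))
    return pairs
```

Run against the sample, the check reports the added h20 object NAT rule in section 2 as shadowed by the section 1 identity rule for 100net, while the dynamic section 1 rule is not flagged because its destination clause (remote50net) is narrower.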
It is important that the administrator understands how to migrate NAT rules from a pre-8.3 software release to a post-8.3 release. The following examples may be used for reference.
Old Configuration
static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns
Migrated Configuration
object network obj-192.168.100.10
 host 192.168.100.10
 nat (inside,outside) static 172.20.1.10 dns
Old Configuration
global (outside) 1 10.76.6.111
global (outside) 1 10.76.6.109-10.76.6.110
New Network Objects and Groups
object network obj-10.76.6.111
 host 10.76.6.111
object network obj-10.76.6.109-10.76.6.110
 range 10.76.6.109 10.76.6.110
object-group network og-global-outside_1
 network-object object obj-10.76.6.111
 network-object object obj-10.76.6.109-10.76.6.110
Table 1a-2 summarizes the various NAT types supported on the Cisco ASA. Note there are subtle differences in implementing these pre- and post-version 8.3.
Table 1a-2 Cisco Supported NAT Types Summary