GlobalConfig.net» SNAF

Destination NAT on Cisco ASA 8.2

Brandon Carroll, CCIE #23837 — Fri, 21 Jan 2011 13:00:01 +0000

This week I had a few students in a neighboring class that are trying to accomplish a destination nat using Cisco ASA 8.x. They were apparently told by Cisco TAC that this was not possible on anything prior to ASA 8.3 code. This isn’t the case. In fact, it’s been possible for some time on the ASA. Now as it sits they have an ASA sitting behind a Juniper Firewall which is currently providing the destination NAT services, but that’s the only reason they have the Juniper there. So, by being able to do the NAT on the ASA the Juniper Firewall can be removed.

So the scenario goes a little something like this. Originally we had two servers with IP addresses 172.18.0.99 and 172.18.0.100 that are hard coded into a few thousand clients. The servers were consolidated into one server and the IP address is now in a different address space. Rather than changing the static assignment on so many clients, can we just configure the ASA so that when they go to the old hard coded addresses they will be destination NAT’d to the new server IP address? The answer is yes and here is how you do it.

First, We can take a look at the old Topology. Here we note the addresses that are hard coded to the clients on the left.

Configuring Dynamic Network Object NAT on ASA 8.3

Brandon Carroll, CCIE #23837 — Tue, 07 Sep 2010 14:52:36 +0000

I’ve been developing content to enhance our Firewall training as of late. In this video I give you a sample of some of the material I am working on. Here I walk you through configuring Dynamic Network Object Based NAT on a Cisco ASA running version 8.3. The NAT configuration is a bit different than past versions so this may give you that kick you need to get going with a new install. If you are upgrading from a previous version of ASA to 8.3 you should really read the release notes prior to upgrading. The NAT order of operations and the processing of packets on an interface has changed.

Thanks for watching and Happy Labbing!

Per-Flow Policing on ASA VPN

Brandon Carroll, CCIE #23837 — Tue, 16 Dec 2008 08:11:07 +0000

Tonight I worked on the ASA Per-flow policing. The configuration is fairly straight forward. After ensuring that the VPN works create a class-map to match the tunnel-group and the destination-address like so:

class-map vpn_data
match flow ip destination-address
match tunnel-group ezvpn

Next create the policy map to police based on the class we just created:

policy-map outside
class vpn_voice
priority
class vpn_data
police output 256000
class class-default
police output 2000000

Finally activate it on the interface:

service-policy outside interface outside

So while that is pretty simple I did come across a gotcha. In the IE lab workbook volume 1 it has you create a class-map for vpn_voice, match dscp=ef and the same tunnel-group. It then wants to apply priority queueing to it. Here is where it could cause some issues. When you apply the policy-map to the interface with the priority command configured for a class it give you a really nice error:

asa1(config-pmap-c)# service-policy outside int outside
ERROR: Class vpn_voice has 'priority' set
without 'priority-queue' in any interface

A quick show service-policy indicates that it was not actually enabled:

asa1(config)# sh service-policy

Global policy: Service-policy: global_policy Class-map: inspection_default Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0 Inspect: ftp, packet 0, drop 0, reset-drop 0 Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0 Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0 Inspect: netbios, packet 0, drop 0, reset-drop 0 Inspect: rsh, packet 0, drop 0, reset-drop 0 Inspect: rtsp, packet 0, drop 0, reset-drop 0 Inspect: skinny, packet 0, drop 0, reset-drop 0 Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0 Inspect: sqlnet, packet 0, drop 0, reset-drop 0 Inspect: sunrpc, packet 0, drop 0, reset-drop 0 Inspect: tftp, packet 0, drop 0, reset-drop 0 Inspect: sip, packet 0, drop 0, reset-drop 0 Inspect: xdmcp, packet 0, drop 0, reset-drop 0

So watch out!

TIP:

if you are telling a class that it should priority queue packets
 you need to enable the priority queue on that interface:

asa1(config-if)# priority-queue outside
asa1(config-priority-queue)#

SNAF: Recommended Reading

Brandon Carroll, CCIE #23837 — Thu, 20 Nov 2008 18:07:31 +0000

For those of you preparing for the SNAF exam, I would recommend the book “IPSec.” It’s an easy read, vendor neutral, and gives a great look into the workings of IPSec.

Enjoy!

CCIE Voice Reading: Deploying Cisco Unified Presence

Static Route Tracking with ASA 8.x

Brandon Carroll, CCIE #23837 — Fri, 24 Oct 2008 03:44:05 +0000

For a few days now I have been playing with static route tracking in my SNAF class. The class is running ASA 8.0 (2). After reading every document I can find and testing in my lab I have concluded that version 8.0 (2) does not work. Now I can’t find a bug report on it, but i tested it over and over again.

Finally I decided to upgrade to code 8.0 (3). Success! Below is what I did to test and the results:

To begin, here is the topology:

Uploaded with plasq‘s Skitch!

First I set up the interfaces:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.6.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.6.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif backup
security-level 0
ip address 192.168.5.25 255.255.255.0
!

No Related Posts

GlobalConfig.net» SNAF

Destination NAT on Cisco ASA 8.2

Related Posts:

Configuring Dynamic Network Object NAT on ASA 8.3

Related Posts:

Per-Flow Policing on ASA VPN

Related Posts:

SNAF: Recommended Reading

Related Posts:

Static Route Tracking with ASA 8.x

Related Posts: