As my first ever blog post I decided to post the last problem I solved in the class. I had been talking about twice nat for ever and I had never created an example that my students could base on their knowledge and problem solving. So here it is.
I used Unetlab emulation software to create this lab which is composed of 2 ASA 5520 running 8.42 image, 1 Cisco router to simulate the INTERNET and 2 Windows host the simulate the clients.
The Internet router is connected to the physical interface of the server, this providing real access to the Internet.
hostname INTERNET ! interface Ethernet0/0 description Connects to ASA-1 ip address 172.16.0.2 255.255.255.252 ip nat inside no shutdown ! interface Ethernet0/1 description Connects to ASA-2 ip address 172.16.1.2 255.255.255.252 ip nat inside no shutdown ! interface Ethernet0/2 descruption Connects to Physical Interface (Internet) ip address dhcp ip nat outside no shutdown ! ip nat inside source list NAT interface Ethernet0/2 overload ! ip access-list standard NAT permit 172.16.0.0 0.0.255.255
Initial configuration on both ASAs:
hostname ASA-1 ! !INTERFACE CONFIGUATION interface Ethernet0 description LAN CONNECTION nameif inside security-level 100 ip address 192.168.0.254 255.255.255.0 no shutdown ! interface Ethernet1 description INTERNET CONNECTION nameif outside security-level 0 ip address 172.16.0.1 255.255.255.252 ! ON THE ASA-2 change the previous line with the next one: ! ip address 172.16.1.1 255.255.255.252 no shutdown ! ! CREATE AN OBJECTO TO IDENTIFY THE INSIDE NETWORK object network inside-subnet subnet 192.168.0.0 255.255.255.0 ! ! CONFIGURE PAT FROM THE INSIDE NETWORK TO THE OUTSIDE INTERFACE object network inside-subnet nat (inside,outside) dynamic interface ! ! CONFIGURE A DEFAULT ROUTE route outside 0.0.0.0 0.0.0.0 172.16.0.2 1 ! ON THE ASA-2 change the previous line with the next one: ! route outside 0.0.0.0 0.0.0.0 172.16.1.2 ! ! CONFIGURE THE DHCP SERVER TO THE INSIDE NETWORK dhcpd dns 18.104.22.168 dhcpd domain local.com ! dhcpd address 192.168.0.10-192.168.0.100 inside dhcpd enable inside ! ! ADD ICMP THE GLOBAL INSPECTION POLICY policy-map global_policy class inspection_default inspect icmp
At this point the hosts should have ip configuration received by the ASA dhcp an should be able to reach the INTERNET.
The next step to achieve the proposed is to configure the IPSec tunnel between the ASAs using IKEv2. For that we will need the following components:
- IKE Policy: (The same in ASA-1 and ASA-2)
crypto ikev2 policy 10 encryption aes integrity sha group 5 prf sha lifetime seconds 86400 crypto ikev2 enable outside
We could configure more policies using a diferent combination of encryption, hasing and diffie-hellman algorithms, but for simplification only one is needed.
- Tunnel Authentication: (Pre-share authentication using same key in both sites)
!ASA-1 !172.16.1.1 is the ASA-2 outside interface address tunnel-group 172.16.1.1 type ipsec-l2l tunnel-group 172.16.1.1 ipsec-attributes ikev2 remote-authentication pre-shared-key bsnetworking ikev2 local-authentication pre-shared-key bsnetworking!ASA-2 !172.16.0.1 is the ASA-1 outside interface address tunnel-group 172.16.0.1 type ipsec-l2l tunnel-group 172.16.0.1 ipsec-attributes ikev2 remote-authentication pre-shared-key bsnetworking ikev2 local-authentication pre-shared-key bsnetworking
- IPSec Proposal: (The same in ASA-1 and ASA-2)
crypto ipsec ikev2 ipsec-proposal TSET protocol esp encryption aes-256 aes protocol esp integrity sha-1
- Crypto ACL to identify traffic destined to the tunnel:
! ASA-1 access-list VPN extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0! ASA-2 access-list VPN extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
- Crypto Map combining all previous information into the outside interface:
! ASA-1 crypto map CMAP 10 match address VPN crypto map CMAP 10 set pfs group5 crypto map CMAP 10 set peer 172.16.1.1 crypto map CMAP 10 set ikev2 ipsec-proposal TSET crypto map CMAP interface outside!ASA-2 crypto map CMAP 10 match address VPN crypto map CMAP 10 set pfs group5 crypto map CMAP 10 set peer 172.16.0.1 crypto map CMAP 10 set ikev2 ipsec-proposal TSET crypto map CMAP interface outside
- To help understanding NAT we created some network object to be used later on: (On both ASAs)
! Inside network on both ASAs object network 192.168.0.0_24 subnet 192.168.0.0 255.255.255.0 ! Natted Local Lan on ASA-1 object network 10.0.0.0_24 subnet 10.0.0.0 255.255.255.0 ! Natted Local Lan on ASA-2 object network 10.0.1.0_24 subnet 10.0.1.0 255.255.255.0
- Finally the NAT rules:
! ASA-1 nat (inside,outside) source static 192.168.0.0_24 10.0.0.0_24 destination static 10.0.1.0_24 10.0.1.0_24!ASA-2 nat (inside,outside) source static 192.168.0.0_24 10.0.1.0_24 destination static 10.0.0.0_24 10.0.0.0_24
Traffic going from Win4 to Win5 has the source address of 192.168.0.10 and destination address of 10.0.1.10. When it crosses the ASA from the inside interface to the outside the source is translated from the 192.168.0.10 to the address 10.0.0.10 and the destination stays the same, since the rule translates from the 10.0.1.0 network to it self.
So let’s test it:
ASA-1(config)# packet-tracer input inside tcp 192.168.0.10 www 10.0.1.10 www Phase: 1 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 0.0.0.0 0.0.0.0 outside Phase: 2 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 3 Type: NAT Subtype: Result: ALLOW Config: nat (inside,outside) source static 192.168.0.0_24 10.0.0.0_24 destination static 10.0.1.0_24 10.0.1.0_24 Additional Information: Static translate 192.168.0.10/80 to 10.0.0.10/80 Phase: 4 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Phase: 5 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Phase: 6 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 7 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 534, packet dispatched to next module Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: allow
I couldn’t end my first post without thanking Andrea Dainese and all the team behind UnetLab. You guys rock and you have made our lifes much easier.
For the rest of you, stay good and see you on the next post.
Check this post to understand the packet flow process through the ASA.