CCIE Security Lab: OSPF security (and a lot of NAT)

I am still a little way from setting up DMVPN: the IP addressing is all set, but I still need to configure OSPF across the multi-context ASA, the ISP routers and the IOS routers on each side. We also need to permit some traffic through the transparent firewall. Most of the work in this post concerns OSPF, but we will cover some more NAT commands as well.

We are working on this part of the topology now:


Let's start by setting up some default routes on the contexts:
FO-ASA# changeto con C1
FO-ASA/C1# conf t
FO-ASA/C1(config)# route outside 0 0 10.1.16.1
FO-ASA/C1(config)# 
FO-ASA/C1(config)# changeto con C2
FO-ASA/C2(config)# 
FO-ASA/C2(config)# route outside 0 0 10.1.26.1
FO-ASA/C2(config)# 
FO-ASA/C2(config)# 
We can add a bit of routing:
FO-ASA/C1(config)# router ospf 16 
FO-ASA/C1(config-router)# router-id 10.1.16.254
FO-ASA/C1(config-router)# network 10.1.4.0 255.255.255.0 area 0
FO-ASA/C1(config-router)# exit

DMVPN-Hub1(config)#router ospf 16
DMVPN-Hub1(config-router)#router-id 4.4.4.4
DMVPN-Hub1(config-router)#network 10.1.4.0 255.255.255.0 area 0
DMVPN-Hub1(config-router)#network 4.4.4.4 255.255.255.255 area 0
DMVPN-Hub1(config-router)#

FO-ASA/C1(config)# changeto con C2
FO-ASA/C2(config)# router ospf 26
FO-ASA/C2(config-router)# router-id 10.1.26.254
FO-ASA/C2(config-router)# network 10.1.5.0 255.255.255.0 area 0
FO-ASA/C2(config-router)# 

DMVPN-Hub2(config)#router ospf 26
DMVPN-Hub2(config-router)#router-id 10.1.5.3
DMVPN-Hub2(config-router)#network 10.1.5.0 255.255.255.0 area 0
DMVPN-Hub2(config-router)#network 3.3.3.3 255.255.255.255 area 0
DMVPN-Hub2(config-router)#

DMVPN-Hub1#sh ip ospf neigh

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.16.254       1   FULL/DR         00:00:38    10.1.4.254      GigabitEthernet0/0
DMVPN-Hub1#

DMVPN-Hub2#sh ip ospf neigh

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:39    10.1.3.2        GigabitEthernet0/3
10.1.26.254       1   FULL/BDR        00:00:15    10.1.5.254      GigabitEthernet0/0
DMVPN-Hub2#
Let's add the ISP-1 router to OSPF:
ISP-1(config)#router ospf 1
ISP-1(config-router)#network 10.1.16.0 255.255.255.0 area 0
ISP-1(config-router)#network 10.1.26.0 255.255.255.0 area 0
ISP-1(config-router)#router-id 10.1.16.1
ISP-1(config-router)#
ISP-1(config-router)#do sh ip ospf neigh
ISP-1(config-router)#

FO-ASA/C1(config)# router ospf 16
FO-ASA/C1(config-router)# network 10.1.16.0 255.255.255.0 area 0

FO-ASA/C2(config)# router ospf 26
FO-ASA/C2(config-router)# network 10.1.26.0 255.255.255.0 area 0
FO-ASA/C2(config-router)# 

ISP-1(config-router)#do sh ip route ospf | b Gate
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O E2     1.1.1.1 [110/20] via 10.1.26.254, 00:00:28, GigabitEthernet0/0.2
      3.0.0.0/32 is subnetted, 1 subnets
O IA     3.3.3.3 [110/12] via 10.1.26.254, 00:00:28, GigabitEthernet0/0.2
      4.0.0.0/32 is subnetted, 1 subnets
O        4.4.4.4 [110/12] via 10.1.16.254, 00:02:02, GigabitEthernet0/0.1
      10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
O        10.1.2.0/24 [110/13] via 10.1.26.254, 00:00:28, GigabitEthernet0/0.2
O        10.1.3.0/24 [110/12] via 10.1.26.254, 00:00:28, GigabitEthernet0/0.2
O        10.1.4.0/24 [110/11] via 10.1.16.254, 00:02:02, GigabitEthernet0/0.1
O        10.1.5.0/24 [110/11] via 10.1.26.254, 00:00:28, GigabitEthernet0/0.2
      80.0.0.0/32 is subnetted, 1 subnets
O        80.2.10.1 [110/13] via 10.1.26.254, 00:00:28, GigabitEthernet0/0.2
ISP-1(config-router)#
Connect ISP-1 to ISP-2:
ISP-1(config-router)#network 10.1.7.0 255.255.255.0 area 0
ISP-1(config-router)#

ISP-2(config)#router ospf 1
ISP-2(config-router)#router-id 10.1.7.2
ISP-2(config-router)#network 10.1.7.0 255.255.255.0 area 0
ISP-2(config-router)#
ISP-1 won't peer with ISP-2 at the moment, as we have a firewall in the way. To get the two to form an OSPF adjacency, we need to permit the OSPF traffic from ISP-2 in, and from ISP-1 out. OSPF uses two multicast addresses: 224.0.0.5 (all OSPF routers) and 224.0.0.6 (designated routers). We also permit OSPF unicast between the two directly connected routers (needed for the database exchange once hellos have been seen), and ping between the two ISP routers:
Transparent(config)# access-list Out->In extended permit ospf host 10.1.7.2 host 224.0.0.5
Transparent(config)# access-list Out->In extended permit ospf host 10.1.7.2 host 224.0.0.6
Transparent(config)# access-list Out->In extended permit ospf host 10.1.7.2 host 10.1.7.1 
Transparent(config)# access-list Out->In extended permit icmp host 10.1.7.2 host 10.1.7.1 
Transparent(config)# 
Transparent(config)# access-list In->Out extended permit ospf host 10.1.7.1 host 224.0.0.5
Transparent(config)# access-list In->Out extended permit ospf host 10.1.7.1 host 224.0.0.6
Transparent(config)# access-list In->Out extended permit ospf host 10.1.7.1 host 10.1.7.2
Transparent(config)# access-list In->Out extended permit icmp host 10.1.7.1 host 10.1.7.2 
Transparent(config)# 
Transparent(config)# access-group Out->In in interface Outside
Transparent(config)# access-group In->Out in interface Inside

ISP-1#
*Jun 30: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.7.2 on GigabitEthernet0/1 from LOADING to FULL, Loading Done
ISP-1#

ISP-2#
*Jun 30: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.16.1 on GigabitEthernet0/1 from LOADING to FULL, Loading Done
ISP-2#
ISP-2#ping 10.1.7.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.7.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/10 ms
ISP-2#
This is a bit restrictive, however. We should probably allow more through, but I am sure that the lab exam won't allow access lists permitting IP "any any". We will come back to this later; for the moment, let's finish off the OSPF configuration:
ISP-2(config)#router ospf 1
ISP-2(config-router)#network 10.1.8.0 255.255.255.0 area 0
ISP-2(config-router)#network 10.1.9.0 255.255.255.0 area 0
ISP-2(config-router)#

DMVPN-Client(config)#router ospf 1
DMVPN-Client(config-router)#router-id 5.5.5.5
DMVPN-Client(config-router)#network 10.1.8.0 255.255.255.0 area 0
DMVPN-Client(config-router)#network 5.5.5.5 255.255.255.255 area 0
*Jun 30: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.7.2 on GigabitEthernet0/2 from LOADING to FULL, Loading Done
DMVPN-Client(config-router)#

EzVPN-Server(config)#router ospf 1
EzVPN-Server(config-router)#router-id 6.6.6.6
EzVPN-Server(config-router)#network 10.1.9.0 255.255.255.0 area 0
EzVPN-Server(config-router)#network 6.6.6.6 255.255.255.255 area 0
*Jun 30: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.7.2 on GigabitEthernet0/3 from LOADING to FULL, Loading Done
EzVPN-Server(config-router)#
Now we have end-to-end visibility:
RTD-ASA# sh route ospf | b Gate
Gateway of last resort is not set

O        4.4.4.4 255.255.255.255 [110/34] via 10.1.2.2, 00:30:33, Outside
O        5.5.5.5 255.255.255.255 [110/25] via 10.1.2.2, 00:02:05, Outside
O        6.6.6.6 255.255.255.255 [110/25] via 10.1.2.2, 00:00:49, Outside
O        10.1.3.0 255.255.255.0 [110/11] via 10.1.2.2, 06:16:09, Outside
O        10.1.4.0 255.255.255.0 [110/33] via 10.1.2.2, 00:30:33, Outside
O        10.1.5.0 255.255.255.0 [110/12] via 10.1.2.2, 06:15:15, Outside
O        10.1.7.0 255.255.255.0 [110/23] via 10.1.2.2, 00:26:58, Outside
O        10.1.8.0 255.255.255.0 [110/24] via 10.1.2.2, 00:03:22, Outside
O        10.1.9.0 255.255.255.0 [110/24] via 10.1.2.2, 00:03:12, Outside
O        10.1.16.0 255.255.255.0 [110/23] via 10.1.2.2, 00:30:33, Outside
O        10.1.26.0 255.255.255.0 [110/22] via 10.1.2.2, 00:30:43, Outside
O        80.2.10.1 255.255.255.255 [110/11] via 10.1.2.2, 06:16:09, Outside

RTD-ASA# 
We do not have reachability, though, because the traffic is not allowed through the transparent firewall or the Multi-context firewalls.

How do we fix this, then? Should we permit everything through the firewalls, or use NAT? If we NAT the networks behind the multi-context firewalls we lose the ability to accept incoming traffic to them (at least if we overload, i.e. PAT, rather than translate one-to-one). Let's look at it another way: what do we need to achieve?

Ideally, all of the loopbacks should have connectivity, so we can exempt these from NAT like we did when setting up the IPSec between RTD-ASA and DMVPN-Hub2. This is important, as the DMVPN clients will be peering to these addresses, but we could make it a bit more interesting by NAT'ing these addresses to external addresses and achieve the same result that way.

OK, so here's the plan:

  • 1.1.1.1/32 will be exempt from NAT
  • 3.3.3.3/32 and 4.4.4.4/32 will be NAT'd on a one-to-one basis, to 10.1.26.200 and 10.1.16.200 respectively.
  • 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.5.0/24 will be PAT'd to the 10.1.26.254 address
  • 10.1.4.0/24 will be PAT'd to the 10.1.16.254 address

Not a bad plan. But there is still an issue. Because everything is in area 0, the routes that will be hidden behind the NATs will still be visible, so they need to be advertised inside the border, but not passed beyond the border firewall. Do we create more areas, or stop the prefixes from being advertised? Having one area keeps things nice and simple, but the CCIE is not a simple exam, so let's try to think like a proctor (or whoever designs the labs) and go for what I think is the harder choice: make more areas (well, one more area) and prevent some of the prefixes from being advertised. The easy option would be to run multiple protocols, but I want to reserve EIGRP for use within the VPNs, and (if ISP-1 to the DMVPN-Client and EzVPN-Server are in area 1) I would also need a different protocol further down the topology (EzVPN-Server to ZBF) to avoid a discontiguous area 0.

So, now we have a bit of patching to do: first creating the NATs, then switching the areas, taking care of the advertisement of the hidden prefixes, and finally some hardening, because let's not forget that this is a security exam, so OSPF should be secured and authenticated.

But let's save all this for another day, as it's a bit late, I am two whiskeys in, and need a break.

The next day...

It's bugging me that the FO-ASA's outside interface (eth0) points to the Transparent ASA's Inside interface; really the interfaces on the transparent ASA should be swapped over. Strictly speaking it doesn't matter one iota, but it's bugging me, so let's take care of that first before moving on.
Transparent(config)# int gi 0/1 
Transparent(config-if)# no nameif Outside
Transparent(config-if)# int gi0/0
Transparent(config-if)# nameif Outside
Transparent(config-if)# int gi0/1
Transparent(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
Transparent(config-if)# sh run int gi0/0
!
interface GigabitEthernet0/0
 nameif Outside
 bridge-group 1
 security-level 100
Transparent(config-if)# sh run int gi0/1
!
interface GigabitEthernet0/1
 nameif Inside
 bridge-group 1
 security-level 100
Transparent(config-if)# int gi0/0
Transparent(config-if)# security-level 0
Transparent(config-if)# 


ISP-2#ping 10.1.7.1 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.7.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
ISP-2#
*Jul  1: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.16.1 on GigabitEthernet0/1 from LOADING to FULL, Loading Done
ISP-2#ping 10.1.7.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.7.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/7 ms
ISP-2#
That's a bit tidier now. However, OSPF is having issues, so we need to amend the access-lists created earlier (and invert them, as the sources are now on the opposite interfaces):
Transparent# sh run | i access-list
access-list Out->In extended permit ospf host 10.1.7.2 host 224.0.0.5 
access-list Out->In extended permit ospf host 10.1.7.2 host 224.0.0.6 
access-list Out->In extended permit icmp host 10.1.7.2 host 10.1.7.1 
access-list Out->In extended permit ospf host 10.1.7.2 host 10.1.7.1 
access-list In->Out extended permit ospf host 10.1.7.1 host 224.0.0.5 
access-list In->Out extended permit ospf host 10.1.7.1 host 224.0.0.6 
access-list In->Out extended permit icmp host 10.1.7.1 host 10.1.7.2 
access-list In->Out extended permit ospf host 10.1.7.1 host 10.1.7.2 
threat-detection statistics access-list
Transparent# 
Transparent# 
Transparent# conf t
Transparent(config)# no access-list Out->In extended permit ospf host 10.1.7.2 host 224.0.0.5
Transparent(config)# no access-list Out->In extended permit ospf host 10.1.7.2 host 224.0.0.6
Transparent(config)# no access-list Out->In extended permit icmp host 10.1.7.2 host 10.1.7.1
Transparent(config)# no access-list Out->In extended permit ospf host 10.1.7.2 host 10.1.7.1 
Transparent(config)# access-list Out->In extended permit ospf host 10.1.7.1 host 224.0.0.5
Transparent(config)# access-list Out->In extended permit ospf host 10.1.7.1 host 224.0.0.6
Transparent(config)# access-list Out->In extended permit icmp host 10.1.7.1 host 10.1.7.2
Transparent(config)# access-list Out->In extended permit ospf host 10.1.7.1 host 10.1.7.2           
Transparent(config)# 
Transparent(config)# no access-list In->Out extended permit ospf host 10.1.7.1 host 224.0.0.5                                                                     
Transparent(config)# no access-list In->Out extended permit ospf host 10.1.7.1 host 224.0.0.6                                                                     
Transparent(config)# no access-list In->Out extended permit icmp host 10.1.7.1 host 10.1.7.2
Transparent(config)# no access-list In->Out extended permit ospf host 10.1.7.1 host 10.1.7.2
Transparent(config)# access-list In->Out extended permit ospf host 10.1.7.2 host 224.0.0.5
Transparent(config)# access-list In->Out extended permit ospf host 10.1.7.2 host 224.0.0.6
Transparent(config)# access-list In->Out extended permit ospf host 10.1.7.2 host 10.1.7.1
Transparent(config)# access-list In->Out extended permit icmp host 10.1.7.2 host 10.1.7.1
Transparent(config)#
Transparent(config)# access-group In->Out in interface Inside
Transparent(config)# access-group Out->In in interface Outside
Transparent(config)# 
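To make the direction issue concrete, here is a small Python model of how those access-lists are evaluated. It is an example added to this post, not ASA code: it parses the corrected access-list lines above, binds each list inbound on its interface as the access-group commands do, and applies first-match evaluation with the implicit deny at the end of every list. The packets fed to it are constructed for the example, and the ASA's default security-level behaviour for an interface with no access-group bound is deliberately not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Added model of ASA-style extended access-lists, written for this post to show
# how the transparent firewall decides on the OSPF and ICMP traffic above.
# It is not ASA code: it models first-match evaluation with the implicit deny
# at the end of each list, and one "access-group NAME in interface IF" binding
# per interface (the security-level default for an interface with no ACL is
# not modelled). Packets below are constructed for the example.


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ospf", "icmp", "tcp", ... or "ip" for any protocol
    src: str      # "any", "host A.B.C.D" or "NET/MASK"
    dst: str


def _addr_spec(tokens):
    """Consume one ASA address spec from the token list; return (spec, rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return "host " + tokens[1], tokens[2:]
    return tokens[0] + "/" + tokens[1], tokens[2:]   # network + dotted mask


def parse_acl_line(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST' into (NAME, Ace)."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError("not an extended access-list line: " + line)
    name, action, proto = t[1], t[3], t[4]
    src, rest = _addr_spec(t[5:])
    dst, _ = _addr_spec(rest)
    return name, Ace(action, proto, src, dst)


def _match_addr(spec, addr):
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip == ipaddress.ip_address(spec[5:])
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate(acls, groups, proto, src, dst, ingress):
    """First-match lookup of the ACL bound inbound on `ingress`.

    Returns ("permit", ace) or ("deny", ace_or_None); None means the packet
    fell off the end of the list and hit the implicit deny."""
    name = groups[ingress]
    for ace in acls[name]:
        if (ace.proto in ("ip", proto) and _match_addr(ace.src, src)
                and _match_addr(ace.dst, dst)):
            return ace.action, ace
    return "deny", None


# The corrected Transparent configuration from the post, as entered after the
# interfaces were swapped.
CONFIG = """
access-list Out->In extended permit ospf host 10.1.7.1 host 224.0.0.5
access-list Out->In extended permit ospf host 10.1.7.1 host 224.0.0.6
access-list Out->In extended permit icmp host 10.1.7.1 host 10.1.7.2
access-list Out->In extended permit ospf host 10.1.7.1 host 10.1.7.2
access-list In->Out extended permit ospf host 10.1.7.2 host 224.0.0.5
access-list In->Out extended permit ospf host 10.1.7.2 host 224.0.0.6
access-list In->Out extended permit ospf host 10.1.7.2 host 10.1.7.1
access-list In->Out extended permit icmp host 10.1.7.2 host 10.1.7.1
""".strip().splitlines()

ACLS = {}
for _line in CONFIG:
    _name, _ace = parse_acl_line(_line)
    ACLS.setdefault(_name, []).append(_ace)

# access-group In->Out in interface Inside / access-group Out->In in interface Outside
GROUPS = {"Inside": "In->Out", "Outside": "Out->In"}


def decide(proto, src, dst, ingress):
    """Convenience wrapper returning just the action for the post's config."""
    return evaluate(ACLS, GROUPS, proto, src, dst, ingress)[0]


if __name__ == "__main__":
    # OSPF hello from ISP-1 arriving on Outside: permitted by Out->In
    print(decide("ospf", "10.1.7.1", "224.0.0.5", "Outside"))   # permit
    # A hello whose source sits on the other side of the firewall hits the
    # list that does not name it and falls off the end: implicit deny
    print(decide("ospf", "10.1.7.1", "224.0.0.5", "Inside"))    # deny
    # Anything not listed, e.g. TCP between the ISPs, is also dropped
    print(decide("tcp", "10.1.7.2", "10.1.7.1", "Inside"))      # deny
```

The second case is the one that broke the adjacency after the swap: each list only names one source, so a hello arriving on the interface whose list names the other router never matches a line and is dropped by the implicit deny. The model returns the matching entry alongside the action, which is the same information "show access-list" hit counts give you when troubleshooting on a real ASA.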
OSPF is stable again, so let's start with the NAT translations. The first is to exempt 1.1.1.1/32 from NAT, but we need to start with the RTD-ASA firewall, where I have added an access-list to permit pings to and from 1.1.1.1:
RTD-ASA# sh run | i access-
access-list IPSec-VPN-Traffic extended permit ip host 1.1.1.1 host 3.3.3.3 
access-list NONAT extended permit ip object No-Nat-Networks object No-Nat-Destination 
access-list Out->In extended permit icmp host 1.1.1.1 any 
access-list Out->In extended permit icmp any host 1.1.1.1 
access-group Out->In in interface Inside
access-group Out->In in interface Outside
threat-detection statistics access-list
dynamic-access-policy-record DfltAccessPolicy
RTD-ASA# 

FO-ASA/C2# ping 1.1.1.1                                          
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
FO-ASA/C2# 

We create two network objects using the "range" option, and a host object for 1.1.1.1:

FO-ASA/C2(config)# object network DontNat1-1-1-1-Main   
FO-ASA/C2(config-network-object)# range 10.1.7.0 10.1.26.254
FO-ASA/C2(config-network-object)# exit
FO-ASA/C2(config)# object network DontNat1-1-1-1-Loops
FO-ASA/C2(config-network-object)# range 5.5.5.5 9.9.9.9
FO-ASA/C2(config-network-object)# exit
FO-ASA/C2(config)# object network 1-1-1-1                                                                                                                               
FO-ASA/C2(config-network-object)# host 1.1.1.1
FO-ASA/C2(config-network-object)# exit

Next we create two NAT rules:

FO-ASA/C2(config)# nat (Inside,Outside) source static 1-1-1-1 1-1-1-1 destination static DontNat1-1-1-1-Main DontNat1-1-1-1-Main no-proxy-arp route-lookup                  
FO-ASA/C2(config)# nat (Inside,Outside) source static 1-1-1-1 1-1-1-1 destination static DontNat1-1-1-1-Loops DontNat1-1-1-1-Loops no-proxy-arp route-lookup
FO-ASA/C2(config)#

We can use the same access-list as before:

FO-ASA/C2(config)# access-list Out->In extended permit icmp host 1.1.1.1 any 
FO-ASA/C2(config)# access-list Out->In extended permit icmp any host 1.1.1.1 
FO-ASA/C2(config)# 
FO-ASA/C2(config)# access-group Out->In in interface Outside
FO-ASA/C2(config)# access-group Out->In in interface Inside 
FO-ASA/C2(config)# 

Packet-tracer passes, but we also need to permit the traffic on the Transparent ASA:

Transparent(config)# access-list Out->In extended permit icmp host 1.1.1.1 any 
Transparent(config)# access-list In->Out extended permit icmp any host 1.1.1.1
Transparent(config)# 

EzVPN-Server#ping 1.1.1.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 6.6.6.6 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/19/21 ms
EzVPN-Server#

Local-1#ping 6.6.6.6 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 22/24/30 ms
Local-1#
First requirement done! Next we need to NAT 3.3.3.3/32 and 4.4.4.4/32 (to 10.1.26.200 and 10.1.16.200 respectively).
FO-ASA/C2(config)# object network 3-3-3-3             
FO-ASA/C2(config-network-object)# host 3.3.3.3
FO-ASA/C2(config-network-object)# nat (inside,outside) static 10.1.26.200
FO-ASA/C2(config-network-object)# access-list Out->In extended permit icmp host 3.3.3.3 any
FO-ASA/C2(config)# access-list Out->In extended permit icmp any host 3.3.3.3
FO-ASA/C2(config)#

Packet-tracer gives a clean report, but the pings fail:

DMVPN-Hub2#ping 6.6.6.6 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3 
.....
Success rate is 0 percent (0/5)
DMVPN-Hub2#

Let's add the rules to the transparent FW:

Transparent(config)#          
Transparent(config)# access-list Out->In extended permit icmp host 10.1.26.200 any       
Transparent(config)# access-list In->Out extended permit icmp any host 10.1.26.200
Transparent(config)# 

DMVPN-Hub2#ping 6.6.6.6 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 13/18/31 ms
DMVPN-Hub2#

We will switch contexts and set up 4.4.4.4.

FO-ASA/C2# copy run start 

Source filename [running-config]? 
Cryptochecksum: 967e5e08 6159c480 83720b84 caa04442 

2943 bytes copied in 0.240 secs
FO-ASA/C2# 
FO-ASA/C2# changeto con C1
FO-ASA/C1# 
FO-ASA/C1# conf t
FO-ASA/C1(config)# object network 4-4-4-4
FO-ASA/C1(config-network-object)# host 4.4.4.4
FO-ASA/C1(config-network-object)# nat (inside,outside) static 10.1.16.200
FO-ASA/C1(config-network-object)# 
FO-ASA/C1(config-network-object)# access-list Out->In extended permit icmp host 4.4.4.4 any
FO-ASA/C1(config)# access-list Out->In extended permit icmp any host 4.4.4.4                                         
FO-ASA/C1(config)# 
FO-ASA/C1(config)# access-group Out->In in interface Outside
FO-ASA/C1(config)# access-group Out->In in interface Inside 
FO-ASA/C1(config)# 

Transparent(config)# access-list Out->In extended permit icmp host 10.1.16.200 any
Transparent(config)# access-list In->Out extended permit icmp any host 10.1.16.200
Transparent(config)# 

DMVPN-Hub1#sh ip route ospf | b Gate
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O E2     1.1.1.1 [110/20] via 10.1.4.254, 04:23:28, GigabitEthernet0/0
      3.0.0.0/32 is subnetted, 1 subnets
O IA     3.3.3.3 [110/23] via 10.1.4.254, 04:23:28, GigabitEthernet0/0
      5.0.0.0/32 is subnetted, 1 subnets
O        5.5.5.5 [110/14] via 10.1.4.254, 00:52:13, GigabitEthernet0/0
      6.0.0.0/32 is subnetted, 1 subnets
O        6.6.6.6 [110/14] via 10.1.4.254, 00:52:13, GigabitEthernet0/0
      10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
O        10.1.2.0/24 [110/24] via 10.1.4.254, 04:23:28, GigabitEthernet0/0
O        10.1.3.0/24 [110/23] via 10.1.4.254, 04:23:28, GigabitEthernet0/0
O        10.1.5.0/24 [110/22] via 10.1.4.254, 04:23:28, GigabitEthernet0/0
O        10.1.7.0/24 [110/12] via 10.1.4.254, 04:23:28, GigabitEthernet0/0
O        10.1.8.0/24 [110/13] via 10.1.4.254, 00:52:13, GigabitEthernet0/0
O        10.1.9.0/24 [110/13] via 10.1.4.254, 00:52:13, GigabitEthernet0/0
O        10.1.16.0/24 [110/11] via 10.1.4.254, 04:23:28, GigabitEthernet0/0
O        10.1.26.0/24 [110/12] via 10.1.4.254, 04:23:28, GigabitEthernet0/0
      80.0.0.0/32 is subnetted, 1 subnets
O        80.2.10.1 [110/24] via 10.1.4.254, 04:23:28, GigabitEthernet0/0
DMVPN-Hub1#
DMVPN-Hub1#
DMVPN-Hub1#ping 6.6.6.6 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 15/20/35 ms
DMVPN-Hub1#

EzVPN-Server#ping 10.1.16.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.16.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 15/20/27 ms
EzVPN-Server#ping 10.1.26.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.26.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 11/15/19 ms
EzVPN-Server#

FO-ASA/C1# sh xlate     
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from Inside:4.4.4.4 to outside:10.1.16.200
    flags s idle 0:00:11 timeout 0:00:00
FO-ASA/C1# copy run start

Source filename [running-config]? 
Cryptochecksum: 27fd4949 bbe0dd79 a6dc5fac b7d2d457 

2369 bytes copied in 0.240 secs
FO-ASA/C1# 
So far, so good. Next up: 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.5.0/24 will be PAT'd to the 10.1.26.254 address.

Annoyingly, I can't really use the range command to cover all of the subnets, as the 10.1.4.0/24 network belongs to a different context, so let's see what we can do instead. An object-group is a good fit here (note the change in context):
FO-ASA/C2(config)# object-group network GlobalNats 
FO-ASA/C2(config-network-object-group)# network-object 10.1.1.0 255.255.255.0
FO-ASA/C2(config-network-object-group)# network-object 10.1.2.0 255.255.255.0
FO-ASA/C2(config-network-object-group)# network-object 10.1.3.0 255.255.255.0
FO-ASA/C2(config-network-object-group)# network-object 10.1.5.0 255.255.255.0
FO-ASA/C2(config-network-object-group)# exit
FO-ASA/C2(config)# sh object-g
object-group network GlobalNats
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
 network-object 10.1.5.0 255.255.255.0
FO-ASA/C2(config)# 
FO-ASA/C2(config)# nat (inside,outside) source dynamic GlobalNats interface                                  
FO-ASA/C2(config)# 

Let's test with Packet tracer (the output has been truncated) after adding the ACL:

FO-ASA/C2(config)# access-list Out->In extended permit icmp object-group GlobalNats any
FO-ASA/C2(config)# access-list Out->In extended permit icmp any object-group GlobalNats
FO-ASA/C2(config)# packet-tracer input inside icmp 10.1.2.254 8 0 6.6.6.6              

Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-group Out->In in interface inside
access-list Out->In extended permit icmp object-group GlobalNats any 
object-group network GlobalNats
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
 network-object 10.1.5.0 255.255.255.0
Additional Information:

Phase: 3
Type: NAT
Result: ALLOW
Config:
nat (inside,outside) source dynamic GlobalNats interface
Additional Information:
Dynamic translate 10.1.2.254/0 to 10.1.26.254/29629

FO-ASA/C2(config)# 

Transparent(config)# access-list Out->In extended permit icmp host 10.1.26.254 any
Transparent(config)# access-list In->Out extended permit icmp any host 10.1.26.254
Transparent(config)# 

CA-Flex#ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/30 ms
CA-Flex#
Now for the other context:
FO-ASA/C2# changeto con C1
FO-ASA/C1# 
FO-ASA/C1# conf t
FO-ASA/C1(config)# object network GlobalNats
FO-ASA/C1(config-network-object)# subnet 10.1.4.0 255.255.255.0
FO-ASA/C1(config-network-object)# exit  
FO-ASA/C1(config)# nat (inside,outside) source dynamic GlobalNats interface
FO-ASA/C1(config)# access-list Out->In extended permit icmp object GlobalNats any
FO-ASA/C1(config)# access-list Out->In extended permit icmp any object GlobalNats    
FO-ASA/C1(config)# 

Transparent(config)# access-list Out->In extended permit icmp host 10.1.16.254 any
Transparent(config)# access-list In->Out extended permit icmp any host 10.1.16.254
Transparent(config)# 

DMVPN-Hub1#ping 6.6.6.6       
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/21/27 ms
DMVPN-Hub1#

FO-ASA/C1(config)# sh xlate
3 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from Inside:4.4.4.4 to outside:10.1.16.200
    flags s idle 0:00:17 timeout 0:00:00
NAT from outside:0.0.0.0/0 to Inside:0.0.0.0/0
    flags sIT idle 0:00:03 timeout 0:00:00
ICMP PAT from Inside:10.1.4.4/3 to outside:10.1.16.254/3 flags ri idle 0:00:03 timeout 0:00:30
FO-ASA/C1(config)# 
Nice! That is all the NATs set up. I kind of like having the transparent firewall in the way, it adds another level to the network, and is helping me think about the traffic flow, and what could potentially be blocking the traffic. The final thing to do is secure OSPF.

Securing OSPF

At the moment we have hidden several networks behind NAT, but they are still visible in the control plane of the other routers:
EzVPN-Server#sh ip route ospf | b Gate
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O E2     1.1.1.1 [110/20] via 10.1.9.2, 01:29:48, GigabitEthernet0/3
      3.0.0.0/32 is subnetted, 1 subnets
O IA     3.3.3.3 [110/14] via 10.1.9.2, 01:29:48, GigabitEthernet0/3
      4.0.0.0/32 is subnetted, 1 subnets
O        4.4.4.4 [110/14] via 10.1.9.2, 01:29:48, GigabitEthernet0/3
      5.0.0.0/32 is subnetted, 1 subnets
O        5.5.5.5 [110/3] via 10.1.9.2, 14:47:50, GigabitEthernet0/3
      10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
O        10.1.2.0/24 [110/15] via 10.1.9.2, 01:29:48, GigabitEthernet0/3
O        10.1.3.0/24 [110/14] via 10.1.9.2, 01:29:48, GigabitEthernet0/3
O        10.1.4.0/24 [110/13] via 10.1.9.2, 01:29:48, GigabitEthernet0/3
O        10.1.5.0/24 [110/13] via 10.1.9.2, 01:29:48, GigabitEthernet0/3
O        10.1.7.0/24 [110/2] via 10.1.9.2, 01:37:18, GigabitEthernet0/3
O        10.1.8.0/24 [110/2] via 10.1.9.2, 14:47:50, GigabitEthernet0/3
O        10.1.16.0/24 [110/3] via 10.1.9.2, 01:29:48, GigabitEthernet0/3
O        10.1.26.0/24 [110/3] via 10.1.9.2, 01:29:48, GigabitEthernet0/3
      80.0.0.0/32 is subnetted, 1 subnets
O        80.2.10.1 [110/15] via 10.1.9.2, 01:29:48, GigabitEthernet0/3
EzVPN-Server#
We need to reconfigure OSPF into area 0 and area 1, hiding the NATd subnets from being advertised between the areas. So, let's set up the areas first, and then hide the NATd subnets:
FO-ASA/C1(config)# sh run router
!
router ospf 16
 router-id 10.1.16.254
 network 10.1.4.0 255.255.255.0 area 0
 network 10.1.16.0 255.255.255.0 area 0
 log-adj-changes
!
FO-ASA/C1(config)# router ospf 16              
FO-ASA/C1(config-router)# no network 10.1.16.0 255.255.255.0 area 0
FO-ASA/C1(config-router)# network 10.1.16.0 255.255.255.0 area 1
FO-ASA/C1(config-router)# 

ISP-1(config)#router ospf 1
ISP-1(config-router)#network 10.1.16.0 0.0.0.255 area 1
ISP-1(config-router)#network 10.1.7.0 0.0.0.255 area 1
ISP-1(config-router)#network 10.1.26.0 0.0.0.255 area 1
ISP-1(config-router)#

FO-ASA/C1(config-router)# changeto con C2
FO-ASA/C2(config)# 
FO-ASA/C2(config)# sh run router
!
router ospf 26
 router-id 10.1.26.254
 network 10.1.5.0 255.255.255.0 area 0
 network 10.1.26.0 255.255.255.0 area 0
 log-adj-changes
!
FO-ASA/C2(config)# router ospf 26
FO-ASA/C2(config-router)# network 10.1.26.0 255.255.255.0 area 1
FO-ASA/C2(config-router)# 

ISP-2(config)#router ospf 1
ISP-2(config-router)#network 10.1.7.0 0.0.0.255 area 1
ISP-2(config-router)#
*Jul  1: %OSPF-6-AREACHG: 10.1.7.0/24 changed from area 0 to area 1
*Jul  1: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.16.1 on GigabitEthernet0/1 from LOADING to FULL, Loading Done
ISP-2(config-router)#network 10.1.8.0 0.0.0.255 area 1
*Jul  1: %OSPF-6-AREACHG: 10.1.8.0/24 changed from area 0 to area 1                               
ISP-2(config-router)#
ISP-2(config-router)#network 10.1.9.0 0.0.0.255 area 1
*Jul  1: %OSPF-6-AREACHG: 10.1.9.0/24 changed from area 0 to area 1
ISP-2(config-router)#

EzVPN-Server(config)#router ospf 1
EzVPN-Server(config-router)#network 6.6.6.6 0.0.0.0 area 1
EzVPN-Server(config-router)#
*Jul  1: %OSPF-6-AREACHG: 6.6.6.6/32 changed from area 0 to area 1                              
EzVPN-Server(config-router)#
EzVPN-Server(config-router)#network 10.1.9.0 0.0.0.255 area 1
EzVPN-Server(config-router)#
*Jul  1: %OSPF-6-AREACHG: 10.1.9.0/24 changed from area 0 to area 1
*Jul  1: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.7.2 on GigabitEthernet0/3 from LOADING to FULL, Loading Done
EzVPN-Server(config-router)#

DMVPN-Client(config)#router ospf 1
DMVPN-Client(config-router)#network 5.5.5.5 0.0.0.0 area 1
DMVPN-Client(config-router)#
*Jul  1: %OSPF-6-AREACHG: 5.5.5.5/32 changed from area 0 to area 1
DMVPN-Client(config-router)#
DMVPN-Client(config-router)#network 10.1.8.0 0.0.0.255 area 1
DMVPN-Client(config-router)#
*Jul  1: 10.1.8.0/24 changed from area 0 to area 1
DMVPN-Client(config-router)#
DMVPN-Client(config-router)#
*Jul  1: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.7.2 on GigabitEthernet0/2 from LOADING to FULL, Loading Done
DMVPN-Client(config-router)#
DMVPN-Client(config-router)#
Now we can hide the NATd subnets:
FO-ASA(config)# changeto con C1
FO-ASA/C1(config)# router ospf 16
FO-ASA/C1(config-router)# area 0 range 10.1.4.0 255.255.255.0 not-advertise
FO-ASA/C1(config-router)# changeto con C2
FO-ASA/C2(config)# router ospf 26
FO-ASA/C2(config-router)# area 0 range 10.1.1.0 255.255.255.0 not-advertise
FO-ASA/C2(config-router)# area 0 range 10.1.2.0 255.255.255.0 not-advertise 
FO-ASA/C2(config-router)# area 0 range 10.1.3.0 255.255.255.0 not-advertise
FO-ASA/C2(config-router)# area 0 range 10.1.5.0 255.255.255.0 not-advertise
FO-ASA/C2(config-router)# 

EzVPN-Server#sh ip route ospf | b Gate
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O E2     1.1.1.1 [110/20] via 10.1.9.2, 00:03:18, GigabitEthernet0/3
      4.0.0.0/32 is subnetted, 1 subnets
O IA     4.4.4.4 [110/14] via 10.1.9.2, 00:03:18, GigabitEthernet0/3
      5.0.0.0/32 is subnetted, 1 subnets
O        5.5.5.5 [110/3] via 10.1.9.2, 00:17:31, GigabitEthernet0/3
      10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
O        10.1.7.0/24 [110/2] via 10.1.9.2, 00:03:38, GigabitEthernet0/3
O        10.1.8.0/24 [110/2] via 10.1.9.2, 00:19:06, GigabitEthernet0/3
O        10.1.16.0/24 [110/3] via 10.1.9.2, 00:03:18, GigabitEthernet0/3
O        10.1.26.0/24 [110/3] via 10.1.9.2, 00:03:28, GigabitEthernet0/3
      80.0.0.0/32 is subnetted, 1 subnets
O IA     80.2.10.1 [110/15] via 10.1.9.2, 00:03:18, GigabitEthernet0/3
EzVPN-Server#
Perfect. The thing to remember here is that the area range command specifies the area we are coming from, not going to. So the command "area 1 range 10.1.2.0 255.255.255.0 not-advertise", for example, does not work. Now let's get OSPF authenticated and nice and secure!
RTD-ASA(config)# router ospf 1
RTD-ASA(config-router)# area 0 authentication message-digest 
RTD-ASA(config-router)# int gi0/1
RTD-ASA(config-if)# ospf authentication message-digest 
RTD-ASA(config-if)# ospf message-digest-key 1 md5 cisco
RTD-ASA(config-if)# 

CA-Flex(config)#router ospf 1
CA-Flex(config-router)#area 0 authentication message-digest 
CA-Flex(config)#int gi0/1
CA-Flex(config-if)#ip ospf authentication message-digest 
CA-Flex(config-if)#ip ospf mess
CA-Flex(config-if)#ip ospf message-digest-key 1 md5 cisco
CA-Flex(config-if)#
Jul  1: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.2.254 on GigabitEthernet0/1 from LOADING to FULL, Loading Done
CA-Flex(config-if)#

CA-Flex(config-if)#int gi 0/3
CA-Flex(config-if)#ip ospf authentication message-digest
CA-Flex(config-if)#ip ospf message-digest-key 1 md5 cisco
CA-Flex(config-if)#

DMVPN-Hub2(config)#router ospf 1
DMVPN-Hub2(config-router)#area 0 authentication message-digest 
DMVPN-Hub2(config-router)#int gi 0/3
DMVPN-Hub2(config-if)#ip ospf authentication message-digest
DMVPN-Hub2(config-if)#ip ospf message-digest-key 1 md5 cisco
DMVPN-Hub2(config-if)#
DMVPN-Hub2(config-if)#int gi0/0
DMVPN-Hub2(config-if)#ip ospf authentication message-digest 
DMVPN-Hub2(config-if)#ip ospf message-digest-key 1 md5 cisco

RTD-ASA# sh ospf interface outside

Outside is up, line protocol is up  
  Internet Address 10.1.2.254 mask 255.255.255.0, Area 0 
  Process ID 1, Router ID 10.1.2.254, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 10.1.2.254, Interface address 10.1.2.254
  Backup Designated router (ID) 2.2.2.2, Interface address 10.1.2.2
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 0:00:08
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 2
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 2.2.2.2  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled <=== This is what we are looking for!
    Youngest key id is 1
RTD-ASA# 

CA-Flex#sh ip ospf interface | i protocol|authentication
Loopback100 is up, line protocol is up 
GigabitEthernet0/3 is up, line protocol is up 
  Cryptographic authentication enabled
GigabitEthernet0/1 is up, line protocol is up 
  Cryptographic authentication enabled
CA-Flex#
I won't bore you with just repeating the same commands, but I set up authentication across the OSPF network. It's the same set of commands, so no point putting the entire lot here.
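To show what "ospf authentication message-digest" actually puts on the wire, here is an added example (mine, not from the original post and not Cisco code): a small Python builder and verifier for the OSPFv2 MD5 trailer, following RFC 2328 Appendix D as I read it. For AuType 2 the 8-byte authentication field in the OSPF header carries the key ID, the digest length and a cryptographic sequence number, and a 16-byte MD5 digest of (packet || key zero-padded to 16 bytes) is appended after the packet. The hello field values are constructed to match the lab above (DR 10.1.2.254, BDR 2.2.2.2 at 10.1.2.2, key ID 1, key "cisco"); the key table and the last-seen sequence number stand in for the router's configured keys and its per-neighbour replay state.

```python
"""Toy OSPFv2 MD5 cryptographic-authentication builder/verifier.

Added example, not code from the post or from Cisco. Assumes RFC 2328
Appendix D semantics: AuType 2, key ID + auth length + sequence number
in the header auth field, MD5(packet || key padded to 16 bytes) appended
after the packet. Hello values below are constructed to mirror the lab.
"""
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
TYPE_HELLO = 1
AUTYPE_CRYPTO = 2
HDR_FMT = "!BBH4s4sHH8s"   # version, type, length, router id, area id, checksum, autype, auth
HDR_LEN = 24
DIGEST_LEN = 16
KEY_LEN = 16


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def ospf_md5_digest(packet: bytes, key: bytes) -> bytes:
    """MD5 over the OSPF packet followed by the key, zero-padded to 16 bytes."""
    padded = key[:KEY_LEN].ljust(KEY_LEN, b"\x00")
    return hashlib.md5(packet + padded).digest()


def build_hello(router_id: str, area_id: str, key_id: int, seq: int, key: bytes,
                dr: str, bdr: str, neighbors: list[str]) -> bytes:
    """Hello packet with MD5 trailer, as a router configured with
    'ip ospf message-digest-key <key_id> md5 <key>' would send it."""
    # Hello body (RFC 2328 A.3.2): mask, hello 10, options (E bit), priority 1,
    # dead 40, DR, BDR, then one 4-byte entry per known neighbour.
    body = struct.pack("!4sHBBI4s4s", _ip("255.255.255.0"), 10, 0x02, 1, 40, _ip(dr), _ip(bdr))
    body += b"".join(_ip(n) for n in neighbors)
    length = HDR_LEN + len(body)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    # The header checksum is zero when cryptographic authentication is in use.
    header = struct.pack(HDR_FMT, OSPF_VERSION, TYPE_HELLO, length,
                         _ip(router_id), _ip(area_id), 0, AUTYPE_CRYPTO, auth)
    packet = header + body
    return packet + ospf_md5_digest(packet, key)


def verify_hello(frame: bytes, keys: dict[int, bytes], last_seq: int = -1) -> bool:
    """Receiver side. True only if: the key ID is one we have configured, the
    digest matches, and the sequence number has not gone backwards (the RFC
    allows an equal sequence number, so only a smaller one is rejected)."""
    if len(frame) < HDR_LEN:
        return False
    version, _ptype, length, _rid, _area, _csum, autype, auth = struct.unpack(HDR_FMT, frame[:HDR_LEN])
    if version != OSPF_VERSION or autype != AUTYPE_CRYPTO:
        return False
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if auth_len != DIGEST_LEN or len(frame) != length + DIGEST_LEN:
        return False
    if key_id not in keys:          # no matching "youngest key id" on our side
        return False
    if seq < last_seq:              # stale or replayed packet
        return False
    expected = ospf_md5_digest(frame[:length], keys[key_id])
    return hmac.compare_digest(expected, frame[length:])


if __name__ == "__main__":
    key = b"cisco"
    hello = build_hello("10.1.2.254", "0.0.0.0", 1, 100, key, "10.1.2.254", "10.1.2.2", ["2.2.2.2"])
    print("same key:", verify_hello(hello, {1: key}))
    print("wrong key:", verify_hello(hello, {1: b"not-cisco"}))
```

The three checks in verify_hello() are what the adjacencies in the transcripts above depend on: a key ID the neighbour knows, a digest that matches, and a sequence number that has not gone backwards. Mismatched keys on either side, or a single flipped bit in the hello, make the function return False, which on a router shows up as the adjacency simply never forming rather than as an obvious security event. MD5 is what the lab is configured with here; where the platform offers it, an HMAC-SHA key chain (RFC 5709) is the stronger option for the same job.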

This now means we should be able to set up DMVPN in the next post.

CCIE Security lab: HQ ASAs - failover and stuff

Starting to make some headway now. In the previous post the LAN was set up within the HQ, and now we need to get the LAN talking to the WAN.

The HQ ASAs will be set up in a failover pair. We will also add an interface for vlan 1 to the switches, and set up a static route to the ASAs. Then we will set up NAT and see how far we can get in the topology.

Failover

First of all, let's set up LON-FW1:
hostname LON-FW1
int e0
ip add 163.4.4.254 255.255.255.0 standby 163.4.4.252
nameif outside
int e1
ip add 10.1.1.254 255.255.255.0 standby 10.1.1.252
nameif inside
int e3
ip add 10.1.55.1 255.255.255.0 standby 10.1.55.2
nameif fover
route outside 0 0 163.4.4.1
exit
failover link fover
failover interface ip fover 10.1.55.1 255.255.255.0 standby 10.1.55.2
failover lan unit pri
failover replication http
failover lan interface fover e3
failover key cisco
failover
We don't need to add much to LON-FW2, pretty much just the failover configuration. However... if you do add things, such as setting the hostname to LON-FW2, then it will be easier to see that failover is working correctly.
ciscoasa(config)# hostn LON-FW2
LON-FW2(config)# int e0
LON-FW2(config-if)# ip add 163.4.4.254 255.255.255.0 standby 163.4.4.252
LON-FW2(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
LON-FW2(config-if)# 
LON-FW2(config-if)# int e1
LON-FW2(config-if)# ip add 10.1.1.254 255.255.255.0 standby 10.1.1.252
LON-FW2(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
LON-FW2(config-if)# 
LON-FW2(config-if)# 
LON-FW2(config-if)# int e3
LON-FW2(config-if)# no sh
LON-FW2(config-if)# nameif fover
INFO: Security level for "fover" set to 0 by default.
LON-FW2(config-if)# exi
LON-FW2(config)# failover link fover
INFO: Non-failover interface config is cleared on Ethernet3 and its sub-interfaces
LON-FW2(config)# failover interface ip fover 10.1.55.1 255.255.255.0 standby 1.1.55.2
LON-FW2(config)# failover lan unit sec
LON-FW2(config)# failover replication http
LON-FW2(config)# failover key cisco
LON-FW2(config)# failover
LON-FW2(config)# failover lan interface fover e3
LON-FW2(config)# ..

        Detected an Active mate
Beginning configuration replication from mate.
ERROR: Password recovery was not changed, unable to access 
the configuration register.
Crashinfo is NOT enabled on Full Distribution Environment
End configuration replication from mate.

LON-FW1(config)# end
LON-FW1# sh interface ip brief 
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  163.4.4.252     YES CONFIG up                    up  
Ethernet1                  10.1.1.252      YES CONFIG up                    up  
Ethernet2                  unassigned      YES unset  administratively down up  
Ethernet3                  10.1.55.2       YES unset  up                    up  
LON-FW1#

A bit of housekeeping

A couple of housekeeping bits now. We need to get some routing from the switches to the firewalls:
SW1(config)#int vlan 1
SW1(config-if)#ip add 10.1.1.3 255.255.255.0
SW1(config-if)#standby 1 ip 10.1.1.1 
SW1(config-if)#standby 1 pre delay min 60
SW1(config-if)#standby 1 pri 110
SW1(config-if)#
SW1(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.254

SW2(config)#int vlan 1
SW2(config-if)#ip add 10.1.1.2 255.255.255.0
SW2(config-if)#standby 1 ip 10.1.1.1 
SW2(config-if)#standby 1 pre delay min 60
SW2(config-if)#standby 1 pri 90
SW2(config-if)#no sh
SW2(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.254
SW2(config)#
SW2(config)#int ran gi 1/1 - 3
SW2(config-if-range)#swi mo acc
SW2(config-if-range)#swi acc vl 4
SW2(config-if-range)#no sh
SW2(config-if-range)#

SW4(config)#int ra gi1/2 - 3
SW4(config-if-range)#swi mo acc
SW4(config-if-range)#swi acc vl 4
SW4(config-if-range)# 
We also need to set up the switch above the firewalls, and add a little something for the ASAs to talk to:
Switch(config)#ho LON-SW
LON-SW(config)#int ra gi 0/0 - 2
LON-SW(config-if-range)#no sh
LON-SW(config-if-range)#swi mo acc
LON-SW(config-if-range)#swi acc vl 1
LON-SW(config-if-range)#

LON1(config)#int lo1
LON1(config-if)#ip vrf for 802101
% Interface Loopback1 IPv4 disabled and address(es) removed due to disabling VRF 802101
LON1(config-if)#ip add 31.32.33.34 255.255.255.255
LON1(config-if)#

LON-FW1# ping outside 31.32.33.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 31.32.33.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
LON-FW1# 
I added this because the other devices are currently turned off. We don't really need them at the moment, but we do need to set up NAT on the firewalls so that the LAN can talk to the WAN.

NAT

LON-FW1(config)# object-group network INSIDE-NAT-SUBNETS
LON-FW1(config-network-object-group)# network-object 10.1.1.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.4.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.9.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.20.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.21.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.99.0 255.255.255.0
LON-FW1(config-network-object-group)# exi
LON-FW1(config)# nat (inside,outside) after-auto source dynamic INSIDE-NAT-SUB$
LON-FW1(config)# route inside 10.1.0.0 255.255.0.0 10.1.1.1
LON-FW1(config)# 
LON-FW1(config)# access-list outside->in extended permit ip any any 
LON-FW1(config)# access-list outside->in extended permit icmp any any 
LON-FW1(config)# access-group outside->in in interface outside 
LON-FW1(config)# 
LON-FW1(config)# end
LON-FW1# sh run | i nat
LON-FW1# 
Note that I have not included the 10.1.55.0/24 network, really we don't even need this on the switches, and it's kinda messed with the whole IP addressing thing anyway. But there we go.

It is working:
ISE14/admin# ping 31.32.33.34
PING 31.32.33.34 (31.32.33.34) 56(84) bytes of data.
64 bytes from 31.32.33.34: icmp_seq=1 ttl=254 time=19.2 ms
64 bytes from 31.32.33.34: icmp_seq=2 ttl=254 time=20.4 ms
64 bytes from 31.32.33.34: icmp_seq=3 ttl=254 time=19.0 ms
64 bytes from 31.32.33.34: icmp_seq=4 ttl=254 time=14.4 ms

--- 31.32.33.34 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3019ms
rtt min/avg/max/mdev = 14.425/18.296/20.445/2.300 ms

ISE14/admin#
This is from a Windows host in VLAN 4:
So the firewalls are set up in Active/Standby HA, we have NAT working, and our inside hosts can talk to devices beyond the firewalls.

The new switch has arrived, so I can start to play around with that. I'll need to set up UNL to use a separate NIC for this, and that will be in a later post. Till then, it's really starting to take shape!

How to NAT private IP address within a VPN

Continuing from the little lab I built up in the last post, where I looked at how to get Windows 7 running natively in UNetLab, I now am looking at how we can perform NAT inside of an IPSec tunnel.

I am using the following for this:

2x Windows 7 (Pro), with VLC, Putty, JRE and ASDM installed
2x IOSv Layer 2 switches (running 15.2)
2x ASAv (running 9.4(1))
1x IOSv (running 15.5) - AKA "Internet".

All of these are within UNetLab, which is, so far, coping nicely with just the 8GB RAM that Fusion seems to allow, but I really should put it on my ESXi server. I have seen ways to get around the 8GB limit, but every time I try, Fusion says it's unsupported, and drops it down to 32Kb. It's a challenge.

The topology looks like this (note not everything is started just yet):



The end goal is that we have a VPN between the two ASAs, with HQ performing NAT to mask the traffic inside the VPN tunnel. You may be asking "Why the hell would you ever need to do that?", and it's a very good question, really it's not something you'd have to do often, but there are those times when someone doesn't like RFC1918 addresses going across a VPN tunnel, or (more commonly) you need to VPN to another site that has overlapping internal subnets.

Basic IP addressing (all /24):

Interface          IP Address
DMZ-Server         10.1.1.10 (default gateway 10.1.1.254)
HQ Gi0/3           10.1.1.1
HQ Gi0/1           1.1.1.2
Internet Gi0/0     1.1.1.1
Internet Gi0/1     2.2.2.1
Client Gi0/1       2.2.2.2
Client Gi0/3       10.200.1.1
Client-PC          10.200.1.10 (default gateway 10.200.1.254)

HQ Switch configuration

Very basic, just one vlan, and a VIF:
Switch#sh vlan | i VLAN0011
11   VLAN0011                         active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
Switch#sh ip int bri | e unas
Interface              IP-Address      OK? Method Status                Protocol
Vlan11                 10.1.1.254      YES manual up                    up      

Switch#

Basic (HQ) ASA setup.

Below is enough to get us started, and onto ASDM from our DMZ-Server:
hostname HQ
!
interface GigabitEthernet0/1
 nameif Outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0 
!
interface GigabitEthernet0/3
 nameif DMZ
 security-level 50
 ip address 10.1.1.1 255.255.255.0 
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
route Outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
user-identity default-domain LOCAL
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 10.1.1.0 255.255.255.0 DMZ
!
ssh 1.1.1.1 255.255.255.255 Outside
ssh 10.1.1.0 255.255.255.0 DMZ
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
!
username stuart password p60UDLdMNnbR8IQ. encrypted
!

The set-up for the Client ASA is not much different, and similarly, on the Client switch we have one VLAN (200), and a VIF of 10.200.1.254:
Switch#sh vlan | i VLAN0200  
200  VLAN0200                         active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
Switch#sh ip int bri | e unas
Interface              IP-Address      OK? Method Status                Protocol
Vlan200                10.200.1.254    YES manual up                    up      

Switch#

So far we should be able to ping from our Windows PCs to our ASAs:


Basic Internet access (our first NAT).

On the Internet router, we have a loopback interface with the IP address 8.8.8.8/32. We should be able to give ourselves access to this. It's working directly from the HQ ASA at the moment:
HQ# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
HQ# 
The first NAT rule "connects" the DMZ interface to the Outside interface:
HQ(config)# nat (DMZ,Outside) after-auto source dynamic any interface 
HQ(config)# 
If we follow it through, we can see that the rule will be placed last in the NAT rules table (after-auto, which is Section 3 in the "show nat" output). We match the DMZ and the Outside interfaces (our source interface and the one we want to get to). The source is dynamic, meaning many hosts behind the DMZ interface can share this translation, and the "any" keyword matches every source address. Lastly we NAT this through to the IP address given to our Outside interface.

I did have to use the command "fixup protocol icmp" in order to get the ping to work. The ASA will convert this into the following command:
HQ(config)# policy-map global_policy
HQ(config-pmap)# class inspection_default
HQ(config-pmap-c)# inspect icmp
HQ(config-pmap-c)# 
So now we also have "Internet" access (to a loopback on the Internet router):


Let's go ahead and set up the other side, and make sure that they can also ping the "Internet":
Client# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/30 ms
Client#conf t
Client(config)# policy-map global_policy
Client(config-pmap)# class  inspection_default
Client(config-pmap-c)# inspect icmp
Client(config-pmap-c)# exit
Client(config-pmap)#exit
Client(config)# nat (Inside,Outside) source  dynamic any interf
Client(config)# 
Great! Now the client should have access:


Now we can begin to create our VPN between the two sides.

Site-to-Site (L2L) IPSec VPN on Cisco ASAs

We start with a couple of network objects, and an access-list:
Client(config)# object network MyInsideNetwork
Client(config-network-object)# subnet 10.200.1.0 255.255.255.0
Client(config-network-object)# exit
Client(config)# object network TheirRemoteNetwork
Client(config-network-object)# subnet 10.1.1.0 255.255.255.0
Client(config-network-object)# exit
Client(config)# access-list Outside_cryptomap extended permit ip object MyInsideNetwork object TheirRemoteNetwork
Now we can start to define how we are going to talk to other peers:
Client(config)# nat (Inside,Outside) source static MyInsideNetwork MyInsideNetwork destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
Client(config)#crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
Client(config)# crypto ipsec ikev2 ipsec-proposal AES256
Client(config-ipsec-proposal)# protocol esp encryption aes-256
Client(config-ipsec-proposal)# protocol esp integrity sha-1 md5
Client(config-ipsec-proposal)# exi
Client(config)# crypto ikev2 policy 1 
Client(config-ikev2-policy)# encryption aes-256
Client(config-ikev2-policy)# integrity sha
Client(config-ikev2-policy)# group 2
Client(config-ikev2-policy)# prf sha
Client(config-ikev2-policy)# lifetime seconds 86400
Client(config-ikev2-policy)# exi
Client(config)# crypto ikev1 policy 10
Client(config-ikev1-policy)# authentication pre-share 
Client(config-ikev1-policy)# encryption aes-256 
Client(config-ikev1-policy)# hash sha
Client(config-ikev1-policy)# group 2
Client(config-ikev1-policy)# lifetime 86400
Client(config-ikev1-policy)# exi
Client(config)# crypto ikev2 enable Outside
Client(config)# crypto ikev1 enable Outside
Client(config)# 
Then we create the VPN, trying to keep it as generic as possible so that it is nice and easy to paste onto our other ASA:
Client(config)# crypto map Outside_map 1 match address Outside_cryptomap
Client(config)# crypto map Outside_map 1 set peer 1.1.1.2               
Client(config)# crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
Client(config)# crypto map Outside_map 1 set ikev2 ipsec-proposal AES256
Client(config)# crypto map Outside_map interface Outside               
Client(config)# group-policy MyPeer internal             
Client(config)# group-policy MyPeer attributes 
Client(config-group-policy)# vpn-tunnel-protocol ikev1 ikev2
Client(config-group-policy)# tunnel-group 1.1.1.2 type ipsec-l2l   
Client(config)# tunnel-group 1.1.1.2 general-attributes 
Client(config-tunnel-general)# default-group-policy MyPeer
Client(config-tunnel-general)# exi
Client(config)# tunnel-group 1.1.1.2 ipsec-attributes 
Client(config-tunnel-ipsec)# ikev1 pre-shared-key MyKey
Client(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key MyKey
INFO: You must configure ikev2 local-authentication pre-shared-key
      or certificate to complete authentication.
Client(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key MyKey
Client(config-tunnel-ipsec)# 
Moving on to the other (HQ) ASA, we can (with a minor edit here and there) paste in the same config:
HQ(config)# object network MyInsideNetwork
HQ(config-network-object)# subnet 10.1.1.0 255.255.255.0
HQ(config-network-object)# exit
HQ(config)# object network TheirRemoteNetwork
HQ(config-network-object)# subnet 10.200.1.0 255.255.255.0
HQ(config-network-object)# exit
HQ(config)# access-list Outside_cryptomap extended permit ip object MyInsideNetwork object TheirRemoteNetwork
HQ(config)# nat (Inside,Outside) source static MyInsideNetwork MyInsideNetwork destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
HQ(config)# crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
HQ(config)# crypto ipsec ikev2 ipsec-proposal AES256
HQ(config-ipsec-proposal)# protocol esp encryption aes-256
HQ(config-ipsec-proposal)# protocol esp integrity sha-1 md5
HQ(config-ipsec-proposal)# exi
HQ(config)# crypto ikev2 policy 1 
HQ(config-ikev2-policy)# encryption aes-256
HQ(config-ikev2-policy)# integrity sha
HQ(config-ikev2-policy)# group 2
HQ(config-ikev2-policy)# prf sha
HQ(config-ikev2-policy)#  lifetime seconds 86400
HQ(config-ikev2-policy)# exi
HQ(config)# crypto ikev1 policy 10
HQ(config-ikev1-policy)# authentication pre-share 
HQ(config-ikev1-policy)# encryption aes-256 
HQ(config-ikev1-policy)# hash sha
HQ(config-ikev1-policy)# group 2
HQ(config-ikev1-policy)# lifetime 86400
HQ(config-ikev1-policy)# exi
HQ(config)# crypto ikev2 enable Outside
HQ(config)# crypto ikev1 enable Outside
HQ(config)# crypto map Outside_map 1 match address Outside_cryptomap
HQ(config)# crypto map Outside_map 1 set peer 2.2.2.2               
HQ(config)# crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
HQ(config)# crypto map Outside_map 1 set ikev2 ipsec-proposal AES256
HQ(config)# crypto map Outside_map interface Outside               
HQ(config)# group-policy MyPeer internal             
HQ(config)# group-policy MyPeer attributes 
HQ(config-group-policy)# vpn-tunnel-protocol ikev1 ikev2
HQ(config-group-policy)# tunnel-group 2.2.2.2 type ipsec-l2l   
HQ(config)# tunnel-group 2.2.2.2 general-attributes 
HQ(config-tunnel-general)# default-group-policy MyPeer
HQ(config-tunnel-general)# exi
HQ(config)# tunnel-group 2.2.2.2 ipsec-attributes 
HQ(config-tunnel-ipsec)#  ikev1 pre-shared-key MyKey
HQ(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key MyKey
INFO: You must configure ikev2 local-authentication pre-shared-key
      or certificate to complete authentication.
HQ(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key MyKey
HQ(config-tunnel-ipsec)# 
And boom! We have a working VPN:


Traffic works the other way as well.



OK, so now that we have a working VPN, let's see if we can NAT on the HQ side.

NAT and Site-to-Site VPNs

In order that we can hide our 10.1.1.0/24 network behind a new network (192.168.1.0/24), we need to add another network object to HQ, add a NAT rule, an access-list, and finally edit our crypto map to reference the access-list:
HQ(config)# object network YouSeeMeAs
HQ(config-network-object)# subnet 192.168.1.0 255.255.255.0
HQ(config-network-object)# exi
HQ(config)#nat (DMZ,Outside) source static MyInsideNetwork YouSeeMeAs destination static TheirRemoteNetwork TheirRemoteNetwork
HQ(config)#access-list Hidden_CryptoMap extended permit ip object YouSeeMeAs object TheirRemoteNetwork
HQ(config)#crypto map Outside_map 1 match address Hidden_CryptoMap
Now we need to change the other side to look towards the 192.168.1.0 traffic (instead of the 10.1.1.0/24 network):



Once we send some traffic between the two sites, our VPN should get established.



Quite nicely, it's preserving (or reserving) the final octet for us. However, we are now only good for being called into. Our pings from HQ to the Client fail:



OK, so how do we get both sides working, instead of this one-way traffic that we have? Well, let's try and work out what's happening.
HQ# sh nat detail 
Manual NAT Policies (Section 1)
1 (DMZ) to (Outside) source static MyInsideNetwork MyInsideNetwork   destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
    translate_hits = 32, untranslate_hits = 32
    Source - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24
    Destination - Origin: 10.200.1.0/24, Translated: 10.200.1.0/24
2 (DMZ) to (Outside) source static MyInsideNetwork YouSeeMeAs   destination static TheirRemoteNetwork TheirRemoteNetwork
    translate_hits = 7, untranslate_hits = 7
    Source - Origin: 10.1.1.0/24, Translated: 192.168.1.0/24
    Destination - Origin: 10.200.1.0/24, Translated: 10.200.1.0/24

Manual NAT Policies (Section 3)
1 (DMZ) to (Outside) source dynamic any interface  
    translate_hits = 66, untranslate_hits = 59
    Source - Origin: 0.0.0.0/0, Translated: 1.1.1.2/24
HQ# 
This is our NAT table. And here is a very long packet-tracer output:
HQ# packet-tracer input DMZ icmp 10.1.1.10 1 7 10.200.1.10 detailed 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.1.1.1 using egress ifc  Outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ,Outside) source static MyInsideNetwork MyInsideNetwork destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Outside
Untranslate 10.200.1.10/0 to 10.200.1.10/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any any 
object-group service DM_INLINE_SERVICE_1
 service-object ip 
 service-object icmp 
 service-object icmp echo
 service-object icmp echo-reply
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffcd5403e0, priority=13, domain=permit, deny=false
        hits=48, user_data=0x7fffd8e59d00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 4
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (DMZ,Outside) source static MyInsideNetwork MyInsideNetwork destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
Additional Information:
Static translate 10.1.1.10/0 to 10.1.1.10/0
 Forward Flow based lookup yields rule:
 in  id=0x7fffce1821f0, priority=6, domain=nat, deny=false
        hits=29, user_data=0x7fffce14e060, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=10.200.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=DMZ, output_ifc=Outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffcd2d74f0, priority=0, domain=nat-per-session, deny=true
        hits=270, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW 
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffcdabbd30, priority=0, domain=inspect-ip-options, deny=true
        hits=522, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 7
Type: QOS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffcd9ecd50, priority=70, domain=qos-per-class, deny=false
        hits=191, user_data=0x7fffcd9eca20, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 8      
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffcda4d390, priority=70, domain=inspect-icmp, deny=false
        hits=44, user_data=0x7fffce13f110, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:       
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffcdabb5e0, priority=66, domain=inspect-icmp-error, deny=false
        hits=128, user_data=0x7fffcdabab40, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,Outside) source static MyInsideNetwork MyInsideNetwork destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fffce182df0, priority=6, domain=nat-reverse, deny=false
        hits=29, user_data=0x7fffce14e160, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=10.200.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=DMZ, output_ifc=Outside

Phase: 11     
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 376, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

HQ# 
In Phase 1 we find our egress interface. We only have one, so it's no surprise. In Phase 2 we hit our first NAT rule - our 10.1.1.0/24 to their 10.200.1.0/24.

In Phase 3 we check (and pass) our ACLs, and in Phase 4 we perform NAT; again we hit the first NAT rule, translating our 10.1.1.10/24 client address to itself.

In Phases 5, 6 and 7 we perform per-session NAT, check the IP options and any QoS - all of these pass.

Phases 8 and 9 are np-inspects; these pass.

Phase 10 is an RPF (Reverse Path Forwarding) check, and this passed, so then it's on to the final flow-creation.

So all looks good there; we don't see any failures. However, we can see that the NAT rule we are hitting (in Phases 2, 4 and 10) is the original identity rule, from before we implemented NAT within our VPN tunnel, so the traffic leaves with its real 10.1.1.0/24 source rather than the 192.168.1.0/24 address the new crypto map access-list expects. Therefore the Client ASA will be seeing traffic come over the VPN with an incorrect endpoint address. So let's just pop over to ASDM (because it's much easier) and try moving the order of our NAT statements around.

Before:



After:


Now (thankfully), our DMZ-Client PC can access the Guest-PC:


As a final note, let's have a look at the packet tracer again and see the difference (I have truncated the output this time to make it a bit easier):
HQ# sh nat detail                                                   
Manual NAT Policies (Section 1)
1 (DMZ) to (Outside) source static MyInsideNetwork YouSeeMeAs   destination static TheirRemoteNetwork TheirRemoteNetwork
    translate_hits = 15, untranslate_hits = 15
    Source - Origin: 10.1.1.0/24, Translated: 192.168.1.0/24
    Destination - Origin: 10.200.1.0/24, Translated: 10.200.1.0/24
2 (DMZ) to (Outside) source static MyInsideNetwork MyInsideNetwork   destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24
    Destination - Origin: 10.200.1.0/24, Translated: 10.200.1.0/24

Manual NAT Policies (Section 3)
1 (DMZ) to (Outside) source dynamic any interface  
    translate_hits = 66, untranslate_hits = 59
    Source - Origin: 0.0.0.0/0, Translated: 1.1.1.2/24
HQ# packet-tracer input DMZ icmp 10.1.1.10 1 7 10.200.1.10 detailed 

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ,Outside) source static MyInsideNetwork YouSeeMeAs destination static TheirRemoteNetwork TheirRemoteNetwork
Additional Information:
NAT divert to egress interface Outside
Untranslate 10.200.1.10/0 to 10.200.1.10/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any any 
object-group service DM_INLINE_SERVICE_1
 service-object ip 
 service-object icmp 
 service-object icmp echo
 service-object icmp echo-reply

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (DMZ,Outside) source static MyInsideNetwork YouSeeMeAs destination static TheirRemoteNetwork TheirRemoteNetwork
Additional Information:
Static translate 10.1.1.10/0 to 192.168.1.10/0

Phase: 4
Type: NAT     
Subtype: per-session
Result: ALLOW

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW

Phase: 6
Type: QOS
Subtype: 
Result: ALLOW

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
              
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,Outside) source static MyInsideNetwork YouSeeMeAs destination static TheirRemoteNetwork TheirRemoteNetwork

Phase: 11
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 392, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
              
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

HQ# 

So, here we can see that the order of NAT is extremely important. The packet matched the first rule in Section 1 and was encrypted (Phase 9) with a source of 192.168.1.10 (Phase 3, "Static translate 10.1.1.10/0 to 192.168.1.10/0"). The identity rule in position 2 covers exactly the same source and destination, but it shows translate_hits = 0: Section 1 is evaluated top to bottom, the first matching rule wins, and nothing ever reaches it. The hit counters in show nat detail and a packet-tracer run are the quickest ways to spot a shadowed rule like this. If the identity (no-NAT) rule is the one that should win, it has to sit above the translating rule; manual NAT accepts a line number for that, e.g. nat (DMZ,Outside) 1 source static MyInsideNetwork MyInsideNetwork destination static TheirRemoteNetwork TheirRemoteNetwork.
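To make the lookup order concrete, here is a small Python model of the three ASA NAT sections, added here as an illustration and not code from the post or from Cisco. It assumes the documented ASA order (Section 1 manual NAT top to bottom, then Section 2 auto NAT, then Section 3 after-auto manual NAT, first match wins), builds the three rules from the show nat detail output above, and runs the same 10.1.1.10 to 10.200.1.10 packet through both orderings. The destination 198.51.100.10 is a constructed address used only to show the Section 3 PAT catching traffic that matches nothing in Section 1.

```python
"""Model of ASA NAT lookup order (added example, not the ASA's code and not
code from the post).

Assumed ASA behaviour, simplified from Cisco's documentation:
  Section 1  manual NAT, checked first, top to bottom, first match wins
  Section 2  auto (object) NAT, checked next (empty in this post)
  Section 3  manual NAT placed "after-auto", checked last
The rules below are built from the 'show nat detail' output above; the
destination 198.51.100.10 used in __main__ is a constructed address.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class NatRule:
    name: str
    src_orig: IPv4Network
    src_xlat: IPv4Network      # equal to src_orig for identity NAT
    dst_orig: IPv4Network
    dst_xlat: IPv4Network
    pat: bool = False          # dynamic PAT to a single (interface) address
    translate_hits: int = 0    # mirrors the counter in 'show nat detail'

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src_orig and dst in self.dst_orig

    def translate(self, src: IPv4Address) -> IPv4Address:
        if self.pat:
            return self.src_xlat.network_address
        # static net-to-net NAT keeps the host part of the address
        offset = int(src) - int(self.src_orig.network_address)
        return IPv4Address(int(self.src_xlat.network_address) + offset)


@dataclass
class NatTable:
    section1: list = field(default_factory=list)
    section2: list = field(default_factory=list)
    section3: list = field(default_factory=list)

    def lookup(self, src: IPv4Address, dst: IPv4Address):
        """Return (matching rule or None, translated source)."""
        for section in (self.section1, self.section2, self.section3):
            for rule in section:
                if rule.matches(src, dst):
                    rule.translate_hits += 1
                    return rule, rule.translate(src)
        return None, src  # no rule matched: the source leaves untranslated


ANY = ip_network("0.0.0.0/0")
MY_INSIDE = ip_network("10.1.1.0/24")         # object MyInsideNetwork
YOU_SEE_ME_AS = ip_network("192.168.1.0/24")  # object YouSeeMeAs
THEIR_REMOTE = ip_network("10.200.1.0/24")    # object TheirRemoteNetwork
OUTSIDE_IP = ip_network("1.1.1.2/32")         # Outside interface address


def build_table(identity_first: bool) -> NatTable:
    """Build the table from the post, optionally with the identity rule first."""
    translate = NatRule("static MyInsideNetwork YouSeeMeAs",
                        MY_INSIDE, YOU_SEE_ME_AS, THEIR_REMOTE, THEIR_REMOTE)
    identity = NatRule("static MyInsideNetwork MyInsideNetwork",
                       MY_INSIDE, MY_INSIDE, THEIR_REMOTE, THEIR_REMOTE)
    pat = NatRule("dynamic any interface", ANY, OUTSIDE_IP, ANY, ANY, pat=True)
    section1 = [identity, translate] if identity_first else [translate, identity]
    return NatTable(section1=section1, section3=[pat])


def trace(identity_first: bool, src: str, dst: str) -> dict:
    """Mimic the NAT phase of packet-tracer for one packet."""
    table = build_table(identity_first)
    rule, xlated = table.lookup(ip_address(src), ip_address(dst))
    return {
        "rule": rule.name if rule else None,
        "translated_src": str(xlated),
        "hits": {r.name: r.translate_hits
                 for r in table.section1 + table.section3},
    }


if __name__ == "__main__":
    print("order from the post:", trace(False, "10.1.1.10", "10.200.1.10"))
    print("identity rule first:", trace(True, "10.1.1.10", "10.200.1.10"))
    print("non-VPN destination:", trace(False, "10.1.1.10", "198.51.100.10"))
```

With the order from the post the packet leaves as 192.168.1.10 and the identity rule's hit counter stays at zero, matching the show nat detail output; swapping the two Section 1 rules makes the same packet leave untranslated as 10.1.1.10, and any destination outside 10.200.1.0/24 falls through to the Section 3 interface PAT.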

Hope you have enjoyed the post!


Volume 3: VPNs and NAT

With just a mere 45 days until my lab exam, I am happy to announce that the third volume in the Routing and Switching series, VPNs and NAT for Cisco Networks, has been published to the Kindle store today.

Getting the Kindle formatting has been much easier this time around, as I have used Kindle Textbook Creator, taking the printed version's PDF file, and converting straight from that.

The end result is that it looks the same as the print version (which should be available in a couple of days) and is out now.


This volume starts off with basic GRE tunnels and builds them into an IPsec-secured, optimized and tuned DMVPN network. We also look at "standard" site-to-site VPNs before moving on to NAT and IPv6 transition mechanisms.
I have kept the cost the same as the other volumes and, as usual, it is closely aligned with the CCIE Routing and Switching v5 syllabus. That said, I hope that it is accessible to readers of any level.

I am currently working on volume 4 (Multicast and QoS) and looking at volume 5 (Services). Volume 5 will most likely be the end of this series. I could go further, such as IPv6 and the IGPs, but to be honest I don't see that happening at the moment, as after volumes 4 and 5 I have another two books in mind which are not (directly) related to the Routing and Switching track. That is, of course, unless anyone has any excellent ideas for more books, in which case I am all ears!

Anyway, I hope you enjoy it.

Design the next cover, win an Amazon voucher and a free copy of the next book!

Volume 2 is nearly complete; I have ordered the first proof copy so I can check layout, image quality and how things line up compared to the first one (purely from a layout perspective). Beau, my technical editor, is still going through it, but it should be coming soon.

So, what's next?

Originally I had planned to do the IGPs (RIP, OSPF, EIGRP and IS-IS) next, but instead I have chosen to do "VPNs and NAT for Cisco Networks" for volume 3. In this volume I'll cover GRE, DMVPN, GETVPN and NAT technologies for both IPv4 and IPv6. I think this follows the progression more naturally: we started off with the global view of BGP, then the larger-scale enterprise with MPLS, and now we can start to look at connecting smaller sites together using VPNs, and with that, NAT technologies. I think it will lead on to the IGPs for volume 4 better this way.

Now I need a new cover design, and this is where you come in.

Have a look at the existing covers:



BGP (in my view) looks like a very interconnected world, highlighting the importance of BGP in our global internet, and MPLS looks like fewer connections, for the company to company networks.

For the next volume I am looking for something similar: abstract, yet understandable within the context of the book. I would like to use the same colors to keep within the running theme, or, as this is a steady progression as we move into the IGPs, maybe green; I like green as well. We don't have to stick with the circular "globe".

So if you want to have a go, then hopefully you can see what I am looking for. I would need this as a Photoshop PSD file of 7.5 x 9.25 inches; I can handle the text part.

The end date for this will be December 1st.

The winner will receive a copy of the next book, and a £50 Amazon voucher (or equivalent in your local currency, i.e. $80 USD).

Email me: stu @ 802101 .com (remove the spaces...)