Tuesday, November 26, 2013

GNS3 labs

Just playing with some NAT capabilities...

Topology #1

I'm trying to emulate something similar to what we have at work.  We have two network boundaries with two separate IP spaces: one side uses 10.X.X.X while the other uses 192.168.X.X.

I'm using all-zero (0.0.0.0/0) default routes on the edge routers to point at the boundary devices.  VEND-RTR1 and VEND-RTR2 point to the fa0/1 IP address of VEND-RTR (192.168.0.1), while the CORE router learns its route from a static route redistributed on the BORDER-RTR.

On the BORDER-RTR I'm using a static route for 192.168.0.0 255.255.0.0 pointing to 66.170.150.2.
On the VEND-RTR I'm using a static route for 10.0.0.0 255.0.0.0 pointing to 66.170.150.1.

Currently, the 10.X.X.X address space can reach the various 192.168.X.X networks and vice versa.

Now I want to set up a static NAT that translates the addresses of the two vendor-side hosts (192.168.50.1 and 192.168.100.1) into 10.X.X.X addresses managed by the company on the left.  This could prove helpful in the event of overlapping IP space, since the company side then never has to route to the vendor's 192.168 addresses directly.

First off, I identify on the BORDER-RTR which interface is the NAT inside (the company side) and which is the NAT outside (the vendor side).

Once the inside and outside interfaces are marked, the change itself is pretty simple.

Here we identify the outside global addresses (the vendor's real 192.168.50.0 and 192.168.100.0 addresses) and the outside local addresses they are translated to (10.147.0.0 and 10.146.0.0 respectively, which is what the company side sees).  Because this is an outside source translation, IOS routes an inside-to-outside packet before it translates it, so the BORDER-RTR also needs a route for the outside local address pointing toward the NAT outside interface; without one a packet for 10.147.0.1 never reaches the interface where the translation happens.  To test, go to VEND-RTR2 and run debug ip packet detail to confirm the traffic arrives when pinging 10.147.0.1 from the CORE router (fine on a lab box; on a busy production router, scope that debug with an access list, because it logs every packet the router handles).
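As an added example, here is my reconstruction of the BORDER-RTR side of topology #1 in IOS (this is not the configuration from the original post or its screenshots).  The interface numbering, the /30 mask on the vendor link and the use of the add-route keyword are assumptions; the addresses are the ones given above.

```cisco
! BORDER-RTR (IOS 12.4) - added example, not the post's own config.
! Interface numbering and the /30 on the vendor link are assumptions; the
! inside interface address is omitted because the post does not give it.
interface FastEthernet0/0
 description Company side (10.0.0.0/8 lives behind here)
 ip nat inside
!
interface FastEthernet0/1
 description Vendor link to VEND-RTR
 ip address 66.170.150.1 255.255.255.252
 ip nat outside
!
! Routing described in the post: all of 192.168.0.0/16 is reached via VEND-RTR.
ip route 192.168.0.0 255.255.0.0 66.170.150.2
!
! Outside source static NAT. Left operand: the vendor's real address
! (outside global). Right operand: the address the company side sees
! (outside local). The 50<->147 pairing matches the show output in the
! post; 100<->146 is the same pattern applied to the second vendor host.
! IOS routes an inside-to-outside packet BEFORE translating it, so the
! router must hold a route for the outside local address that leads out
! the NAT outside interface. add-route installs that host route for you;
! a manual "ip route 10.147.0.1 255.255.255.255 66.170.150.2" would do too.
ip nat outside source static 192.168.50.1  10.147.0.1 add-route
ip nat outside source static 192.168.100.1 10.146.0.1 add-route
!
! Checks after configuring (expected shape of the output, not a capture):
!   show ip nat translations
!     Pro Inside global  Inside local  Outside local  Outside global
!     --- ---            ---           10.147.0.1     192.168.50.1
!     --- ---            ---           10.146.0.1     192.168.100.1
!   show ip route 10.147.0.1          (the host route add-route installed)
!   debug ip nat detailed             (per-packet s=/d= rewrite; lab use only)
```

The thing to notice is that nothing on the vendor side changes: VEND-RTR still only knows about 10.0.0.0/8 via 66.170.150.1, and the company side only ever talks to 10.147.0.1 and 10.146.0.1.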

As seen above, the CORE router's ping reaches the vendor-side router where that network lives.  By the time it arrives the destination is the real address 192.168.50.1, since the BORDER-RTR rewrote it on the way out.

Above is the output of sh ip nat translations on the BORDER-RTR.  The entry shows the translation between 192.168.50.1 (the outside global address) and 10.147.0.1 (the outside local address).

Topology #2

This setup is similar to topology #1.  The main difference is that instead of Cisco 2691s running IOS 12.4(25c) as the border devices, we are using Cisco ASA 5520s running 8.4(2), which means the object-based NAT syntax introduced in 8.3.

First off, I've created a couple of network objects (to be used in the NAT statement):

Once the network objects exist, the NAT statement for the DISHASA is pretty straightforward.

We are essentially saying: "For a packet arriving on the outside interface whose source address matches the real object, rewrite the source to the mapped object."  Static NAT rules on the ASA are bidirectional, so the same rule also rewrites the destination of inside traffic sent to the mapped address, which is what lets the CORE router ping 10.147.0.1.

Note: In the NAT statement the interfaces are referenced by their nameif, and the order of the interface pair (real interface first, mapped interface second) is what sets the direction of the rule; the security level does not decide NAT direction.  What the security level does govern is which traffic is allowed by default: an interface named inside is given security-level 100 and any other name (including outside) gets 0, and traffic from a higher to a lower level is permitted without an access list while the reverse direction needs one.  Since 8.3 those access lists match the real (untranslated) addresses, so a rule on the outside interface that permits the vendor host must reference 192.168.50.1, not 10.147.0.1.
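For completeness, here is the ASA equivalent for topology #2, again as an added example and not the DISHASA's actual configuration.  The interface slots, the object names and the inside address are assumptions; the addresses being translated and the nat syntax are the 8.3+ twice NAT form described above.

```cisco
! DISHASA (ASA 8.4(2)) - added example, not the post's own config.
! Interface slots, object names and the inside address are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 66.170.150.1 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
! Real (vendor) addresses and the mapped addresses the company side will use.
object network VENDOR1-REAL
 host 192.168.50.1
object network VENDOR1-MAPPED
 host 10.147.0.1
object network VENDOR2-REAL
 host 192.168.100.1
object network VENDOR2-MAPPED
 host 10.146.0.1
!
! Twice NAT, interface pair is (real_ifc,mapped_ifc). A packet entering
! outside from 192.168.50.1 has its source rewritten to 10.147.0.1. Static
! rules are bidirectional, so a packet from inside to 10.147.0.1 has its
! destination rewritten to 192.168.50.1 and leaves via outside (the NAT
! rule, not a route lookup, picks the egress interface for mapped traffic).
nat (outside,inside) source static VENDOR1-REAL VENDOR1-MAPPED
nat (outside,inside) source static VENDOR2-REAL VENDOR2-MAPPED
!
route outside 192.168.0.0 255.255.0.0 66.170.150.2
!
! ICMP is not tracked statefully unless icmp inspection is on; with it, the
! echo replies to CORE's ping return without needing an outside access list.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! If the vendor side must ever initiate toward the company, post-8.3 access
! rules match the REAL address: permit 192.168.50.1, not 10.147.0.1.
! (Illustrative rule, scoped to one assumed inside host and one port.)
access-list OUTSIDE_IN extended permit tcp host 192.168.50.1 host 10.1.0.10 eq 22
access-group OUTSIDE_IN in interface outside
!
! Checks:
!   show nat detail
!   packet-tracer input inside icmp 10.1.0.10 8 0 10.147.0.1
!     (expect the NAT phase to show 10.147.0.1 -> 192.168.50.1, an ALLOW
!      result, and outside as the egress interface)
```

packet-tracer is the quickest way to confirm that the rule direction is right: if the interface pair were reversed, the trace would show no NAT hit for the mapped address and the ping would simply follow the routing table.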