Monday, April 29, 2013

Cisco ASA Static NAT Multiple Global IPs to Single Real IP

I am finally getting comfortable with Cisco ASA Object NAT introduced with software version 8.3. I like that ACLs use the real IP address not the global/translated IP Address.

I am still struggling when in the CLI trying to parse the different elements of the of the object because there are two "object network XYX" references in the configuration, one for the host and one for the NAT mapping.

Now on to the NAT fun....

I had an interesting Static NAT configuration scenario with Cisco ASA software version 9.1(1) recently. A customer has a domain registered and hosts their own public DNS servers. Originally they had two Authoritative Name Servers (NS) with different IP Addresses.

NS1
Public IP X.X.X.1
Private IP Z.Z.Z.1

NS2
Public IP X.X.X.2
Private IP Z.Z.Z.2

The ASA had the standard object with static nat translations:

object network inside-NS1
 host Z.Z.Z.1
 nat (inside,outside) static X.X.X.1
!
object network inside-NS2
 host Z.Z.Z.2
 nat (inside,outside) static X.X.X.2


They wanted to decommission the NS2. The NS records with the Internet Domain Name Registrar where updated, NS2 was powered off, and object inside-NS2 NAT and access list references was removed from the ASA configuration.

After a few days I saw in the ASA logs, packets blocked for DNS requests to X.X.X.2/Z.Z.Z.2. Since there was no long a real server at Z.Z.Z.2 I could not recreate the NAT translation.

I found Cisco documentation for Static NAT with One-to-Many. This allows for multiple public/global/outside IP addresses to be mapped to a single real/internal address.

1st we have to remove the remaining NS1 translation

object network inside-NS1
 host Z.Z.Z.1
 no nat (inside,outside) static X.X.X.1


2nd we create the object range for the global/outside addresses

object network outside-ns1-ns2
 range X.X.X.1 X.X.X.2


3rd we add a new nat statement

object network inside-ns1
 host Z.Z.Z.1
 nat (inside,outside) static outside-ns1-ns2


The nice thing about this solution is how it handles traffic flows. When Internet traffic sent to X.X.X.1, the returning traffic has a source IP of X.X.X.1, and Internet traffic sent to X.X.X.2, the returning traffic has a source IP of X.X.X.2.

Cisco ASA One to Many Static NAT
Cisco ASA One to Many Static NAT



For this post:
 X.X.X.# = external, public, Internet routable IP Addresses
Z.Z.Z.# = internal, private, IP Addresses.

References:
Cisco Support Forums ASA 8.3 Upgrade - What You Need to Know
Cisco ASA CLI Configuration Guide, 9.0


Home

Saturday, April 27, 2013

A Network Engineer Jumps into VMware with The Official VCP5 Certification Guide

Assistant Network Engineer Recovering from stressful day dealing with SAN Admins
My Assistant Network
Engineer Margo.
I have worked in the IT industry for 18 years. All this time I have been focused on the Network and Network Infrastructure. I have worked on everything network, from Token Ring to ATM, Frame Relay to MPLS, 10Mbps Ethernet to Fibre Channel over Ethernet, and even Fibre Channel over Token Ring.

I decided I was ready to officially jump into virtualization. I say officially because 1) I have been "touching" VMware for the last two years and 2) I'm ready to earn VCP5 certification.

To start my journey, I recently attended the vSphere 5.1 Install, Manage, and Configure class (the official class is required for VCP5 certification). The class was great for the lecture, lab, and discussion. I needed more. To prepare for the VCP5 Exam I also need a guide to further solidify my understanding.

I am making my way through The Official VCP5 Certification Guide (VMware Press Certification). This book is great! Each section provides thorough details and explanations.

Given my networking background, I enjoyed the section "Planning and Configuring vSphere Networking". I have to admit, I have felt a little out-of-the-loop when the Virtualization guys talk about virtual switches, virtual ports, virtual networks. I'm the networking guy!! I'm supposed to be working on anything with the word "network" in it. Here they are building virtual networks I know nothing about....Rude!

The book has also helped me understand storage (don't get me started on being left out with Fibre-Channel and iSCSI networking). Storage is an area that I felt was surprisingly complicated. I saw an enclosure with a bunch of hard drives connected to a mysterious box called a "Controller" and all was good. Storage admins started talking all "Zone this", "LUN that", "my HBA flogged the target via the WWN". I think the Jets and the Sharks have been replaced with the SANs and the LANs.

Thanks to Bill Ferguson's "The Official VCP5 Certification Guide" my studies in VMware vSphere are flourishing. The book is well written, provides thorough and precise explanations. I will schedule my VCP5 exam in the next few weeks and provide an update.

Thumbs Up, Great Book!!
Billy Carter
CCIE 5022