Cisco ASA Static NAT Multiple Global IPs to Single Real IP

I am finally getting comfortable with Cisco ASA Object NAT introduced with software version 8.3. I like that ACLs use the real IP address not the global/translated IP Address.

I am still struggling when in the CLI trying to parse the different elements of the object, because there are two "object network XYZ" references in the configuration, one for the host and one for the NAT mapping.

Now on to the NAT fun....

I had an interesting Static NAT configuration scenario with Cisco ASA software version 9.1(1) recently. A customer has a domain registered and hosts their own public DNS servers. Originally they had two Authoritative Name Servers (NS) with different IP Addresses.

NS1
Public IP X.X.X.1
Private IP Z.Z.Z.1

NS2
Public IP X.X.X.2
Private IP Z.Z.Z.2

The ASA had the standard object with static nat translations:

object network inside-NS1
 host Z.Z.Z.1
 nat (inside,outside) static X.X.X.1
!
object network inside-NS2
 host Z.Z.Z.2
 nat (inside,outside) static X.X.X.2


They wanted to decommission NS2. The NS records with the Internet Domain Name Registrar were updated, NS2 was powered off, and the object inside-NS2 NAT and access list references were removed from the ASA configuration.

After a few days I saw in the ASA logs packets blocked for DNS requests to X.X.X.2/Z.Z.Z.2. Since there was no longer a real server at Z.Z.Z.2, I could not recreate the NAT translation.

I found Cisco documentation for Static NAT with One-to-Many. This allows for multiple public/global/outside IP addresses to be mapped to a single real/internal address.

1st, we have to remove the remaining NS1 translation:

object network inside-NS1
 host Z.Z.Z.1
 no nat (inside,outside) static X.X.X.1


2nd, we create the object range for the global/outside addresses:

object network outside-ns1-ns2
 range X.X.X.1 X.X.X.2


3rd, we add a new nat statement to the existing inside-NS1 object (object names are case sensitive on the ASA, so the name must match the object created above exactly):

object network inside-NS1
 host Z.Z.Z.1
 nat (inside,outside) static outside-ns1-ns2


The nice thing about this solution is how it handles traffic flows. When Internet traffic is sent to X.X.X.1, the returning traffic has a source IP of X.X.X.1, and when Internet traffic is sent to X.X.X.2, the returning traffic has a source IP of X.X.X.2.
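As an added example (not from the original post), a small Python helper that merges the split "object network" stanzas mentioned above and derives the one-to-many translation tables from a constructed config; it assumes the ASA behaviour that connections originated by the real host use the first address of the mapped range.

```python
import ipaddress
import re

# Constructed sample, not the post's config: X.X.X.# and Z.Z.Z.# become the
# documentation range 203.0.113.0/24 (public) and 10.1.1.0/24 (inside). As in
# 'show running-config', the host and the NAT rule of inside-NS1 are two stanzas.
SAMPLE_CONFIG = """\
object network outside-ns1-ns2
 range 203.0.113.1 203.0.113.2
object network inside-NS1
 host 10.1.1.1
!
object network inside-NS1
 nat (inside,outside) static outside-ns1-ns2
"""

def parse_objects(config):
    """Merge every 'object network NAME' stanza into one record per name."""
    objects, obj = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)$", line)
        if m:                             # later stanzas extend the same object
            obj = objects.setdefault(m.group(1), {})
        elif obj is not None and line.startswith(" "):
            t = line.split()
            if t[0] == "host":
                obj["addrs"] = [ipaddress.ip_address(t[1])]
            elif t[0] == "range":
                lo, hi = (int(ipaddress.ip_address(a)) for a in t[1:3])
                obj["addrs"] = [ipaddress.ip_address(i) for i in range(lo, hi + 1)]
            elif t[0] == "nat" and t[2] == "static":
                obj["mapped"] = t[3]      # literal IP or the name of a mapped object
    return objects

def static_nat_tables(objects):
    """Return (inbound, outbound): mapped->real and real->mapped lookups."""
    inbound, outbound = {}, {}
    for obj in objects.values():
        if "mapped" not in obj:
            continue
        try:
            mapped = [ipaddress.ip_address(obj["mapped"])]
        except ValueError:                # not a literal, so resolve the object
            mapped = objects[obj["mapped"]]["addrs"]
        real = obj["addrs"][0]            # static one-to-many: real side is one host
        for m in mapped:
            inbound[m] = real             # traffic to any mapped IP reaches the host
        outbound[real] = mapped[0]        # host-originated connections use the FIRST mapped IP (assumed ASA rule)
    return inbound, outbound
```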

Cisco ASA One to Many Static NAT



For this post:
X.X.X.# = external, public, Internet routable IP Addresses
Z.Z.Z.# = internal, private IP Addresses.

References:
Cisco Support Forums ASA 8.3 Upgrade - What You Need to Know
Cisco ASA CLI Configuration Guide, 9.0



A Network Engineer Jumps into VMware with The Official VCP5 Certification Guide

My Assistant Network Engineer Margo, recovering from a stressful day dealing with SAN Admins.
I have worked in the IT industry for 18 years. All this time I have been focused on the Network and Network Infrastructure. I have worked on everything network, from Token Ring to ATM, Frame Relay to MPLS, 10Mbps Ethernet to Fibre Channel over Ethernet, and even Fibre Channel over Token Ring.

I decided I was ready to officially jump into virtualization. I say officially because 1) I have been "touching" VMware for the last two years and 2) I'm ready to earn VCP5 certification.

To start my journey, I recently attended the vSphere 5.1 Install, Manage, and Configure class (the official class is required for VCP5 certification). The class was great for the lecture, lab, and discussion. I needed more. To prepare for the VCP5 Exam I also need a guide to further solidify my understanding.

I am making my way through The Official VCP5 Certification Guide (VMware Press Certification). This book is great! Each section provides thorough details and explanations.

Given my networking background, I enjoyed the section "Planning and Configuring vSphere Networking". I have to admit, I have felt a little out-of-the-loop when the Virtualization guys talk about virtual switches, virtual ports, virtual networks. I'm the networking guy!! I'm supposed to be working on anything with the word "network" in it. Here they are building virtual networks I know nothing about....Rude!

The book has also helped me understand storage (don't get me started on being left out with Fibre-Channel and iSCSI networking). Storage is an area that I felt was surprisingly complicated. I saw an enclosure with a bunch of hard drives connected to a mysterious box called a "Controller" and all was good. Storage admins started talking all "Zone this", "LUN that", "my HBA flogged the target via the WWN". I think the Jets and the Sharks have been replaced with the SANs and the LANs.

Thanks to Bill Ferguson's "The Official VCP5 Certification Guide" my studies in VMware vSphere are flourishing. The book is well written and provides thorough and precise explanations. I will schedule my VCP5 exam in the next few weeks and provide an update.

Thumbs Up, Great Book!!
Billy Carter
CCIE 5022

Meraki and the Cisco Cloud Networking Group

I think this is the most interesting part of the acquisition:

Cisco Acquisition of Meraki: "Cisco's strategy is to take Meraki's cloud platform and business model and scale this within Cisco as our new Cloud Networking Group, led by Sanjit, John, and Hans."
I wonder if any existing Cisco groups will be moved into the Cloud Networking Group.



Cisco Announces Intent to Acquire Meraki

November 18, 2012 at 5:34 pm PST

Cisco is dedicated to innovation as the path to growth as well as the key to sustaining our market leadership position. Our build, buy, partner strategy has always been driven by customer need and on capturing market transitions.

Today, we are excited to announce an important acquisition that addresses the rapidly occurring shift to cloud networking as a key part of Cisco’s overall strategy. San Francisco-based Meraki, a leader in cloud networking, offers customers on-premise networking solutions that are centrally managed from the cloud.

When compared to other opportunities, Meraki built a unique cloud-based business from the ground up that addresses the broader networking shift towards cloud, not just within wireless. Meraki created a massively scalable architecture that offers easy to deploy, secure, and manage networks. They didn’t obsess about the number of features, but instead focused on those that could be simplified or removed entirely.  Customers liked what they saw, and today they are supporting 20,000 customers and hundreds of thousands of network devices on their cloud platform. This has resulted in a business that is growing exponentially with great margins.

Talent is one of the most important components of every Cisco acquisition. Meraki’s co-founders, Sanjit, John and Hans, are true visionaries and leaders. The founders began with the technology, and then experimented with different markets -- pivoting from a research project at MIT to a municipal Wi-Fi company to a leading cloud networking company focused on the midmarket. Along the way, they recruited experts and created a culture in San Francisco that attracted great talent. They have focused this team around a business model that combines a rapid development methodology tightly linked to a go to market engine.

During the course of our interactions, we quickly realized that Cisco and Meraki’s shared a vision of accelerating the adoption of cloud within networking as a means to simplify operations and enable new network applications. Sequoia Capital, an early investor in Cisco, also recognized the strength of the people at Meraki, and it’s great to see the technology ecosystem come full circle.

The Meraki acquisition is another example of Cisco’s focus on accelerating our adoption of software based business models. In fact, Cisco’s last seven acquisitions (Cloupia, vCider, ThinkSmart, Virtuata, Truviso, ClearAccess and NDS) have all been software companies. Cisco’s strategy is to take Meraki’s cloud platform and business model and scale this within Cisco as our new Cloud Networking Group, led by Sanjit, John, and Hans.

I am delighted to welcome the Meraki team to the Cisco family, and look forward to a prosperous and industry-transforming future together.



Over 50 FREE VMware Instructional Videos Available at VMwareLearning.com


VMware Education has released a new video site with over 50 of our free instructional videos, on products including: vSphere, vCloud Director, Site Recovery Manager (SRM), vFabric, and more. Now you can grow your IT skills with free training, expertise, and insights on VMware products, all in one convenient location.

Instructional Videos – freely accessible, these short technical videos allow VMware technical experts to provide tips and step-by-step instructions on product features, design best practices, configuring, deploying and running your virtual infrastructure.


Administering VMware Site Recovery Manager 5.0 - Book Review

Administering VMware Site Recovery Manager 5.0
I received a copy of Mike Laverick's "Administering VMware Site Recovery Manager 5.0". This is a terrific book, and the first book from VMware Press. Mike has been providing terrific guides, white papers, and videos for years on his website RTFM Education.

To some, the organization and presentation of this book may seem unconventional. Chapter 1 describes Site Recovery Manager, DR technologies, and addresses misconceptions of VMware technologies often thought of as DR technologies. Chapters 2 - 6 individually explain how to configure Dell, EMC Celerra, EMC CLARiiON, HP StorageWorks, and NetApp storage for VMware. Chapters 7 - 16 then cover the configuration and operation of VMware SRM. Chapter 1 plus one of Chapters 2 - 6 makes this book worthwhile to anyone installing a VMware solution with a SAN.

With my background being long in the tooth with networking and a little green in virtualization, Chapter 1 was most significant to me. I have been trying to understand the architectural differences and benefits of the different VMware technologies such as vMotion, High Availability Clusters, Fault Tolerance, and SRM.


Chapter 1, What is SRM, How Was DR Done Before SRM, and What VMware Technologies are Not DR

Chapter 1 provides an "Introduction to Site Recovery Manager". The chapter offers what is new in Site Recovery Manager 5.0 and, as Mike puts it, "what life was like before virtualization and before VMware SRM".

The original DR strategy was to have physical servers at the production and DR locations and rely on conventional backup and restore. The next approach brought in virtualized servers; some suggested P2V technologies to synchronize physical servers with virtual servers. Either the production servers or the DR servers were virtualized. This approach requires the use of the storage vendor's replication or snapshot technologies. These are needed to replicate the data files that make up the virtual machine (VMX, VMDK, NVRAM, log, snapshot, and/or swap files). Mike goes on to detail the other technology issues (changing IP addresses) and political issues (the storage group may not be the same people as the virtualization group) which need to be addressed. Again, as Mike says, "It was again within this context that VMware engineers began working on the first release of SRM".

Next, this chapter discusses "What Is Not a DR Technology". The VMware technologies discussed provide some terrific benefits, and each has its place, but it is argued that these should not be construed as DR technologies.

As an example, some consider vMotion a DR technology. vMotion allows virtual machines to be moved from one host to another. For vMotion to be remotely considered a DR technology, virtual servers need to be moved from one physical location to another. It is not an acceptable DR design to have a DR data center within close proximity of a production data center (close enough to have your own fiber run, or where I live, to have two buildings along the same potential tornado path). To be considered a DR technology, vMotion needs to support moving virtual machines across some distance (I consider a minimum of 30 miles necessary). Another necessary concept to understand is that a vMotion is a planned event. That is, an administrator must initiate a vMotion, and in a disaster scenario this is often not possible.

Finally (there is a lot in the 1st chapter) there is a discussion of the principles of storage management and replication. He does a great job of breaking through the "marketing speak" to generalize on the storage technologies most vendors support. In other words, Ford, GM, and Chrysler each offer Park, Reverse, Forward, and a radio; they may have entirely different methods of delivering these, but they all do it.


The Storage Vendors Chapters

Chapters 2 through 6 are dedicated to configuring specific vendors' storage to work with VMware. Being somewhat new to VMware and also working in a place where I am exposed to multiple storage vendors, I really appreciated these chapters. These are great for those with limited experience configuring VMware to work with different vendors' SANs. For me, these chapters were excellent. Mike provides terrific information for Dell, EMC, HP, and NetApp SAN platforms. While this doesn't cover every storage vendor, the basic principles apply to those not covered.



Installing, Configuring, and Customizing SRM
Chapter 7 explains installing SRM and thoroughly discusses planning and design, storage replication, and networking requirements. New VMware 5.0 features like automated failback, vSphere Replication, and bidirectional protection definitely add to the value and functionality of SRM. This chapter is very insightful for understanding the configuration of protected and recovery sites, storage replication planning and design, and configuring SRM workflow and recovery plans.

Mike walks the reader through the entire installation and configuration process with plenty of screenshots and real world examples. It is easy to follow along as he builds out an SRM solution. As the solution is built out, he covers advanced topics like customizations, scripting, and complex configurations.

The final chapter documents upgrading from SRM 4.1 to 5.0, which would be very helpful for readers still running VMware 4.1.



Summary
This is a terrific book from VMware Press. Mike Laverick has provided a well written and organized book. The chapters covering Dell, EMC, HP, and NetApp Storage Arrays are terrific. Administering VMware Site Recovery Manager 5.0 should be on the bookshelf of VMware and Storage admins.


Disclaimer: I received a complimentary copy of this book from VMware Press. I am not being compensated for this review. All views expressed are my own.