Double NAT on ASA 8.4? Thanks to GNS3

Yesterday I received a task at work to resolve a VPN issue. It wasn't a straightforward one. The client wanted to create a new internet link via a new ASA firewall to reach a PPTP server sitting inside the network, while the default route still points to their old internet link. One suggestion was to create a double NAT environment, but how? Thanks to GNS3, I created a lab with an ASA and Cisco 7200 routers to simulate the situation and was able to find a solution.

So what needs to be done is to create a double NAT on the ASA; this way I don't have to change the default route.

Simple Network Diagram

C1 is the VPN Client, R1 is the ISP router, ASA is the firewall, R2 is the Core Switch and R3 is the PPTP server.

Here are the interface configurations:
R1 G1/0 : 222.111.111.1
R1 G2/0 : 233.111.111.254
C1 : 233.111.111.5
ASA: G1/0 : 222.111.111.2 (Outside)
ASA: G2/0 : 192.168.2.1 (Inside)
ASA NAT POOL : 192.168.11.1 – 192.168.11.254
R2: G1/0 : 192.168.2.2
R2: G2/0 : 192.168.10.1
R3: G1/0 : 192.168.10.18 (PPTP SERVER)
R3: VPN POOL : 192.168.5.1 – 195.168.5.254

R1 Configuration

int gi1/0
ip add 222.111.111.1 255.255.255.252
int gi2/0
ip add 233.111.111.254 255.255.255.0

R2 Configuration

int gi1/0
ip add 192.168.2.2 255.255.255.252
int gi2/0
ip add 192.168.10.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.2.1

R3 Configuration

int gi1/0
ip add 192.168.10.18 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.10.1

aaa new-model
! Authentication against the local user database; the PPTP user account itself is not shown here
aaa authentication login VPNAUTHEN local
aaa authorization network VPNAUTHOR local

! vpdn enable is required before any vpdn-group takes effect
vpdn enable
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15

interface Virtual-Template1
ip address 192.168.5.1 255.255.255.0
peer default ip address pool vpnpool
no keepalive
ppp authentication pap chap ms-chap ms-chap-v2
!
! Pool ends at .254; .255 is the broadcast address of 192.168.5.0/24
ip local pool vpnpool 192.168.5.2 192.168.5.254

ASA

interface GigabitEthernet0
nameif Outside
security-level 0
ip address 222.111.111.2 255.255.255.252
!
interface GigabitEthernet1
nameif Inside
security-level 100
ip address 192.168.2.1 255.255.255.252
!
! Real address of the PPTP server on the inside
object network pptp_inside
host 192.168.10.18
! Mapped source addresses given to VPN clients; R2 reaches them via its existing default route
object network NAT_POOL
range 192.168.11.1 192.168.11.254
object service pptp
service tcp destination eq pptp
object network Inside-network
subnet 192.168.0.0 255.255.0.0
! Lab ACLs: everything is permitted in both directions
access-list Outside_access_in extended permit ip any any
access-list Inside_access_in extended permit ip any any
! Twice NAT: TCP/1723 from any outside host to the Outside interface address gets its
! source translated into NAT_POOL and its destination translated to pptp_inside
nat (Outside,Inside) source dynamic any NAT_POOL destination static interface pptp_inside service pptp pptp
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 222.111.111.1 1
route Inside 192.168.0.0 255.255.0.0 192.168.2.2 1
!
policy-map global-policy
class class-default
! inspect pptp opens the GRE data channel that belongs to the TCP/1723 control connection
inspect pptp
set connection advanced-options tcp-state-bypass
!
service-policy global-policy global

What I want to achieve is this: when the VPN client (any source address) connects to 222.111.111.2, its source is translated to 192.168.11.x and the destination to 192.168.10.18. PPTP can then be set up, and it won't affect people who connect via the existing internet link.
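As an added example that is not part of the original post, the following Python model of the twice-NAT rule shows the two translations applied to the PPTP control connection (TCP/1723) and why the return path works without touching the default route: the inside hosts see a 192.168.11.x source, which R2 and R3 already reach through the default route pointing at the ASA. Only the control channel is modeled; the GRE data channel that inspect pptp opens is not.

```python
# Added example (not from the original post): a small model of the ASA 8.4 rule
#   nat (Outside,Inside) source dynamic any NAT_POOL
#       destination static interface pptp_inside service pptp pptp
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

OUTSIDE_IF = IPv4Address("222.111.111.2")   # ASA Outside interface (the "interface" keyword)
PPTP_INSIDE = IPv4Address("192.168.10.18")  # object network pptp_inside
NAT_POOL = IPv4Network("192.168.11.0/24")   # object network NAT_POOL (.1 - .254)
PPTP_PORT = 1723                            # object service pptp


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class TwiceNat:
    """Stateful model of the twice-NAT rule: one xlate per client connection."""

    def __init__(self):
        self.pool = iter(NAT_POOL.hosts())   # dynamic pool, handed out in order
        self.xlate = {}                      # (mapped_src, sport) -> real client address

    def outside_to_inside(self, f: Flow):
        """Client -> ASA Outside address. Returns the translated flow or None if the rule
        does not match (the rule is limited to TCP/1723 to the interface address)."""
        if f.proto != "tcp" or IPv4Address(f.dst) != OUTSIDE_IF or f.dport != PPTP_PORT:
            return None
        mapped = str(next(self.pool))
        self.xlate[(mapped, f.sport)] = f.src
        # Source becomes a pool address that R2/R3 route back to the ASA via their
        # existing default route; destination becomes the real PPTP server.
        return Flow(mapped, f.sport, str(PPTP_INSIDE), f.dport)

    def inside_to_outside(self, f: Flow):
        """PPTP server -> client. Undoes both translations using the stored xlate."""
        real = self.xlate.get((f.dst, f.dport))
        if real is None or IPv4Address(f.src) != PPTP_INSIDE:
            return None
        return Flow(str(OUTSIDE_IF), f.sport, real, f.dport)
```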

Deploying 2 Cisco ISE Nodes using the ISE NFR Kit

If you have read my previous post, I successfully upgraded the ISE 1.0MR to ISE 1.1.1 using the Cisco Installation and Upgrade Guide. According to the Cisco ISE deployment guide, we should be able to deploy a secondary node as long as you have the license on the Primary node.
Continue reading

Problems with Mountain Lion running in Windows 7 VMware Workstation 9

I was using a Hackintosh on my previous Quad2core desktop before upgrading to an i7 3630k. I need more processing power to set up my Cisco study lab. I need to learn about ISE, CUCM, CUPS, NCS, UCCX, etc. After I got the i7 3630k, I decided to run VMware ESXi 5; however, for some reason it doesn't recognize my network card and I was unable to install VMware ESXi 5.

I installed Windows 7 Professional 64 bit and purchased VMware Workstation 9 to run VMs on top of Windows. I am happy with the result so far. With 4 – 6 VMs running and CPU load below 20% most of the time, I know I can run a few more VMs.

Since I was using a Hackintosh, I would like to set up a Mac OS VM and mount my old file system back.
Continue reading

Upgrade my desktop to i7 3930K

The Quad 2 core 2600 CPU with 8 GB of memory is no longer good enough for me. With Cisco CCIE Voice study, I would like to set up a Cisco Voice related lab at home. It may not be a complete lab, but at least I would like to test some Cisco products so I can be well prepared before I really need to work on their newest software.

As you may have seen in my previous post about Cisco ISE, which runs on a VM, I was trying to have 2 ISE nodes running as primary and secondary. However, due to the lack of memory and CPU power, it runs very slowly on the Quad2core system.

To learn new technology, you just have to invest time and money; without working on a real product, you will never know how it really works. It's like people telling you how to drive: you think you know how to drive, but you haven't really driven a car. Do you think you can drive it when you first jump into it?

Continue reading

Upgrade Cisco ISE 1.0MR NFR to 1.1.1

There is a document that comes with the ISE USB. It explains how to set up the Cisco Identity Services Engine (ISE) Not-For-Resale partner bundle in an ESXi lab environment and how to upgrade it from 1.0MR to 1.1. The newest version on Cisco is 1.1.1, so I followed the instructions and went from 1.0MR to 1.1.1 (aka 1.1MR).

The default VM setting on the ISE 1.0MR is 1 processor and 2GB RAM. The IP address of the ISE is 10.10.10.70 and the default gateway is 10.10.10.1. Using the predefined username and password given in the document, you will be able to get into the CLI as well as the web GUI (provided you have your virtual network adapter set up correctly for your host computer to talk to the virtual machine). In my case, I run the VM on my Hackintosh, which uses VMware Fusion 3. I changed the VM setting to 2 processors and 4GB of RAM.

To upgrade the ISE NFR from 1.0MR to 1.1.1, the first step is to download the update file from the Cisco website. You will need your CCO account to obtain the update software. The file I downloaded is ise-appbundle-1.1.1.268.i386.gz.

On my Hackintosh, I enabled web sharing and put the downloaded file in the web directory. After that, I logged in to the ISE via SSH to 10.10.10.70. The ISE CLI is similar to Cisco IOS: you can do show run to see the running configuration. To prepare for the upgrade, there is some configuration you need to put in (the repository points at the web share on the host):

ISE/admin# conf t
ISE/admin (config)# repository iseupgrade
ISE/admin (config)# url http://10.10.10.1
ISE/admin (config)# end
ISE/admin# application upgrade ise-appbundle-1.1.1.268.i386.gz iseupgrade

After the install is complete, ISE will reboot. You can use the command “show version” to check the ISE version after the upgrade. It should show 1.1.1.268.

The next thing I am going to try is to set up 2 nodes using this NFR kit.

Cisco ISE 1.0 NFR VM

All the new projects I am working on are related to Cisco ISE (Identity Services Engine). To understand this Cisco product better, apart from reading all the documents on cisco.com, I have also purchased the NFR kit from Cisco.

You can purchase an 8GB USB stick from the Cisco Marketplace that contains the ISE 1.0MR VMware image. The ISE 1.0 NFR kit is free, but the 8GB USB will cost you USD$24.99 + shipping.

It comes with 20 permanent advanced licenses and you can upgrade this NFR ISE from 1.0 to 1.1.1.

Update: you can upgrade the NFR kit from 1.0 to 1.1.2

Lightroom 4 workshop

I went to a Lightroom 4 Workshop for 2 days and learned something new. Now I know how to apply a filter to bring some light back into some areas of a photo!

Before

After

Cisco Zone Based Firewall and HSRP

I was working on a project which involved 2 routers that also act as firewalls. The reason for that is that someone wanted to replace a standalone Cisco PIX firewall with 2 x routers to improve availability as well as security.

I am really not sure who came up with this idea. It gave me enough headaches during the implementation process. The challenges are:
– The zone based firewalls on the routers cannot work in a cluster mode like a Cisco ASA
– Multiple WAN interfaces with an EIGRP/OSPF routing process break the symmetry of the traffic flow, so a stateful firewall may see only one direction of a flow
– A stateful failover cannot be set up


To achieve this setup, I used an EEM script to detect the HSRP syslog message for a failure; the EEM script removes the routing process on the router whose link has failed and enables the routing process on the router that becomes active.

I spent a lot of time working out this “solution”, given that I had to use the pre-selected hardware to reach the high availability requirement. I believe what I have done is good enough to meet the client's expectations without them needing to buy new hardware. To be honest, they should really get a firewall instead of using 2 x 3900 series routers as a firewall.
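As an added illustration, not the configuration from the project above, this is the shape of the EEM applet pair described: it assumes HSRP group 1 on GigabitEthernet0/0 and OSPF process 1 as the routing process, and it shuts the OSPF process down rather than deleting it, so the same two applets can be loaded unchanged on both routers.

```ios
! Added example, not the project's configuration. Assumed: HSRP group 1 on
! GigabitEthernet0/0 and OSPF process 1 as the routing process on both routers.
! When this router becomes HSRP Active, bring the OSPF process up so traffic is
! attracted to it and the zone-based firewall sees both directions of each flow.
event manager applet HSRP-BECAME-ACTIVE
 event syslog pattern "HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state .* -> Active"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "router ospf 1"
 action 4.0 cli command "no shutdown"
 action 5.0 cli command "end"
 action 6.0 syslog msg "EEM: HSRP Active, OSPF process 1 enabled"
!
! When this router leaves the Active state (for example after its link fails),
! shut the OSPF process so the network stops routing through it.
event manager applet HSRP-LEFT-ACTIVE
 event syslog pattern "HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Active -> .*"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "router ospf 1"
 action 4.0 cli command "shutdown"
 action 5.0 cli command "end"
 action 6.0 syslog msg "EEM: HSRP no longer Active, OSPF process 1 shut down"
```

The registered applets can be confirmed with show event manager policy registered, and the effect with show ip ospf after a failover.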

Cisco licensing makes me crazy

I am getting sick of finding out what license I need for this and for that. I am working on an IP Telephony project using Cisco CUCM with a lot of its associated products, such as Unified Messaging, Contact Center….. The number of licenses… and also the types of licenses… are more than enough to make me crazy.

A Cisco representative told me that if I want to set up a SIP trunk on the CUCM, I need to get a license. However, I remember CUCM supports SIP trunks; you can actually set up a SIP trunk to another PBX/SIP server in the CUCM GUI. Oh… another Cisco representative told me that I need a license when I set up a SIP trunk on a gateway – a Border Element license….

Damn, after all the trouble…. I think it would be a lot easier to set up an Asterisk box to achieve what needs to be done….. Why does Cisco make this so hard?

CUCM and Cisco Unity Connection

I haven't touched Cisco VOICE products since 2008. The last time I used CUCM (it was called CCM) was in 2008, while Cisco Call Manager was still at version 4.3. Technology has changed a lot since then: Cisco has released CUCM 5, 6, 7 and 8, and by the end of 2012 they are releasing CUCM version 9.

I think it's time for me to catch up with the technology. I am not going to do the CCIE Voice; however, I have to at least make myself familiar with the CUCM product. Hence, I asked the company to get an NFR CUCM kit for me to play with.

I installed CUCM 8.6 and Cisco Unity Connection on VMware Fusion 4 (for Mac OS). It was a bit tricky when I tried to install Unity Connection, as it kept saying the hardware (VM setting) doesn't support it. If you are looking at setting up a Cisco Voice lab, I suggest using the following settings.

For CUCM 8.6:
– 1 core CPU
– 2 GB memory
– 76 GB of HDD

For Unity Connection:
– 2 core CPU
– 4 GB memory
– 200 GB of HDD
– 200 GB of HDD (you need 2 HDDs, otherwise you cannot install Unity Connection)

You can see the difference in the setup screen if you have a different hardware setting.