ASA 8.4(2) under OSX 10.8

One of my most popular blogs on Cisco Inferno is the ability to install and run an ASA firewall by Cisco on GNS3. Since then I have shifted to a Macbook Pro and want to run everything in OSX. I have been using GNS3 inside a Windows VM for a while, but that is a waste of resources and more. I have yearned, for lack of a better word, for a way to run everything natively in OSX. Today is the day I share with you how to do this. The requirements are as follows.

  • A working ASA 8.4 image – (extracted as per previous ASA post)
  • OSX 10.8 – (I’ve tested this but 10.7 may work)
  • QEMU 11.0 
  • GNS3 0.8.4RC2 

Download and install GNS3 from Sourceforge. This is the latest version from May. It updates the look, feel and, importantly, some behind-the-scenes features. This is rather straightforward.
Next it is time to download the modified QEMU 11.0. Install this self-extracting QEMU instance. It is pre-compiled and works with OSX 10.8. It has been patched to support JUNOS devices too.

Now set the path to QEMU as the value below.

/usr/local/bin/qemu-system-i386

Set your path to the Qemu-img to what is listed below.

/usr/local/bin/qemu-img

You have now directed GNS3 to the QEMU install you extracted previously; now test the settings. Your results should look like they do below.

Screen Shot 2013-05-12 at 5.09.25 PM

Now jump over to the ASA tab. This version of GNS3 has better support for QEMU instances and pre-populates fields. From the first drop-down menu, Preconfiguration, ensure ASA 8.4(2) is selected. I set my RAM to 1024. Note that the QEMU options and Kernel command line options are already filled in. Unlike previously, where you had to define them yourself, GNS3 now does this for you.

Screen Shot 2013-05-12 at 5.08.54 PM

Now time to select your ASA images.

Initrd

/Users/pandom_/Documents/GNS3/Images/asa842-initrd.gz

ASA Kernel

/Users/pandom_/Documents/GNS3/Images/asa842-vmlinuz

Voila. Now click save and close the preferences pane. From the side tab of devices, select Security Devices and drag an ASA firewall onto your canvas. Click the play button and watch it start up. You will have two QEMU windows open. These may appear as not responding, but whilst they are open your ASA runs. If you close them the ASA shuts down, so do not close them.

Screen Shot 2013-05-12 at 5.43.50 PM

Here it is. My final topology. Connect to them all via console (left of the play button) and enjoy the study.

You, Me and NAT 8.3

NAT on ASA 8.3 and higher

It is important to know that the change from 8.2 to 8.3 was massive. It divided ASA users to the point that some felt cheated or disheartened by Cisco’s actions. I admittedly picked it up rather quickly, though others who had been using the family for years had a tougher time. The biggest change is in the syntax: ASA 8.3 and higher use object-oriented configuration, which overcomes several 8.2 caveats. The biggest bonus is the ability to scale firewall rule bases. Other changes include the keyword any in NAT statements, translations defined as objects, and ACL, MPF and AAA features now matching the real (untranslated) address rather than the mapped one.

Order of Operations – 8.3 and higher ASA

  1. Manual NAT
  2. Auto NAT
  3. Manual NAT after Auto

It is important to understand that manual NAT rules are now evaluated top-down and first-match, much like an access-list, so place the most specific rules at the top and the least specific towards the bottom. Auto NAT rules are ordered by the ASA itself (static before dynamic, then by the number of real addresses, fewest first), so ordering only needs your attention in the two manual sections.

Configuring Auto NAT – 8.3 ASA

This new version of NAT is the easiest to configure. It also goes by the name of Object NAT, because the translation is defined under the network object it applies to. There are three types of auto NAT configuration.

  1. Static NAT – one-to-one translation for static hosts. Adds a permanent translation (xlate) entry, so connections can be initiated from either side.
  2. Dynamic NAT – maps real addresses onto a pool of mapped addresses on a first-come basis. When the pool is exhausted new connections fail unless a PAT fallback (for example the interface address) is also configured.
  3. Dynamic PAT – allows many real addresses to share one or more mapped addresses simultaneously, distinguished by port.

Auto NAT – Static NAT – 8.3 ASA

The configuration of Static NAT in the 8.3 software is very different but very scalable.

object network internal-mail
host 192.168.16.23
object network internal-mail-outside
host 203.66.23.84
object network internal-mail
nat (inside,any) static internal-mail-outside

Here we define two objects, internal-mail and internal-mail-outside, with their respective IP addresses. We then define under internal-mail the NAT we want to take place: the object the nat command sits under is the real address, and the object named in the nat command is the mapped (translated) address. The ASDM configuration window resides at Configuration > Firewall > Objects > Network Objects/Groups.

Auto NAT – Dynamic NAT – 8.3 ASA

Dynamic translations in 8.3 again use objects. A subnet is defined here, as opposed to the 1:1 mapping of addresses in static NAT.

object network 172.16.23.0_NET
subnet 172.16.23.0 255.255.255.0
nat (inside,outside) dynamic interface

The object we define in this part is an entire subnet. The subnet 172.16.23.0/24 is translated to the IP address of the outside interface. Because the interface keyword maps many hosts onto a single address, this is strictly dynamic PAT (the third type above) rather than pool-based dynamic NAT, and it is the form generally applied to an end-user subnet. The ASDM configuration window resides at Configuration > Firewall > Objects > Network Objects. Select Network Object from the dropdown. When filling out the information it is important to tick Add Automatic Address Translation Rules.

Manual NAT – 8.3 ASA

Manual NAT takes precedence over auto NAT in the translation table. Manual NAT can also be configured to be processed after auto NAT, which gives you a fall-back rule for traffic that no auto NAT rule matched. Manual NAT can translate both the source and the destination IP address of a packet in a single rule; this is known as Twice NAT.

object network 10.10.1.0_NET
subnet 10.10.1.0 255.255.255.0
object network 65.242.123.97_outside
host 65.242.123.97
object network 184.63.22.23_MAIL
host 184.63.22.23
nat (inside,outside) source dynamic 10.10.1.0_NET 65.242.123.97_outside destination static 184.63.22.23_MAIL 184.63.22.23_MAIL

So what is happening here? First, (inside,outside) says the rule applies to traffic from the inside interface to the outside interface. Source dynamic translates the source IP dynamically: 10.10.1.0_NET 65.242.123.97_outside translates source addresses in the object 10.10.1.0_NET to the global address defined by 65.242.123.97_outside (a whole subnet sharing one address, so this is PAT). Destination static takes two objects, the mapped destination first and the real destination second; naming 184.63.22.23_MAIL for both means the destination is used to match the rule but is not changed. The net effect is that only traffic from 10.10.1.0/24 to the mail server receives this source translation.

The ASDM configuration window resides at Configuration > Firewall > NAT Rules > and select the Add NAT Rule Before “Network Object” NAT dropdown.

Twice NAT – Source and Destination NAT

There are occasions where RFC 1918 addresses overlap. When they do Twice NAT has its place. Lower ranges in this address space are commonly used by all kinds of networks; Twice NAT can be configured to avoid this.

object network INSIDE-CUSTA-NET
subnet 192.168.1.0 255.255.255.0
object network 192.168.10.11_PAT
host 192.168.10.11
object network 192.168.11.0_NET
subnet 192.168.11.0 255.255.255.0
object network 192.168.1.0_NET
subnet 192.168.1.0 255.255.255.0
nat (inside,CUST_A) source dynamic INSIDE-CUSTA-NET 192.168.10.11_PAT destination static 192.168.11.0_NET 192.168.1.0_NET

After defining our objects we apply the NAT statement. Traffic flowing from the interface inside to CUST_A is now subject to both translations. The source is translated dynamically from INSIDE-CUSTA-NET to the single address in 192.168.10.11_PAT, so Customer A sees a source that does not collide with its own range. Destination static takes the mapped object first and the real object second: inside hosts address Customer A’s servers as 192.168.11.x, and the ASA rewrites that destination to the real 192.168.1.x, which is the same range as our own inside network. That is the overlap being solved, and it is why a separate object (192.168.1.0_NET) is used for Customer A’s side even though it holds the same subnet as INSIDE-CUSTA-NET. Return traffic for these connections is untranslated automatically.

The ASDM configuration window resides at Configuration > Firewall > NAT Rules > and select the Add NAT Rule Before “Network Object” NAT dropdown.

Manual NAT after Auto NAT – 8.3 ASA

This type of NAT catches traffic that did not match any more specific manual or auto NAT rule, so it acts as a catch-all at the end of the table.

nat (any,outside) after-auto 1 source dynamic 192.168.16.0_NET 203.86.14.0_NET_OUT

The biggest difference in this command is the after-auto keyword, which places the rule in the section processed after auto NAT; the 1 that follows it is the rule’s line number within that section. The ASDM configuration window resides at Configuration > Firewall > NAT Rules > and select the Add NAT Rule After “Network Object” NAT dropdown.

Directional NAT

Directional NAT controls which side may initiate a translated connection. A static translation is bidirectional by default: hosts behind the real address can initiate outbound, and hosts on the other side can initiate connections to the mapped address and reach the real host. Adding unidirectional keeps only the first half, so the mapped address no longer accepts inbound connections.

nat (inside,dmz14) source static MAIL-14-INT MAIL-14-EXT unidirectional

The keyword unidirectional is what allows this function to take place. The ASDM configuration window resides at Configuration > Firewall > NAT Rules > Edit NAT Rule.
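To make the order of operations and the mapped/real semantics of the sections above concrete, here is a small Python model of the rules in this post: it orders the three NAT sections the way the ASA does (Section 2 is sorted by the ASA itself), applies the first matching rule to a new connection, and handles the reverse direction for static rules, including the unidirectional keyword. This is an added illustration, not Cisco code or anything from the original post. Assumptions: 198.51.100.1 stands in for the outside interface address used by dynamic interface, 10.14.0.25 and 10.14.1.25 stand in for MAIL-14-INT and MAIL-14-EXT, and dynamic translation is simplified to the first address of the mapped pool rather than per-connection port allocation.

```python
"""Toy model of ASA 8.3+ NAT: three sections, first match, and what each object
in a twice NAT statement means. Added illustration, not Cisco code; the real ASA
has more tie-breakers and allocates PAT ports per connection. Assumed values:
198.51.100.1 as the outside interface address, 10.14.0.25/10.14.1.25 for MAIL-14."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    section: int            # 1 = manual, 2 = auto (object) NAT, 3 = manual after-auto
    src_if: str             # "any" matches every interface
    dst_if: str
    kind: str               # "static" (bidirectional by default) or "dynamic"
    real_src: str           # real source object, e.g. "192.168.1.0/24"
    mapped_src: str         # mapped source; a single host for PAT
    mapped_dst: Optional[str] = None   # twice NAT: address the inside host sends to
    real_dst: Optional[str] = None     # twice NAT: address it is rewritten to
    unidirectional: bool = False
    name: str = ""


def netmap(addr, from_net, to_net):
    """Static 1:1 mapping that keeps the host offset (ASA net-to-net behaviour)."""
    return ip_address(int(to_net.network_address) + int(addr) - int(from_net.network_address))


def first_usable(net):
    """Simplified dynamic allocation: first usable address of the mapped pool."""
    return net[1] if net.num_addresses > 2 else net[0]


def order_rules(rules):
    """Sections 1 and 3 keep configured order. The ASA orders Section 2 itself:
    static before dynamic, fewest real addresses, lowest address, object name."""
    def auto_key(r):
        net = ip_network(r.real_src)
        return (r.kind != "static", net.num_addresses, int(net.network_address), r.name)
    return ([r for r in rules if r.section == 1]
            + sorted((r for r in rules if r.section == 2), key=auto_key)
            + [r for r in rules if r.section == 3])


def _if_match(rule_if, pkt_if):
    return rule_if == "any" or rule_if == pkt_if


def translate(rules, src_if, dst_if, src, dst):
    """Return (new_src, new_dst, rule_name) for a new connection, or the packet
    unchanged with rule_name None when nothing matches."""
    src, dst = ip_address(src), ip_address(dst)
    for r in order_rules(rules):
        real_src, mapped_src = ip_network(r.real_src), ip_network(r.mapped_src)
        # Forward: connection initiated from the real side of the rule.
        if (_if_match(r.src_if, src_if) and _if_match(r.dst_if, dst_if) and src in real_src
                and (r.mapped_dst is None or dst in ip_network(r.mapped_dst))):
            new_src = netmap(src, real_src, mapped_src) if r.kind == "static" else first_usable(mapped_src)
            new_dst = dst
            if r.mapped_dst is not None:   # destination rewritten mapped -> real
                new_dst = netmap(dst, ip_network(r.mapped_dst), ip_network(r.real_dst))
            return str(new_src), str(new_dst), r.name
        # Reverse: only static rules accept connections to the mapped address,
        # and 'unidirectional' switches that off.
        if (r.kind == "static" and not r.unidirectional
                and _if_match(r.dst_if, src_if) and _if_match(r.src_if, dst_if)
                and dst in mapped_src
                and (r.real_dst is None or src in ip_network(r.real_dst))):
            new_dst = netmap(dst, mapped_src, real_src)
            new_src = src
            if r.real_dst is not None:     # source rewritten real -> mapped
                new_src = netmap(src, ip_network(r.real_dst), ip_network(r.mapped_dst))
            return str(new_src), str(new_dst), r.name
    return str(src), str(dst), None


# The rules from this post, in the order they appear.
RULES = [
    Rule(1, "inside", "CUST_A", "dynamic", "192.168.1.0/24", "192.168.10.11/32",
         mapped_dst="192.168.11.0/24", real_dst="192.168.1.0/24", name="twice-nat-custA"),
    Rule(1, "inside", "dmz14", "static", "10.14.0.25/32", "10.14.1.25/32",
         unidirectional=True, name="MAIL-14"),              # assumed addresses
    Rule(2, "inside", "outside", "dynamic", "172.16.23.0/24", "198.51.100.1/32",
         name="172.16.23.0_NET"),                          # 'dynamic interface'
    Rule(2, "inside", "any", "static", "192.168.16.23/32", "203.66.23.84/32",
         name="internal-mail"),
    Rule(3, "any", "outside", "dynamic", "192.168.16.0/24", "203.86.14.0/24",
         name="after-auto-1"),
]

if __name__ == "__main__":
    for flow in [
        ("inside", "outside", "192.168.16.23", "8.8.8.8"),     # auto NAT beats after-auto
        ("inside", "outside", "192.168.16.50", "8.8.8.8"),     # falls through to after-auto
        ("inside", "outside", "172.16.23.7", "8.8.8.8"),       # dynamic PAT to interface
        ("inside", "CUST_A", "192.168.1.5", "192.168.11.77"),  # twice NAT, overlapping nets
        ("outside", "inside", "8.8.8.8", "203.66.23.84"),      # static is bidirectional
        ("outside", "inside", "8.8.8.8", "203.86.14.1"),       # dynamic is not
        ("dmz14", "inside", "10.14.2.9", "10.14.1.25"),        # unidirectional blocks inbound
    ]:
        print(f"{flow[0]}->{flow[1]} {flow[2]} to {flow[3]}: {translate(RULES, *flow)}")
```

The two flows from 192.168.16.x show the order of operations: the mail server hits the Section 2 static rule even though the Section 3 after-auto rule also covers its subnet, while any other host in that subnet falls through to after-auto. The CUST_A flow shows why the first destination object is the one inside hosts send to and the second is what it becomes on the wire.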

NAT Caveats

It is important to know where NAT can be used and where NAT will cause headaches. The list below covers situations where NAT will cause you to have a bad day.

  • Embedded IP addressing (protocols that carry IP addresses inside their payload)
  • End-to-end encryption
  • Authenticated IP packets, where the integrity check covers fields NAT rewrites
    • IP headers
    • TCP headers
    • IPSEC
  • Migrating from 8.2: ACL, AAA and MPF configuration changes, because 8.2 referenced the post-NAT (mapped) IP while 8.3 and higher reference the real IP.