Cisco ASA policy based static destination NAT

April 24th, 2009

The Cisco documentation (for example this) explains how to do policy based source NATting on a Cisco ASA device. However, it doesn't explain how to do the same for policy based destination NAT. A colleague (hi, Kristof! :P) and I have been trying to get policy based static destination NATting working on an ASA.

First of all, policy or host-based static source NAT translates the source of a connection to another ip address when connecting to a specific host. This specific NATting is explained in the Cisco document.

For example, let's assume host 192.168.10.1 ('behind' the inside interface of the ASA) wants to connect to host 10.0.10.1 (on the dmz interface of the ASA) and we want the source (192.168.10.1) to be translated to 172.16.10.1, but only for this specific connection.

On the ASA, the following will do the trick:

asa(config)# access-list nat-me permit ip host 192.168.10.1 host 10.0.10.1
asa(config)# static (inside,dmz) 172.16.10.1 access-list nat-me

The real source IP address (192.168.10.1) is translated to 172.16.10.1 only if traffic is destined for 10.0.10.1. The same static entry will also change the destination address from 172.16.10.1 to 192.168.10.1 if traffic is sourced from host 10.0.10.1. So far so good.

Now suppose we again want to connect from 192.168.10.1 to 10.0.10.1, but, for the sake of argument, we cannot connect directly to 10.0.10.1 because of a company policy saying that we cannot use or see any 10.0.0.0/8 address on the inside network. We can use another address, namely 172.16.10.1. So we want 192.168.10.1 to connect to 172.16.10.1, which is translated on the ASA to the real ip address, 10.0.10.1 on the dmz interface. So instead of policy based source NATting, we are going to create a policy based destination NAT.

On the ASA, we have to configure the following:

asa(config)# access-list nat-me permit ip host 10.0.10.1 host 192.168.10.1
asa(config)# static (dmz,inside) 172.16.10.1 access-list nat-me

This will do 2 things:
1. If 192.168.10.1 makes an outbound connection to 172.16.10.1, the destination 172.16.10.1 will be NATted to 10.0.10.1.
2. All traffic arriving inbound on the dmz interface coming from 10.0.10.1 destined for 192.168.10.1, will be source NATted behind 172.16.10.1.

The syntax is a little weird, but it does seem to work :)

As an extra, if we do the following:

asa(config)# access-list nat-me permit ip host 10.0.10.1 host 192.168.10.1
asa(config)# static (dmz,inside) 172.16.10.1 access-list nat-me
asa(config)# access-list nat-me permit ip host 10.0.10.2 host 192.168.10.1
asa(config)# access-list nat-me permit ip host 10.0.10.3 host 192.168.10.1

The following will happen:
1. If 192.168.10.1 makes an outbound connection to 172.16.10.1, the destination 172.16.10.1 will be NATted to 10.0.10.1. It will never be NATted to 10.0.10.2 or 10.0.10.3 as far as we've been able to tell.
2. All traffic arriving inbound on the dmz interface coming from 10.0.10.1, 10.0.10.2 or 10.0.10.3 destined for 192.168.10.1, will be source NATted behind 172.16.10.1.
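To make the two effects of a policy static concrete, here is a small Python model of the behaviour described in both examples above (added here as an illustration; it is neither Cisco code nor the blog's own, and the `PolicyStatic` class, the `Packet` fields and the way the access-list is stored as (real host, peer host) pairs are all assumptions made for the model):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str  # source IP address
    dst: str  # destination IP address

@dataclass
class PolicyStatic:
    """Model of `static (REAL_IF,MAPPED_IF) MAPPED access-list ACL`.

    acl holds the permit entries in configured order as (real_host, peer_host):
    the real host lives behind real_if, the peer host behind mapped_if.
    """
    real_if: str
    mapped_if: str
    mapped: str
    acl: list

    def translate(self, pkt: Packet, ingress_if: str) -> Packet:
        if ingress_if == self.mapped_if and pkt.dst == self.mapped:
            # Peer connects to the mapped address: destination NAT to the
            # real host of the FIRST matching entry (the observed behaviour).
            for real, peer in self.acl:
                if pkt.src == peer:
                    return Packet(pkt.src, real)
        if ingress_if == self.real_if:
            # Real host talks to a peer listed for it: source NAT behind MAPPED.
            for real, peer in self.acl:
                if pkt.src == real and pkt.dst == peer:
                    return Packet(self.mapped, pkt.dst)
        return pkt  # no policy match: packet passes untranslated

# static (inside,dmz) 172.16.10.1 access-list nat-me  (policy SOURCE NAT)
SRC_NAT = PolicyStatic("inside", "dmz", "172.16.10.1",
                       [("192.168.10.1", "10.0.10.1")])

# static (dmz,inside) 172.16.10.1 access-list nat-me  (policy DESTINATION NAT,
# with the three access-list entries of the last example)
DST_NAT = PolicyStatic("dmz", "inside", "172.16.10.1",
                       [("10.0.10.1", "192.168.10.1"),
                        ("10.0.10.2", "192.168.10.1"),
                        ("10.0.10.3", "192.168.10.1")])

def outbound_to_mapped(static: PolicyStatic, src: str) -> Packet:
    """What the dmz host sees when `src` on the inside connects to 172.16.10.1."""
    return static.translate(Packet(src, "172.16.10.1"), "inside")

def inbound_from_dmz(static: PolicyStatic, src: str) -> Packet:
    """What the inside host sees when dmz host `src` connects to 192.168.10.1."""
    return static.translate(Packet(src, "192.168.10.1"), "dmz")
```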

Note: If you want to add multiple access-list rules (as in our last example), you'll have to add them after you've put in the static, otherwise you'll get an error when trying to add those extra access-list entries.

Have fun!

Laurens ASA, Cisco, NAT, Tips, Tricks

Cisco ASA undocumented regular expression.

April 24th, 2009

I’ve found an undocumented feature of the “grep” command and related regular expressions on the Cisco ASA that’s very useful.

For example, suppose you want to check the ASA configuration for all “http” and “ssh” statements which contain an ip address in the 10.1.12.0/24 and the 10.1.13.0/24 range.

You can then do "show running-config | grep ssh" and look through each entry, then again for http: "show running-config | grep http". Another possibility is to grep on a part of the ip address: "show running-config | grep 10.1.1", but this will also show routes and access-lists with this ip address.

If we expand this to include both, say, "ssh" and the ip address, we come to the following command: "show running-config | grep ssh.*10.1.1". This will show all lines with "ssh" and "10.1.1" in them. We still have to run 2 commands then (remember, one for "ssh" and one for "http").

What if we want to do this in only 1 command? This is where the undocumented feature kicks in. On unix/linux, there’s an egrep command which includes an alternation, “|”, and subexpression, “()”, regular expression. It turns out that both these special characters also work on the ASA even though they are not documented in the command reference!

If we put this all together, we can then do the following:

"show running-config | grep ^(ssh|https).*10.1.1" and the output will show both the "ssh" and "http" lines with 10.1.1 in them. The (ssh|http) expression just means that the line should include ssh OR http. Note that I also used a ^, which means as much as "each line beginning with the following characters". To make the above search expression even more correct, we can escape the dots with a backslash, "\".

The complete command becomes "show running-config | grep ^(ssh|https).*10\.1\.1" and reads: "Show me each line in the running configuration beginning with either ssh OR https and also containing 10.1.1 further in that line".
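The filter can be reproduced offline to see what each variant of the pattern selects, including why escaping the dots matters. This is an added Python example, not the ASA's own grep implementation; the running-config lines are constructed for the demonstration, and `asa_grep` is an assumed helper name. The alternation uses `http` because the constructed lines begin with `http`, matching the explanation above.

```python
import re

# Constructed sample of ASA running-config lines (not from a real device).
# The 10.101.1.0 line is a deliberate distractor: an UNescaped dot in
# "10.1.1" matches any character, so "10.101" satisfies it too.
RUNNING_CONFIG = [
    "ssh 10.1.12.0 255.255.255.0 inside",
    "ssh 10.1.13.5 255.255.255.255 inside",
    "ssh 10.101.1.0 255.255.255.0 management",
    "http 10.1.12.0 255.255.255.0 inside",
    "http server enable",
    "route outside 0.0.0.0 0.0.0.0 10.1.1.254 1",
    "access-list outside_in permit tcp any host 10.1.12.7 eq ssh",
]

def asa_grep(lines, pattern):
    """Emulate `show running-config | grep PATTERN` with egrep-style
    syntax: a line is kept if the pattern matches anywhere in it, and
    `^` anchors the match to the start of the line."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]

def compare_patterns(lines):
    """Return how many lines each pattern from the post selects, so the
    effect of the alternation and of the escaped dots can be compared."""
    return {
        "10.1.1": len(asa_grep(lines, r"10.1.1")),
        "ssh.*10.1.1": len(asa_grep(lines, r"ssh.*10.1.1")),
        "^(ssh|http).*10.1.1": len(asa_grep(lines, r"^(ssh|http).*10.1.1")),
        r"^(ssh|http).*10\.1\.1": len(asa_grep(lines, r"^(ssh|http).*10\.1\.1")),
    }

if __name__ == "__main__":
    for line in asa_grep(RUNNING_CONFIG, r"^(ssh|http).*10\.1\.1"):
        print(line)
```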

If you have any additional questions about regular expressions on the Cisco ASA, don’t hesitate to ask :) Have fun!

Laurens ASA, Cisco, Tips, Tricks

Building VServers on Slackware 12.0

March 19th, 2009

This is still very much a work in progress, so things might change. If you have suggestions or comments, they are more than welcome ;).

This will be a how-to on setting up minimal Slackware 12.0 VServer guests on a Slackware 12.0 host. I've been trying to find a decent guide on how to do this, but almost all documentation was either insufficient or heavily outdated. Even the Linux-VServer.org documentation is rather lacking in my opinion…
Before we start, you will need a kernel which has been patched to work with Linux-VServer and the util-vserver software. I’ve created a couple of simple scripts to aid in setting up minimal Slackware guests: http://www.cilinder.be/slackware/12.0/svs-0.1.tar.gz.

Laurens Slackware

Engineer vs. Manager

April 25th, 2008

A man in a hot air balloon realised he was lost. He reduced altitude and spotted a woman below. He descended a bit more and shouted, “Excuse me, can you help me? I promised a friend I would meet him an hour ago, but I don’t know where I am.”

The woman below replied, “You’re in a hot air balloon hovering approximately 30 feet above the ground. You’re between 40 and 41 degrees north latitude and between 59 and 60 degrees west longitude.”

“You must be an engineer,” said the balloonist.

“I am,” replied the woman, “How did you know?”

“Well,” answered the balloonist, “everything you told me is technically correct, but I’ve no idea what to make of your information, and the fact is I’m still lost. Frankly, you’ve not been much help at all. If anything, you’ve delayed my trip.”

The woman below responded, “You must be in Management.”

“I am,” replied the balloonist, “but how did you know?”

“Well,” said the woman, “you don’t know where you are or where you’re going. You have risen to where you are due to a large quantity of hot air. You made a promise, which you’ve no idea how to keep, and you expect people beneath you to solve your problems. The fact is you are in exactly the same position you were in before we met, but now, somehow, it’s my fault.”

Unfortunately, this is the way it usually is… :)

Laurens Fun, Quotes

How to bring misplaced off-screen windows back to your desktop

April 14th, 2008

I sometimes use a second monitor on my laptop. However, when I go back to using only one monitor, some programs don't return to the desktop: they appear off-screen. Since your mouse pointer doesn't go off-screen, it's difficult to move those windows back to your main screen. A simple way to do this is the following:
Use alt+tab to select the window you want to move, press alt+space, then m, then an arrow key, and then move your mouse, which now has the window attached to it, to your main screen.

Laurens Tips, Tricks, Windows

Blog setup

August 24th, 2007

If you’re wondering which blog platform and plugins are used here, wonder no more. I used Wordpress with the following plugins: K2 advanced template for Wordpress (customized not to show any version numbers on this site), Admin-SSL for securing login and admin pages with SSL and Spam Karma 2 to stop all forms of automated Blog spam effortlessly (hopefully :)).

Laurens Wordpress

Success ;-)

June 6th, 2007

Instead of manually editing pages, I’ve moved to a blog/CMS style website. Yes, I have a blog now… First post!

I’ll be gradually moving over all the old pages to here. The old site is still more or less accessible through http://www.cilinder.be/old_site2.

Laurens Wordpress