Friday, December 28, 2012

NAT on ASA 8.4 - Twice NAT depends on Destination

Twice NAT is the NAT type that lets you define a rule based on both source and destination information: when a host connects to destination X its source address is translated to A, but when the same host connects to destination Y its source address is translated to B.


Configuration:
Step 1: Create an object for the inside network:
ASA84# show run object
object network LAN
 subnet 192.168.1.0 255.255.255.0
Step 2: Add objects for the DMZ hosts. First I create an object for the FTP host called FTP-SERVER; it holds the real IP address of the FTP server:
ASA84# show run object
object network FTP-SERVER
 host 172.16.1.10
Step 3: Add an object for the mapped IP address. In this case I use 172.16.1.13 for the FTP server and name the object PAT1:
ASA84# show run object
object network PAT1
 host 172.16.1.13
Step 4: Configure the twice NAT rule that uses the PAT1 object:
ASA84# show run nat | grep PAT1
nat (inside,dmz) source dynamic LAN PAT1 destination static FTP-SERVER FTP-SERVER
In this command, I use dynamic NAT for the source address:
    - LAN: the real source address.
    - PAT1: the mapped source address.
    - destination: options for the destination address; because the destination address is not changed, the last two options are the same.
    - FTP-SERVER (1st): the mapped destination address.
    - FTP-SERVER (2nd): the real destination address.

Similar steps for SSH-SERVER:

Object for SSH server:
ASA84(config)# show run object
object network SSH-SERVER
 host 172.16.1.15
172.16.1.14 is the mapped address for SSH connections from the LAN:
ASA84(config)# show run object
object network PAT2
 host 172.16.1.14
NAT rule that uses PAT2:
ASA84(config)# show run nat | grep PAT2
nat (inside,dmz) source dynamic LAN PAT2 destination static SSH-SERVER SSH-SERVER
Verify the SSH connection:

Verify the FTP connection:
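The destination-dependent matching described in this post, as an added Python model that is not part of the original post and not Cisco code. It holds the post's network objects and its two twice NAT rules and returns, for a given source and destination, which rule matches and what the source is translated to. It assumes what ASA does for manual NAT rules, top-down evaluation with first match, and only models the (inside,dmz) interface pair; the function and table names are my own.

```python
import ipaddress

# Network objects from the post. Real hosts/subnets are networks; the two PAT
# objects are the single mapped addresses the source is translated to.
OBJECTS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "FTP-SERVER": ipaddress.ip_network("172.16.1.10/32"),
    "SSH-SERVER": ipaddress.ip_network("172.16.1.15/32"),
    "PAT1": ipaddress.ip_address("172.16.1.13"),
    "PAT2": ipaddress.ip_address("172.16.1.14"),
}

# The two twice NAT rules from the post, in configuration order. Field order
# mirrors the CLI: nat (ingress,egress) source dynamic REAL MAPPED
#                      destination static MAPPED REAL
TWICE_NAT = [
    ("inside", "dmz", "LAN", "PAT1", "FTP-SERVER", "FTP-SERVER"),
    ("inside", "dmz", "LAN", "PAT2", "SSH-SERVER", "SSH-SERVER"),
]


def translate(src, dst, ingress="inside", egress="dmz"):
    """Return (mapped_src, real_dst, rule_number) for the first matching rule,
    or None when no twice NAT rule applies to this (src, dst) pair.

    Assumption (hypothetical model, not the ASA's own code): rules are checked
    top-down and the first match wins, as ASA does for manual NAT rules."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for number, (ing, eg, s_real, s_map, d_map, d_real) in enumerate(TWICE_NAT, 1):
        if (ing, eg) != (ingress, egress):
            continue
        # Forward traffic is matched on the real source and the *mapped*
        # destination; the packet is then sent on to the real destination.
        if src not in OBJECTS[s_real] or dst not in OBJECTS[d_map]:
            continue
        offset = int(dst) - int(OBJECTS[d_map].network_address)
        real_dst = OBJECTS[d_real].network_address + offset
        return str(OBJECTS[s_map]), str(real_dst), number
    return None


if __name__ == "__main__":
    host = "192.168.1.2"
    for dst in ("172.16.1.10", "172.16.1.15", "172.16.1.20"):
        print(host, "->", dst, ":", translate(host, dst))
```

Running it shows the same LAN host leaving with 172.16.1.13 towards the FTP server and with 172.16.1.14 towards the SSH server, and no translation at all towards any other DMZ address, which is exactly the behaviour the two rules above are meant to give.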

Thursday, December 27, 2012

NAT on ASA 8.4 - Static NAT with port translation

Imagine you have a DMZ zone with multiple servers, each server runs one service, and you have only one public IP address. Now you want to share that IP address among all the services running in the DMZ. In this case you should use NAT rules that use the same address but different ports.
In the figure above, a single IP address is used to share two services running on two separate servers in the DMZ. The requirement is that an FTP connection to 113.22.14.3 is directed to the FTP server on 172.16.1.10, and an SSH connection to the same public address is redirected to the SSH server on 172.16.1.15.



Configuration:

Two objects for the servers in the DMZ zone:
ASA84(config)# show run object
object network SSH-SERVER
 host 172.16.1.15
object network FTP-SERVER
 host 172.16.1.10
NAT command for each object:
ASA84(config)# show run nat
!
object network SSH-SERVER
 nat (dmz,outside) static 113.22.14.3 service tcp ssh ssh
object network FTP-SERVER
 nat (dmz,outside) static 113.22.14.3 service tcp ftp ftp
Access list entries for each allowed connection:
ASA84(config)# show run access-li
access-list ALLOW-INTERNET-DMZ extended permit tcp any object SSH-SERVER eq ssh
access-list ALLOW-INTERNET-DMZ extended permit tcp any object FTP-SERVER eq ftp
Apply the access group to the interface:
ASA84(config)# show run access-group
access-group ALLOW-INTERNET-DMZ in interface outside
ASA84(config)#
Verifying:
SSH connection from the INTERNET host to 113.22.14.3:

FTP connection from the INTERNET host to 113.22.14.3:

You can see here: 227 Entering Passive Mode (172,16,1,10,288,222). Funny stuff, hah? ;-)
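The 227 reply quoted above advertises the FTP server's real DMZ address rather than the public address the client connected to. A defender would want to catch that from a control-channel capture, so here is an added Python check, not from the original post and not Cisco code, that parses RFC 959 passive-mode replies and flags any reply whose advertised address is not the mapped public address; a private address in the reply means the firewall forwarded the payload without rewriting the embedded address. The transcript lines in SAMPLE_LINES are constructed for the example, and the function names are my own.

```python
import ipaddress
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# where the six values are 8-bit numbers; the data port is p1*256 + p2.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(line):
    """Return (ip, port) from a 227 reply, or None if it is not well-formed."""
    m = PASV_RE.search(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):   # every field is one octet per RFC 959
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def classify_pasv(line, public_ip):
    """Compare the address a PASV reply advertises with the address the client
    actually connected to (the firewall's mapped address).

    Returns 'ok'       - reply advertises the public (mapped) address
            'leak'     - reply advertises a private address: the real server
                         address passed through the firewall unchanged
            'mismatch' - some other public address; still worth investigating
            'unparsed' - not a valid 227 reply"""
    parsed = parse_pasv(line)
    if parsed is None:
        return "unparsed"
    ip, _port = parsed
    if ip == public_ip:
        return "ok"
    if ipaddress.ip_address(ip).is_private:
        return "leak"
    return "mismatch"


def scan_control_channel(lines, public_ip):
    """Run classify_pasv over a captured FTP control-channel transcript and
    return (line, verdict) for every 227 reply seen."""
    return [(line, classify_pasv(line, public_ip))
            for line in lines if line.lstrip().startswith("227")]


# Constructed sample transcript (not a real capture): the first 227 reply
# advertises the server's real DMZ address, the second the mapped public one.
SAMPLE_LINES = [
    "220 FTP server ready",
    "230 Login successful.",
    "227 Entering Passive Mode (172,16,1,10,39,22)",
    "227 Entering Passive Mode (113,22,14,3,39,23)",
]

if __name__ == "__main__":
    for line, verdict in scan_control_channel(SAMPLE_LINES, "113.22.14.3"):
        print(f"{verdict:8s} {line}")
```

The parser is strict on purpose: a field above 255 is rejected rather than turned into an impossible port, so a malformed reply shows up as "unparsed" instead of being silently accepted.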

NAT on ASA 8.4 - Dynamic NAT

In the previous post, I talked about how to configure static NAT on ASA 8.4 to publish an inside server for access from the Internet. In this post, I'll show you how to configure NAT when you allow users in the LAN to access the Internet. I assume you have a range of public IP addresses. This type of NAT is called Dynamic NAT.

In detail:
- Internal subnet: 192.168.1.0/24
- Public address range: 113.22.14.20 - 113.22.14.30
- Security levels:
   + inside: 100
   + dmz: 50
   + outside: 0

Scenario:

The INSIDE host serves as the internal host, with IP address 192.168.1.2/24.

Step 1: Define two network objects, one for the LAN and one for the public IP address range:
ASA84(config)# show run object
object network PUBLIC-RANGE
 range 113.22.14.20 113.22.14.30
object network LAN-RANGE
 subnet 192.168.1.0 255.255.255.0
ASA84(config)#
Step 2: Configure NAT inside the LAN-RANGE object, using the dynamic keyword:
ASA84(config)# show run nat
!
object network LAN-RANGE
 nat (inside,outside) dynamic PUBLIC-RANGE

Here, PUBLIC-RANGE is the predefined object that supplies the mapped addresses for LAN-RANGE.

Step 3: Create an access list and apply it to the relevant interface.
ASA84(config)# SHOW RUN ACCESS-List
access-list ALLOW-LAN-INTERNET extended permit tcp object LAN-RANGE any
access-list ALLOW-LAN-INTERNET extended deny tcp any any log
ASA84(config)#
Test connections from the INSIDE host.

As you can see here, the host from the inside zone is using 113.22.14.27, an address in the configured range.
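The pool behaviour behind the dynamic rule above, as an added Python model that is not part of the original post and not Cisco code. It hands each inside host one address from 113.22.14.20-30 for as long as its translation exists, reuses that translation for the host's later connections, and raises an error when the pool runs out, which is the failure mode a practitioner should plan for when the rule has no PAT fallback. The model hands out addresses lowest-first purely for readability; the ASA's own allocator does not choose sequentially (the post's host received 113.22.14.27). Class and method names are my own.

```python
import ipaddress


class PoolExhausted(Exception):
    """Raised when a new inside host needs a mapped address but none is free."""


class DynamicNatPool:
    """Hypothetical model (not Cisco code) of
        object network LAN-RANGE
         nat (inside,outside) dynamic PUBLIC-RANGE
    with no PAT fallback: every inside host gets one mapped address from the
    pool for as long as its translation (xlate) exists; once every address is
    in use, further hosts cannot be translated until an xlate is released."""

    def __init__(self, first, last, real_subnet):
        first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
        # Free addresses, handed out lowest-first in this model only.
        self.free = [ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)]
        self.real = ipaddress.ip_network(real_subnet)
        self.xlate = {}  # real address -> mapped address

    def translate(self, src):
        """Return the mapped address for src, or None if the rule does not apply."""
        src = ipaddress.ip_address(src)
        if src not in self.real:
            return None
        if src in self.xlate:            # an existing xlate is reused
            return str(self.xlate[src])
        if not self.free:
            raise PoolExhausted(f"no free address in pool for {src}")
        mapped = self.free.pop(0)
        self.xlate[src] = mapped
        return str(mapped)

    def release(self, src):
        """Tear down an xlate (what the xlate timeout does on the firewall)."""
        mapped = self.xlate.pop(ipaddress.ip_address(src), None)
        if mapped is not None:
            self.free.append(mapped)

    def free_count(self):
        return len(self.free)


def simulate(pool, hosts):
    """Translate each host in turn; return a dict host -> mapped address or 'EXHAUSTED'."""
    result = {}
    for host in hosts:
        try:
            result[host] = pool.translate(host)
        except PoolExhausted:
            result[host] = "EXHAUSTED"
    return result


if __name__ == "__main__":
    pool = DynamicNatPool("113.22.14.20", "113.22.14.30", "192.168.1.0/24")
    # Twelve inside hosts against an eleven-address pool: the last one fails.
    for host, mapped in simulate(pool, [f"192.168.1.{n}" for n in range(2, 14)]).items():
        print(host, "->", mapped)
```

The twelfth host is the point of the example: with eleven public addresses and no PAT fallback, the firewall has nothing left to give, and the connection is dropped rather than translated.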

Wednesday, December 26, 2012

NAT on ASA 8.4 - Static NAT

When you want to publish an inside server to the Internet and only one public address is provided, you should use static NAT on the ASA for the one-to-one mapping. This guide helps you configure static NAT on ASA 8.4.

In detail:
- Inside server: running the sshd service (DMZ2 host) on port 22. IP address: 172.16.1.15
- Public IP address provided: 113.22.14.3
- Security levels:
     + inside: 100
     + dmz: 50
     + outside: 0

Scenario:

Step 1: Define a network object that contains the SSH server:
ASA84(config)# show run object
object network SSH-SERVER
 host 172.16.1.15
Step 2: Configure NAT inside the created object:
ASA84(config)# show run nat
!
object network SSH-SERVER
 nat (dmz,outside) static 113.22.14.3
ASA84(config)#
Note: the NAT rule is created inside the network object, so you have to enter that object again and add the nat command there. In the nat command above, dmz is the source zone/interface of the SSH server and outside is the destination zone. It means that packets arriving from the dmz zone and going to outside will have their source address translated to 113.22.14.3.

Done! You've just finished configuring the NAT rule on the ASA. To really make it work, the next step is to create an access list that allows connections from the Internet into the dmz zone.

Step 3: Create an access list for incoming connections from the Internet:
ASA84(config)# show run access-list
access-list ALLOW-SSH extended permit tcp any host 172.16.1.15 eq ssh
To limit the allowed connections, I permit only SSH connections to the server by using the "eq ssh" keyword.

Step 4: Apply the access list to the interface. I apply it in the inbound direction on the outside interface:
ASA84(config)# show run access-group
access-group ALLOW-SSH in interface outside


Verify the configuration:

Make a connection from the Internet host to 113.22.14.3.
You can see here that the DMZ-SSH server has two connections, one of them from 113.22.14.2 (the Internet host).
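The access list in Step 3 permits traffic to the real address 172.16.1.15 even though Internet hosts connect to 113.22.14.3. That is the ASA 8.3+ order of operations: the destination is untranslated first, and the interface ACL is then evaluated against the real address. Below is an added Python model, not from the original post and not Cisco code, that walks an inbound packet through that sequence and contrasts the post's real-address ACL with the same intent written against the mapped address, which silently never matches on 8.3 and later. Internet source 113.22.14.2 is taken from the verification above; the helper names and the packet cases are my own.

```python
import ipaddress

# Static object NAT from the post: (real_interface, mapped_interface, real, mapped).
STATIC_NAT = [("dmz", "outside", "172.16.1.15", "113.22.14.3")]


def untranslate_destination(dst, ingress="outside"):
    """For a packet arriving on `ingress`, return the real destination address.
    Hypothetical model of the ASA 8.3+ order of operations: NAT untranslation of
    the destination happens before the interface access list is evaluated."""
    for real_if, mapped_if, real, mapped in STATIC_NAT:
        if ingress == mapped_if and dst == mapped:
            return real
    return dst


def ace(action, proto, src, dst, dport=None):
    """One access-list entry; src/dst are 'any', a host address or a CIDR."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def _match_addr(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate_acl(acl, proto, src, dst, dport):
    """First matching entry wins; an implicit deny closes every ASA access list."""
    for entry in acl:
        if (entry["proto"] in (proto, "ip")
                and _match_addr(src, entry["src"])
                and _match_addr(dst, entry["dst"])
                and entry["dport"] in (None, dport)):
            return entry["action"]
    return "deny"


def inbound_decision(acl, src, dst, dport, proto="tcp"):
    """Decision for a packet entering the outside interface: untranslate first,
    then evaluate the ACL against the real destination. Returns (action, real_dst)."""
    real_dst = untranslate_destination(dst, ingress="outside")
    return evaluate_acl(acl, proto, src, real_dst, dport), real_dst


# The post's ACL, written against the real address (correct on 8.3 and later).
ACL_REAL = [ace("permit", "tcp", "any", "172.16.1.15", 22)]
# The same intent written against the mapped address, pre-8.3 style: it never
# matches on 8.3+, because the ACL is evaluated on the untranslated destination.
ACL_MAPPED = [ace("permit", "tcp", "any", "113.22.14.3", 22)]

if __name__ == "__main__":
    internet_host = "113.22.14.2"
    for name, acl in (("real-IP ACL", ACL_REAL), ("mapped-IP ACL", ACL_MAPPED)):
        for port in (22, 80):
            print(name, port, inbound_decision(acl, internet_host, "113.22.14.3", port))
```

The useful failure to notice is the mapped-address ACL: the NAT rule is fine, the access-group is applied, and yet every SSH attempt is dropped by the implicit deny, which is the classic symptom when a pre-8.3 access list is carried over unchanged.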