Showing posts with label Dynamic NAT. Show all posts

Friday, December 28, 2012

NAT on ASA 8.4 - Twice NAT depends on Destination

Twice NAT is the type of NAT that lets you write a rule based on both source and destination information. When a host connects to destination X, its source address is translated to A, but when it connects to destination Y the source address is translated to B.


Configuration:
Step 1: Create an object for the inside network
ASA84# show run object
object network LAN
 subnet 192.168.1.0 255.255.255.0
Step 2: Add an object for each DMZ host. First, create an object for the FTP host called FTP-SERVER; this holds the real IP address of the FTP server.
ASA84# show run object
object network FTP-SERVER
 host 172.16.1.10
Step 3: Add an object for the mapped IP address. In this case I use 172.16.1.13 for the FTP server and name the object PAT1.
ASA84# show run object
object network PAT1
 host 172.16.1.13
Step 4: Configure the NAT rule that references the PAT1 object
ASA84# show run nat | grep PAT1
nat (inside,dmz) source dynamic LAN PAT1 destination static FTP-SERVER FTP-SERVER
In this command, the source address is translated with dynamic NAT:
    - LAN: the real source address.
    - PAT1: the mapped source address.
    - destination: the options for the destination address; because the destination address is not changed, the last two arguments are the same object.
    - FTP-SERVER (1st): the mapped destination address.
    - FTP-SERVER (2nd): the real destination address.

The same steps apply to the SSH server:

Object for the SSH server:
ASA84(config)# show run object
object network SSH-SERVER
 host 172.16.1.15
172.16.1.14 is the mapped address for SSH connections from the LAN:
ASA84(config)# show run object
object network PAT2
 host 172.16.1.14
NAT rule that references the PAT2 object:
ASA84(config)# show run nat | grep PAT2
nat (inside,dmz) source dynamic LAN PAT2 destination static SSH-SERVER SSH-SERVER
Verify the SSH connection:


Verify the FTP connection:

Thursday, December 27, 2012

NAT on ASA 8.4 - Dynamic NAT

In the previous post, I talked about how to configure static NAT on ASA 8.4 to publish an inside server so it can be accessed from the Internet. In this post, I'll show how to configure NAT so that users in the LAN can access the Internet, assuming you have a range of public IP addresses. This type of NAT is called dynamic NAT.

In detail:
- Internal subnet: 192.168.1.0/24
- Public address range: 113.22.14.20 - 113.22.14.30
- Security levels:
   + inside: 100
   + dmz: 50
   + outside: 0

Scenario: 


The INSIDE host will serve as an internal host with IP address 192.168.1.2/24.

Step 1: Define network objects, one for the LAN and one for the public IP addresses
ASA84(config)# show run object
object network PUBLIC-RANGE
 range 113.22.14.20 113.22.14.30
object network LAN-RANGE
 subnet 192.168.1.0 255.255.255.0
ASA84(config)#
Step 2: Create the NAT rule on the LAN-RANGE object, using the dynamic keyword
ASA84(config)# show run nat
!
object network LAN-RANGE
 nat (inside,outside) dynamic PUBLIC-RANGE

Here, PUBLIC-RANGE is the predefined object that supplies the mapped addresses for LAN-RANGE.
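To make the rule order concrete, here is an added Python model (not the post's or Cisco's code) that parses the object and nat lines from this post and from the twice NAT post above, then reports which rule section translates a given flow: twice NAT rules (section 1) are checked first in configuration order, then object NAT (section 2). It hands out pool addresses sequentially so the output is repeatable, which is an assumption of this model; the ASA itself allocates any free address from the pool. The interface names come from the posts; the sample flows and the 203.0.113.9 destination are constructed.

```python
"""ASA 8.4 NAT rule lookup modelled on the object and nat lines quoted in these
two posts. Constructed example, not ASA code: twice NAT (section 1) is tried
first in configuration order, then object NAT (section 2). Pool addresses are
handed out sequentially here for determinism; the real ASA picks any free one.
"""
import ipaddress
import re

# Constructed: the object and nat lines from both posts, merged into one config.
CONFIG = """\
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network FTP-SERVER
 host 172.16.1.10
object network PAT1
 host 172.16.1.13
object network SSH-SERVER
 host 172.16.1.15
object network PAT2
 host 172.16.1.14
object network PUBLIC-RANGE
 range 113.22.14.20 113.22.14.30
object network LAN-RANGE
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic PUBLIC-RANGE
nat (inside,dmz) source dynamic LAN PAT1 destination static FTP-SERVER FTP-SERVER
nat (inside,dmz) source dynamic LAN PAT2 destination static SSH-SERVER SSH-SERVER
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
# twice NAT: nat (in,out) source dynamic REAL_SRC MAPPED_SRC destination static MAPPED_DST REAL_DST
TWICE_RE = re.compile(r"^nat \((\S+),(\S+)\) source dynamic (\S+) (\S+) destination static (\S+) (\S+)$")
# object NAT, indented under an object network: nat (in,out) dynamic POOL
OBJNAT_RE = re.compile(r"^ nat \((\S+),(\S+)\) dynamic (\S+)$")


def parse(config):
    """Return ({name: (first, last)}, [twice NAT tuples], [object NAT tuples])."""
    objects, twice, objnat, current = {}, [], [], None
    for line in config.splitlines():
        if not line.strip():
            continue
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif m := TWICE_RE.match(line):
            twice.append(m.groups())  # (in, out, real_src, mapped_src, mapped_dst, real_dst)
        elif m := OBJNAT_RE.match(line):
            objnat.append((m.group(1), m.group(2), current, m.group(3)))  # (in, out, real_src, pool)
        else:
            kw, *args = line.split()
            if kw == "subnet":
                net = ipaddress.IPv4Network(f"{args[0]}/{args[1]}")
                objects[current] = (net.network_address, net.broadcast_address)
            elif kw == "host":
                objects[current] = (ipaddress.IPv4Address(args[0]),) * 2
            elif kw == "range":
                objects[current] = tuple(map(ipaddress.IPv4Address, args))
            else:
                raise ValueError(f"unsupported line: {line!r}")
    return objects, twice, objnat


class NatTable:
    def __init__(self, config):
        self.objects, self.twice, self.objnat = parse(config)
        self._cursor = {}  # per-pool position for the sequential hand-out (model assumption)

    def _contains(self, name, ip):
        first, last = self.objects[name]
        return first <= ip <= last

    def _next_from_pool(self, name):
        first, last = self.objects[name]
        i = self._cursor.get(name, 0)
        self._cursor[name] = (i + 1) % (int(last) - int(first) + 1)
        return ipaddress.IPv4Address(int(first) + i)

    def translate(self, ingress, egress, src, dst):
        """Section used and translated (src, dst) for a new flow from ingress to egress."""
        src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for ifin, ifout, real_src, mapped_src, mapped_dst, real_dst in self.twice:  # section 1
            if ((ifin, ifout) == (ingress, egress) and self._contains(real_src, src)
                    and self._contains(mapped_dst, dst)):
                # destination static: keep the host's offset within the object
                offset = int(dst) - int(self.objects[mapped_dst][0])
                new_dst = ipaddress.IPv4Address(int(self.objects[real_dst][0]) + offset)
                return {"section": "twice NAT", "src": str(self._next_from_pool(mapped_src)), "dst": str(new_dst)}
        for ifin, ifout, real_src, pool in self.objnat:  # section 2
            if (ifin, ifout) == (ingress, egress) and self._contains(real_src, src):
                return {"section": "object NAT", "src": str(self._next_from_pool(pool)), "dst": str(dst)}
        return {"section": None, "src": str(src), "dst": str(dst)}  # no rule: passes untranslated


if __name__ == "__main__":
    table = NatTable(CONFIG)
    for flow in [("inside", "dmz", "192.168.1.2", "172.16.1.10"),      # LAN -> FTP server
                 ("inside", "dmz", "192.168.1.2", "172.16.1.15"),      # LAN -> SSH server
                 ("inside", "outside", "192.168.1.2", "203.0.113.9"),  # LAN -> Internet
                 ("inside", "outside", "192.168.1.3", "203.0.113.9")]:
        print(flow, "->", table.translate(*flow))
```

Running it shows the two behaviours the posts describe: the same inside host leaves as 172.16.1.13 toward the FTP server and as 172.16.1.14 toward the SSH server, while toward the Internet it is given an address from PUBLIC-RANGE. A flow toward the dmz that matches no twice NAT rule falls through untranslated, because the object NAT rule is bound to the (inside,outside) interface pair only.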

Step 3: Create an access list and apply it to the relevant interface.
ASA84(config)# show run access-list
access-list ALLOW-LAN-INTERNET extended permit tcp object LAN-RANGE any
access-list ALLOW-LAN-INTERNET extended deny tcp any any log
ASA84(config)#
Test connections from the INSIDE host.

As you can see here, the host in the inside zone is using 113.22.14.27, an address from the configured range.
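As an added example (not from the post), the following Python evaluates the ALLOW-LAN-INTERNET list above against constructed sample flows. It assumes the list is applied inbound on the inside interface with access-group, which the post's output does not show, and reproduces two ASA behaviours worth keeping in mind: ACEs are matched top to bottom with the first match winning, and every ACL ends with an implicit deny that is not logged. As written, the list permits only TCP from LAN-RANGE, so a UDP flow such as DNS from the same host is dropped by the implicit deny without a log entry.

```python
"""Evaluate the ALLOW-LAN-INTERNET access list from the post against sample flows.

Constructed example, not ASA code. Assumes the list is bound inbound on the
inside interface. Models first-match semantics and the unlogged implicit deny
at the end of every ASA ACL.
"""
import ipaddress
import re
from typing import NamedTuple

# Object referenced by the ACL (from the post's 'object network LAN-RANGE').
OBJECTS = {"LAN-RANGE": ipaddress.IPv4Network("192.168.1.0/24")}

# The two ACEs exactly as shown in 'show run access-list'.
ACL = """
access-list ALLOW-LAN-INTERNET extended permit tcp object LAN-RANGE any
access-list ALLOW-LAN-INTERNET extended deny tcp any any log
"""

ACE_RE = re.compile(
    r"^access-list (\S+) extended (permit|deny) (\S+) "
    r"(any|object \S+|host \S+) (any|object \S+|host \S+)( log)?$"
)


class Flow(NamedTuple):
    proto: str
    src: str
    dst: str


def _matches(spec, ip):
    """Does an ACE address field ('any', 'object NAME', 'host A.B.C.D') cover ip?"""
    if spec == "any":
        return True
    kind, value = spec.split()
    if kind == "host":
        return ipaddress.IPv4Address(ip) == ipaddress.IPv4Address(value)
    return ipaddress.IPv4Address(ip) in OBJECTS[value]


def parse_acl(text):
    """Return a list of (name, action, proto, src_spec, dst_spec, logged) tuples."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        name, action, proto, src, dst, log = m.groups()
        aces.append((name, action, proto, src, dst, log is not None))
    return aces


def evaluate(aces, flow):
    """Return (action, logged) for a flow; first matching ACE wins."""
    for _name, action, proto, src, dst, log in aces:
        if proto in ("ip", flow.proto) and _matches(src, flow.src) and _matches(dst, flow.dst):
            return action, log
    return "deny", False  # implicit deny at the end of every ASA ACL; never logged


if __name__ == "__main__":
    aces = parse_acl(ACL)
    samples = [  # constructed flows; 203.0.113.0/24 is documentation space
        Flow("tcp", "192.168.1.2", "203.0.113.5"),   # LAN host browsing the Internet
        Flow("tcp", "10.9.9.9", "203.0.113.5"),      # a source outside LAN-RANGE
        Flow("udp", "192.168.1.2", "203.0.113.53"),  # DNS over UDP from the LAN
        Flow("icmp", "192.168.1.2", "203.0.113.5"),  # ping from the LAN
    ]
    for f in samples:
        print(f, "->", evaluate(aces, f))
```

The second flow is denied and logged by the explicit deny; the UDP and ICMP flows never match either ACE and are silently dropped by the implicit deny, which is why a LAN that needs DNS or ping through this firewall needs additional permit entries.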