Friday, February 17, 2017

Cisco ASA NAT

Cisco ASA NAT 8.3+


In Cisco ASA (8.3 and later), NAT is divided into 2 sections:
  • Network Object NAT (Auto NAT)   ----> configured under an object network
  • Twice NAT (Manual NAT)   ----> uses object network and object-group network
Static NAT :
Consider R1 as the internal server. We are going to redirect traffic from the internet hitting the public IP 110.110.10.2 to 172.16.2.1 for port 80.
This is done in 2 parts:
  • Do static NAT
  • Restrict the port using an ACL on the outside interface
Static NAT :
object network webserver
 host 172.16.10.2       --------------------------------> internal server IP
 nat (inside,outside) static 110.110.10.2 -------> public IP
You can now restrict traffic to the inside server with an ACL applied to the outside interface, permitting only the port you want exposed (tcp/80 here).
Note : The outside interface IP of the firewall cannot be used for a one-to-one static NAT; instead use a free IP in the same subnet as the public (outside) IP. Static PAT to the interface IP is a different case and is shown below.
Static PAT ( Port Address Translation)
In this scenario assume an inside web server (172.16.20.2) that listens on port 80 should receive all traffic hitting port 444 of the firewall IP 110.110.10.3.
object network server-1
 host 172.16.20.2
 nat (dmz,outside) static 110.110.10.3 service tcp 80 444 -------> 80 = real port, 444 = mapped port
The same can be achieved using the firewall's outside interface IP:
object network server-1
 host 172.16.20.2
 nat (dmz,outside) static interface service tcp 80 444 -------> 80 = real port, 444 = mapped port
Dynamic PAT
Here all hosts in the inside network use the ASA's outside interface IP as their source address when going outside.
object network inside-hosts
 subnet 172.16.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
If a static NAT rule exists for a specific host, that rule takes priority and is used to translate that host: within object NAT the ASA evaluates static rules before dynamic ones.
Dynamic NAT
Here, instead of the outside interface IP, a specific pool of addresses is used for the translation.
object network IP-POOL
 range 110.110.10.2 110.110.10.4
object network inside-hosts
 subnet 172.16.10.0 255.255.255.0
 nat (inside,outside) dynamic IP-POOL
Dynamic NAT is one-to-one: with the 3-address pool above only 3 inside hosts can be translated at the same time, and further connections fail once the pool is exhausted.
Twice NAT (Manual NAT)
Twice NAT has the higher precedence: the ASA evaluates twice NAT rules (section 1 of the NAT table) before any of the object NAT rules above.
In manual NAT we can use both object network and object-group network.
The general form is (1 is the position of the rule within the section):
nat (inside,outside) 1 source static <orig-src> <nated-src> destination static <orig-dst> <nated-dst>
  • first object after source = original source
  • second object after source = NATed source
  • first object after destination = original destination (as seen in the packet sent by the source)
  • second object after destination = NATed destination
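Added example (not from the original post): a small Python model of how the ASA orders the object NAT rules shown above (section 2 of the NAT table: static rules before dynamic, then fewer real addresses first), which is why a host with its own static rule is never caught by the dynamic PAT rule. It assumes the objects from this post with lower-case interface names; twice NAT rules would sit in section 1 and be checked before all of these.

```python
import ipaddress
import re

# Constructed input: the object NAT snippets from this post (lower-case interface names, objects deliberately out of order).
CONFIG = """\
object network inside-hosts
 subnet 172.16.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network webserver
 host 172.16.10.2
 nat (inside,outside) static 110.110.10.2
object network server-1
 host 172.16.20.2
 nat (dmz,outside) static 110.110.10.3 service tcp 80 444
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) (static|dynamic) (\S+)")

def parse_object_nat(cfg):
    """One rule dict per object network that carries a nat line."""
    rules, cur = [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            cur = {"name": line.split()[2]}
        elif line.startswith("host "):
            cur["first"] = cur["last"] = int(ipaddress.ip_address(line.split()[1]))
        elif line.startswith("subnet "):
            net = ipaddress.ip_network("/".join(line.split()[1:]))
            cur["first"], cur["last"] = int(net[0]), int(net[-1])
        elif (m := NAT_RE.match(line)):
            cur.update(real_ifc=m[1], mapped_ifc=m[2], kind=m[3], mapped=m[4])
            rules.append(cur)
    return rules

def asa_order(rules):
    """Section 2 order: static before dynamic, then fewer real IPs, lower first IP, then name."""
    return sorted(rules, key=lambda r: (r["kind"] != "static", r["last"] - r["first"],
                                        r["first"], r["name"]))

def lookup(rules, src_ip, real_ifc):
    """First rule in ASA order whose real interface and real address range contain src_ip."""
    ip = int(ipaddress.ip_address(src_ip))
    for r in asa_order(rules):
        if r["real_ifc"] == real_ifc and r["first"] <= ip <= r["last"]:
            return r["name"], r["kind"], r["mapped"]
    return None

if __name__ == "__main__":
    print(lookup(parse_object_nat(CONFIG), "172.16.10.2", "inside"))  # the static rule wins
```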

Thursday, January 5, 2017

Cisco Anyconnect VPN Configuration

Any Connect VPN :

ASA Details
Interface          Name      IP address      Subnet mask
GigabitEthernet0   outside   110.110.10.1    255.255.255.0
GigabitEthernet1   inside    192.168.22.10   255.255.255.0
Note : This configuration is based on a lab setup.
Outside PC
IP address 110.110.10.24
Create network objects for the inside and AnyConnect address ranges:
object network inside-net
 subnet 192.168.22.0 255.255.255.0
object network anyconnect-net
 subnet 10.0.0.0 255.255.255.0
Using the objects above, define a twice NAT (manual NAT) rule that exempts traffic from NAT when it goes from the inside network to the AnyConnect clients. Without this rule the ASA would apply its normal NAT to traffic from the inside network towards the AnyConnect host.
nat (inside,outside) source static inside-net inside-net destination static anyconnect-net anyconnect-net no-proxy-arp route-lookup
Create an access list for split tunneling:
access-list anyconnect-acl standard permit 192.168.22.0 255.255.255.0
This access list is used for split tunneling: traffic destined for the 192.168.22.0 network is sent through the tunnel, and everything else goes out the client's regular local network interface (NIC).
You can also use an extended ACL whose destination is 'any'.
Create a local IP pool:
ip local pool anyconnect-pool 10.0.0.1-10.0.0.10 mask 255.255.255.0
When an AnyConnect host connects to the VPN it receives an address from this pool. Do not use the inside network range for the pool. Also make sure the pool range lies within the subnet defined earlier for the AnyConnect network object (here anyconnect-net); otherwise the twice NAT exemption will not match traffic going from the inside network to the AnyConnect host.
Define a group policy :
group-policy anyconnect-policy internal
group-policy anyconnect-policy attributes
 vpn-tunnel-protocol ssl-client ssl-clientless -------> defines the type(s) of VPN allowed
 split-tunnel-policy tunnelspecified -------> tells the ASA that only the networks listed for split tunneling are tunneled
 split-tunnel-network-list value anyconnect-acl -------> the split-tunnel networks come from the ACL created earlier

Define a tunnel group :
tunnel-group anyconnect-grp type remote-access
tunnel-group anyconnect-grp general-attributes
 address-pool anyconnect-pool -------> the pool created earlier
 default-group-policy anyconnect-policy -------> associates the policy created earlier with this tunnel group
tunnel-group anyconnect-grp webvpn-attributes
 group-alias STAFF enable -------> the name users pick in the client's group drop-down
Define the WebVPN setup :
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1 -------> this image pkg should be the same one installed on the PC
 anyconnect enable
 tunnel-group-list enable -------> enables the group selection drop-down in the client
Note : It's important to specify the installer pkg; otherwise the ASA gives the message ‘Anyconnect not enables in server’ even though we have enabled it.
Define a local user :
username joe attributes
 group-lock value anyconnect-grp -------> this user may only connect through the anyconnect-grp tunnel group
 service-type remote-access
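Added example (not from the original post): a Python check that the AnyConnect pieces above agree with each other, which is the condition the pool paragraph describes. The pool must lie inside the object used as destination in the identity twice NAT rule, must not overlap the exempted inside subnet, and the split-tunnel ACL must cover the inside subnet. It assumes the config lines from this post with the interface name spelled inside; the regexes only handle the line shapes used here.

```python
import ipaddress
import re

# Constructed input: the lines from this post that must agree with each other,
# with the inside interface name spelled "inside".
CONFIG = """\
object network inside-net
 subnet 192.168.22.0 255.255.255.0
object network anyconnect-net
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source static inside-net inside-net destination static anyconnect-net anyconnect-net no-proxy-arp route-lookup
access-list anyconnect-acl standard permit 192.168.22.0 255.255.255.0
ip local pool anyconnect-pool 10.0.0.1-10.0.0.10 mask 255.255.255.0
"""

POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+) mask")
NAT_RE = re.compile(r"nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")
ACL_RE = re.compile(r"access-list \S+ standard permit (\S+) (\S+)")

def check_anyconnect(cfg):
    """Return a list of findings; an empty list means the pieces agree."""
    subnets, pools, exempt, acl_nets, cur = {}, {}, [], [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            cur = line.split()[2]
        elif line.startswith("subnet ") and cur:
            subnets[cur] = ipaddress.ip_network("/".join(line.split()[1:]))
        elif (m := POOL_RE.match(line)):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif (m := NAT_RE.match(line)):
            exempt.append(m.groups())
        elif (m := ACL_RE.match(line)):
            acl_nets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
    # identity rules: each object is translated to itself (NAT exemption)
    identity = [(s, d) for s, s2, d, d2 in exempt if s == s2 and d == d2]
    findings = []
    for name, (first, last) in pools.items():
        if not any(first in subnets[d] and last in subnets[d] for _, d in identity):
            findings.append(f"pool {name}: no NAT-exemption destination object covers it")
        for s, _ in identity:
            if first in subnets[s] or last in subnets[s]:
                findings.append(f"pool {name}: overlaps the exempted inside object {s}")
    for s, _ in identity:
        if not any(subnets[s].subnet_of(n) for n in acl_nets):
            findings.append(f"split-tunnel ACL does not cover {s}")
    return findings

if __name__ == "__main__":
    print(check_anyconnect(CONFIG))  # [] when the config is consistent
```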