Friday, February 17, 2017

Cisco ASA NAT

Cisco ASA NAT 8.3+


In Cisco ASA (8.3 and later), NAT configuration is divided into 2 types:
  • Network Object NAT ( Auto NAT)   ----> configured inside an object network
  • Twice NAT ( Manual NAT)   ----> uses object network and object-group network
Static NAT :
Consider R1 as an internal server. We are going to redirect traffic from the Internet hitting the public IP 110.110.10.2 to the internal server 172.16.10.2 for port 80.
This is done in 2 parts
  • Configure the static NAT
  • Restrict the allowed ports with an ACL applied inbound on the outside interface
Static NAT :
object network webserver
 host 172.16.10.2                         --------> internal (real) server IP
 nat (inside,outside) static 110.110.10.2 -------> public (mapped) IP
On its own this static NAT exposes every port of the server; you can now restrict traffic to the inside server using an ACL on the outside interface. In ASA 8.3+ that ACL is written against the real IP (172.16.10.2), not the mapped public IP.
Note : The outside interface's own IP cannot be used as the mapped address of a one-to-one static NAT; use a spare IP in the same subnet as the outside interface. The interface IP can be used for static PAT and dynamic PAT with the "interface" keyword.
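Both steps together, as an added example that is not part of the original post (the interface names inside/outside, the ACL name OUTSIDE_IN and the test client address 198.51.100.10 are assumed):

```cisco
! Added example, not from the original post. Assumed: nameif inside/outside,
! ACL name OUTSIDE_IN, test client 198.51.100.10.
!
! Step 1: one-to-one static NAT, configured inside the network object (Auto NAT).
object network webserver
 host 172.16.10.2
 nat (inside,outside) static 110.110.10.2
!
! Step 2: only allow TCP/80 to the server. In 8.3+ the ACL matches the REAL
! address (the object's host 172.16.10.2), never the mapped 110.110.10.2.
access-list OUTSIDE_IN extended permit tcp any object webserver eq 80
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Checks: confirm the rule is listed under Section 2 (Auto NAT), then trace a
! packet. The trace must show an UN-NAT phase before the ACCESS-LIST phase,
! and the final action must be allow for port 80 and drop for any other port.
show nat detail
packet-tracer input outside tcp 198.51.100.10 40000 110.110.10.2 80
packet-tracer input outside tcp 198.51.100.10 40000 110.110.10.2 22
```

The explicit deny with "log" at the end is there so that probes against the other ports of 110.110.10.2 show up in syslog instead of being dropped silently by the implicit deny.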
Static PAT ( Port Address Translation)
In this scenario let's assume a web server on the dmz interface (172.16.20.2), listening on port 80, should receive all traffic hitting port 444 of the public IP 110.110.10.3.
object network server-1
 host 172.16.20.2
 nat (dmz,outside) static 110.110.10.3 service tcp 80 444
In "service tcp 80 444" the first port (80) is the real port on the server and the second port (444) is the mapped port seen from outside.
The same can be achieved using the firewall's outside interface IP :
object network server-1
 host 172.16.20.2
 nat (dmz,outside) static interface service tcp 80 444
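As an added example (not from the original post), two DMZ servers share the single public address 110.110.10.3 on different mapped ports. The second server 172.16.20.3, the mapped port 2222 and the ACL name OUTSIDE_IN are assumed:

```cisco
! Added example, not from the original post. Assumed: nameif dmz/outside,
! second server 172.16.20.3, mapped SSH port 2222, ACL name OUTSIDE_IN.
object network server-1
 host 172.16.20.2
 nat (dmz,outside) static 110.110.10.3 service tcp 80 444
object network server-2
 host 172.16.20.3
 nat (dmz,outside) static 110.110.10.3 service tcp 22 2222
!
! Several static PAT rules may share one mapped IP as long as the mapped
! ports differ. The inbound ACL is evaluated after un-NAT, so it names the
! REAL host and REAL port (22), not the mapped port (2222).
access-list OUTSIDE_IN extended permit tcp any object server-1 eq 80
access-list OUTSIDE_IN extended permit tcp any object server-2 eq 22
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Checks: a connection to the mapped port should pass, one to the real port
! on the public IP should be dropped because no static PAT rule maps 22.
packet-tracer input outside tcp 198.51.100.10 40000 110.110.10.3 2222
packet-tracer input outside tcp 198.51.100.10 40000 110.110.10.3 22
```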
Dynamic PAT
Here all hosts on the inside network use the ASA's outside interface IP as source address when going to the outside.
object network inside-hosts
 subnet 172.16.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
If a static NAT exists for a specific host, it takes priority: within Auto NAT, static rules are evaluated before dynamic rules, and objects with fewer real addresses before broader ones, so that host keeps its static translation even though it is also covered by this subnet.
Dynamic NAT
Here, instead of the outside interface IP, a specific pool of public addresses is used for the translation. Each inside host gets a one-to-one mapping from the pool for as long as it has active connections; once the pool is exhausted, new connections are dropped unless PAT fallback is configured by adding the "interface" keyword after the pool name.
object network  IP-POOL
 range 110.110.10.2 110.110.10.4
object network inside-hosts
 subnet 172.16.10.0 255.255.255.0
 nat (inside,outside) dynamic IP-POOL
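An added example, not from the original post, that combines a dynamic NAT pool with PAT fallback and a static NAT for one host in the same subnet, so that the Auto NAT ordering described above can be checked. The pool 110.110.10.10-110.110.10.12 is assumed so that it does not overlap the static mapped address 110.110.10.2:

```cisco
! Added example, not from the original post. Assumed: nameif inside/outside,
! pool 110.110.10.10-.12 (chosen so it does not overlap the static 110.110.10.2).
object network IP-POOL
 range 110.110.10.10 110.110.10.12
!
! Dynamic NAT from the pool. The trailing "interface" keyword is PAT fallback:
! when all three pool addresses are in use, new connections are PATed to the
! outside interface IP instead of being dropped.
object network inside-hosts
 subnet 172.16.10.0 255.255.255.0
 nat (inside,outside) dynamic IP-POOL interface
!
! A static NAT for one host of that subnet. Within Section 2 (Auto NAT) static
! rules are ordered above dynamic ones, so 172.16.10.2 always leaves as
! 110.110.10.2 and never consumes a pool address.
object network webserver
 host 172.16.10.2
 nat (inside,outside) static 110.110.10.2
!
! Checks: "show nat" lists webserver above inside-hosts; "show xlate" shows the
! one-to-one pool entries plus PAT entries once the pool is exhausted.
show nat
show xlate
packet-tracer input inside tcp 172.16.10.2 40000 198.51.100.10 443
packet-tracer input inside tcp 172.16.10.50 40000 198.51.100.10 443
```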
Twice NAT (Manual NAT)
Twice NAT has higher preference: manual NAT rules (section 1 of the NAT table) are evaluated before all Auto NAT rules (section 2), unless a manual rule is configured with the "after-auto" keyword, which places it in section 3.
In manual NAT we can use both object network and object-group network. The generic form, with a line number to control the order within the section, is:
nat (inside,outside) 1 source static <original-src> <NATed-src> destination static <original-dst> <NATed-dst>
  • 1st object after "source" = original (real) source
  • 2nd object after "source" = NATed (mapped) source
  • 1st object after "destination" = original destination, i.e. the address the inside host actually sends to (the mapped destination)
  • 2nd object after "destination" = NATed destination, i.e. the real address of the destination host
Note the reversal: for the destination the mapped object comes first and the real object second, the opposite of the source order.
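A worked twice NAT configuration, added here as an example and not part of the original post. It assumes a site-to-site VPN to 10.20.0.0/16, a partner server 203.0.113.10 that only accepts connections from 110.110.10.5, and the object names shown:

```cisco
! Added example, not from the original post. Assumed: nameif inside/outside,
! remote VPN network 10.20.0.0/16, partner server 203.0.113.10, PAT address
! 110.110.10.5 and the object names below.
object network INSIDE-NET
 subnet 172.16.10.0 255.255.255.0
object network REMOTE-NET
 subnet 10.20.0.0 255.255.0.0
object network PARTNER-SERVER
 host 203.0.113.10
object network PARTNER-PAT
 host 110.110.10.5
!
! Section 1 (manual NAT), evaluated top-down by line number before any Auto NAT.
! Line 1: identity NAT so VPN traffic to the remote site keeps its real addresses
! (real and mapped objects are the same, i.e. "translate to itself").
nat (inside,outside) 1 source static INSIDE-NET INSIDE-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup
! Line 2: only when talking to the partner server, hide behind 110.110.10.5.
! A single-host mapped object with "source dynamic" gives dynamic PAT.
nat (inside,outside) 2 source dynamic INSIDE-NET PARTNER-PAT destination static PARTNER-SERVER PARTNER-SERVER
!
! Section 2 (Auto NAT): everything else hides behind the outside interface IP.
object network INSIDE-NET
 nat (inside,outside) dynamic interface
!
! Checks: "show nat" lists the two manual rules under Section 1 ahead of the
! Auto NAT rule. The three traces below should hit line 1, line 2 and the
! Auto NAT rule respectively (see the NAT phase of each trace).
show nat
packet-tracer input inside tcp 172.16.10.50 40000 10.20.1.10 445
packet-tracer input inside tcp 172.16.10.50 40000 203.0.113.10 443
packet-tracer input inside tcp 172.16.10.50 40000 198.51.100.10 443
```

Line ordering matters: if the identity rule were placed after a broader manual rule, VPN traffic would be PATed and the tunnel's interesting-traffic match would fail, which is the classic 8.3 migration mistake.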