* Original source IP address (and port) in the packet
* Interface where the original packet enters the ASA (ingress interface)
* Interface where the packet will exit the ASA (egress interface)
* Translated address (and, optionally, port) to insert into the packet
Dynamic inside PAT creates many-to-one translations, allowing several local (original) IP addresses to share a single global (translated) IP address. It does so by creating a temporary translation of both the original IP address and the original source port number to a global IP address and unique global port number, for each translated session. These translations are created and added to the translation table for each outbound TCP or UDP session requiring PAT. These are removed from the NAT table when the OSI Layer 4 session closes.
You can define an available IP address, or you can use the ASA's IP address on the egress interface. Using the ASA interface IP is particularly useful in environments where your ISP provides only one IP address (usually a dynamic one).
Dynamic PAT is typically used for client hosts that need outbound connectivity only, and when there are not enough global IP addresses available to assign a unique global address to each local host.
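As an added illustration (not code from the original post), here is a small Python model of the many-to-one translation table described above: each outbound (local IP, local port) pair gets a unique global port, reply traffic is mapped back only when a matching xlate exists, and the entry is removed when the session closes. The class name, the starting global port of 1024, and the per-host connection limit are assumptions of this toy, chosen to mirror the `show xlate` output shown later in the post.

```python
"""Toy model of ASA-style dynamic PAT (many-to-one). Constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class PatTable:
    global_ip: str                  # translated (global) address, e.g. the outside interface IP
    first_port: int = 1024          # assumed first global port; matches the sample output
    max_conns_per_host: int = 0     # like the "tcp <max_conns>" argument: 0 means unlimited
    xlates: dict = field(default_factory=dict)   # (proto, local_ip, local_port) -> global_port
    reverse: dict = field(default_factory=dict)  # (proto, global_port) -> (local_ip, local_port)

    def outbound(self, proto, local_ip, local_port):
        """Translate an outbound packet; create an xlate if this session has none yet.
        For ICMP the 'port' is the ICMP identifier, as in the show xlate output."""
        key = (proto, local_ip, local_port)
        if key in self.xlates:                       # existing session reuses its xlate
            return (self.global_ip, self.xlates[key])
        in_use = sum(1 for (_, ip, _) in self.xlates if ip == local_ip)
        if self.max_conns_per_host and in_use >= self.max_conns_per_host:
            raise RuntimeError(f"connection limit reached for {local_ip}")
        gport = self.first_port                      # pick the lowest free global port
        while (proto, gport) in self.reverse:
            gport += 1
            if gport > 65535:
                raise RuntimeError("PAT port pool exhausted")
        self.xlates[key] = gport
        self.reverse[(proto, gport)] = (local_ip, local_port)
        return (self.global_ip, gport)

    def inbound(self, proto, global_port):
        """Untranslate a reply. None means no xlate exists: unsolicited inbound is dropped."""
        return self.reverse.get((proto, global_port))

    def close(self, proto, local_ip, local_port):
        """Remove the xlate when the Layer 4 session ends."""
        gport = self.xlates.pop((proto, local_ip, local_port))
        del self.reverse[(proto, gport)]

    def show_xlate(self):
        """Render the table in the style of 'show xlate detail' (dynamic + portmap flags)."""
        lines = [f"{len(self.xlates)} in use"]
        for (proto, lip, lport), gport in self.xlates.items():
            lines.append(f"{proto} PAT from inside:{lip}/{lport} "
                         f"to outside:{self.global_ip}/{gport} flags ri")
        return lines
```

Two inside hosts that both use source port 2985 receive different global ports, which is the property that lets one global address serve many local hosts.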
ASA802(config)# nat ?
configure mode commands/options:
( Open parenthesis for the name of the network interface where the
hosts/network designated by the local IP address are accessed
ASA802(config)# nat (?
configure mode commands/options:
Current available interface(s):
inside Name of interface Ethernet0/1
outside Name of interface Ethernet0/0
ASA802(config)# nat (inside) ?
configure mode commands/options:
<0-2147483647> The <nat_id> of this group of hosts/networks. This <nat_id>
will be referenced by the global command to associate a
global pool with the local IP address. <nat_id> '0' is used
to indicate no address translation for local IP. The limit is
65535 with access-lists
ASA802(config)# nat (inside) 1 ?
configure mode commands/options:
Hostname or A.B.C.D The hosts/networks in this <nat_id> group, '0' indicates
all networks or the default <nat_id> group
access-list Specify access-list name after this keyword
ASA802(config)# nat (inside) 1 10.1.1.0 ?
configure mode commands/options:
A.B.C.D IP netmask to apply to the local IP address
<cr>
ASA802(config)# nat (inside) 1 10.1.1.0 255.255.255.0 ?
configure mode commands/options:
<0-65535> The maximum number of simultaneous TCP connections the local IP
hosts are to allow, default is 0 which means unlimited
connections. Idle connections are closed after the time
specified by the timeout conn command
dns Rewrite DNS address record
norandomseq Disable TCP sequence number randomization
outside Enable Outside NAT
tcp Configure TCP specific parameters
udp Configure UDP specific parameters
<cr>
ASA802(config)# nat (inside) 1 10.1.1.0 255.255.255.0 tcp ?
configure mode commands/options:
<0-65535> The maximum number of simultaneous TCP connections the local IP
hosts are to allow, default is 0 which means unlimited
connections. Idle connections are closed after the time specified
by the timeout conn command
ASA802(config)# nat (inside) 1 10.1.1.0 255.255.255.0 tcp 0 ?
configure mode commands/options:
<0-65535> The maximum number of embryonic connections per host, default is
0, which means unlimited connections. An embryonic connection is a
connection request that has not finished the necessary handshake
between source and destination
<cr>
ASA802(config)# nat (inside) 1 10.1.1.0 255.255.255.0 tcp 0 0 ?
configure mode commands/options:
norandomseq Disable TCP sequence number randomization
udp Configure UDP specific parameters
<cr>
ASA802(config)# nat (inside) 1 10.1.1.0 255.255.255.0 tcp 0 0 udp ?
configure mode commands/options:
<0-65535> The maximum number of simultaneous UDP connections the local IP
hosts are to allow, default is 0 which means unlimited
connections. Idle connections are closed after the time specified
by the timeout conn command
ASA802(config)# nat (inside) 1 10.1.1.0 255.255.255.0 tcp 0 0 udp 0
ASA802(config)# global ?
configure mode commands/options:
( Open parenthesis for the external network interface name
ASA802(config)# global (?
configure mode commands/options:
Current available interface(s):
inside Name of interface Ethernet0/1
outside Name of interface Ethernet0/0
ASA802(config)# global (outside) ?
configure mode commands/options:
<0-2147483647> The id of the NAT group that will draw from these global
addresses
ASA802(config)# global (outside) 1 ?
configure mode commands/options:
WORD Enter IP address or a range of IP addresses <start_ip>[-<end_ip>]
interface Specifies PAT using the IP address at the interface
ASA802(config)# global (outside) 1 interface
ASA802# show xlate
0 in use, 1 most used
My PC is still not able to ping the Internet (8.8.8.8) and there's no output on the NAT Table (0 in use). So I've manually created a policy (Modular Policy Framework or MPF) to allow ICMP or ping and applied it under the ASA's inside interface. I've also enabled the nat-control (disabled by default) to enforce packets from the inside interface to the outside interface to match a NAT rule.
policy-map inside-policy
class inside-class
inspect icmp
!
service-policy inside-policy interface inside
ASA802(config)# nat?
configure mode commands/options:
nat nat-control
ASA802(config)# nat-control
ASA802# show xlate
2 in use, 2 most used
PAT Global 200.1.1.1(1024) Local 10.1.1.10(2985)
PAT Global 200.1.1.1(14) Local 10.1.1.10 ICMP id 1
ASA802# show xlate detail
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
ICMP PAT from inside:10.1.1.10/1 to outside:200.1.1.1/15 flags ri
TCP PAT from inside:10.1.1.10/2985 to outside:200.1.1.1/1024 flags ri