Task 1: Configure Static NAT
Create a network object for the DMZ server (172.16.1.50) under Configuration > Firewall > Objects > Network Objects/Groups > click Add.
Type a Name: DMZ-SERVER > leave the default Type: Host > IP Version: IPv4 > type the IP Address: 172.16.1.50 > click the downward arrow to expand NAT.
Select: Add Automatic Address Translation Rules > select the default Type: Static > type Translated Addr: 172.27.25.252 > click Advanced.
Select Source Interface: dmz > select Destination Interface: outside > leave the default protocol: TCP > click OK > OK.
Click Apply > Send.
To view NAT rules, go to Configuration > Firewall > NAT Rules.
Connect to the FTP server via the translated IP 172.27.25.252 from an outside host.
OUTSIDE-LINUX~]$ ftp 172.27.25.252
ftp>
To view ASA NAT statistics, issue the show nat command.
Notice the NAT table Section 2 for Auto/Object NAT policies.
LAB-ASA5515x# show nat
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static DMZ-SERVER 172.27.25.252
    translate_hits = 98, untranslate_hits = 14
2 (inside) to (outside) source dynamic OBJ-INSIDE interface
    translate_hits = 22147, untranslate_hits = 13
To view ASA NAT translations, issue the show xlate command.
Notice the flag s for static NAT.
LAB-ASA5515x# show xlate
7 in use, 25 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from dmz:172.16.1.50 to outside:172.27.25.252
    flags s idle 0:06:46 timeout 0:00:00
TCP PAT from inside:192.168.1.100/54892 to outside:172.27.25.254/54892 flags ri idle 0:00:30 timeout 0:00:30
TCP PAT from inside:192.168.1.100/54889 to outside:172.27.25.254/54889 flags ri idle 0:01:47 timeout 0:00:30
TCP PAT from inside:192.168.1.100/54235 to outside:172.27.25.254/54235 flags ri idle 14:03:19 timeout 0:00:30
TCP PAT from inside:192.168.1.100/51541 to outside:172.27.25.254/51541 flags ri idle 75:16:34 timeout 0:00:30
TCP PAT from inside:192.168.1.100/51539 to outside:172.27.25.254/51539 flags ri idle 3:19:48 timeout 0:00:30
UDP PAT from inside:192.168.1.140/123 to outside:172.27.25.254/123 flags ri idle 0:08:48 timeout 0:00:30
Task 2: Configure Dynamic NAT (Hide PAT)
To add a new NAT rule that gives the internal hosts in 192.168.1.0/24 outbound connectivity and translates them to the Cisco ASA outside interface address, go to Configuration > Firewall > Objects > Network Objects/Groups > Add > Network Object.
Type Network Object Name: OBJ-INSIDE > select Type: Network > select IP Version: IPv4 (default) > type IP Address: 192.168.1.0 > type/select Netmask: 255.255.255.0 > expand NAT > select Add Automatic Address Translation Rules > select Type: Dynamic PAT (Hide) > select Translated Addr: outside.
Click Advanced > select Source Interface: inside > select Destination Interface: outside > click OK > OK > Apply > Send.
To view the newly created Dynamic NAT (PAT) rule, go to Configuration > Firewall > NAT Rules.
Open a website in Win7 to generate traffic for the Cisco ASA Dynamic NAT (PAT) rule.
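For readers who configure the ASA from the CLI rather than ASDM, the following is the object NAT equivalent of the Task 1 and Task 2 clicks above. It is an added example written for this page, not configuration taken from the post; it uses the object names, addresses and interface names the post uses and assumes ASA 8.3 or later object NAT syntax.

```cisco
! Added example (not from the post): CLI equivalent of the ASDM steps in
! Task 1 and Task 2, ASA 8.3+ object NAT syntax.

! Task 1: static NAT for the DMZ server.
! Real address 172.16.1.50 on dmz is reachable as 172.27.25.252 on outside,
! in both directions (hence the "s" flag in show xlate).
object network DMZ-SERVER
 host 172.16.1.50
 nat (dmz,outside) static 172.27.25.252

! Task 2: dynamic PAT (hide) for the inside subnet.
! Every inside host is translated to the outside interface address and a
! unique source port (the "ri" flags in show xlate); outside hosts cannot
! initiate connections to these entries.
object network OBJ-INSIDE
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Verification, same commands the post uses.
show nat detail
show xlate
```

Two points worth checking after applying this. First, the static rule only creates the translation; on ASA 8.3 and later an access list applied inbound on the outside interface must still permit the traffic, and it must reference the real address (172.16.1.50), not the mapped one. The post does not show that access list, so if the FTP test from the outside host fails, look there before looking at NAT. Second, the translate_hits and untranslate_hits counters in show nat detail tell you which rule a flow actually matched; a DMZ server whose hits stay at zero while inside hosts reach it usually means a more specific rule in Section 1 is winning.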
To verify Dynamic NAT statistics, ASA connections and NAT translations, use the show nat detail, show conn detail and show xlate commands respectively.
LAB-ASA5515x# show nat detail
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static DMZ-SERVER 172.27.25.252
    translate_hits = 126, untranslate_hits = 30
    Source - Origin: 172.16.1.50/32, Translated: 172.27.25.252/32
2 (inside) to (outside) source dynamic OBJ-INSIDE interface
    translate_hits = 29669, untranslate_hits = 13
    Source - Origin: 192.168.1.0/24, Translated: 172.27.25.254/24
LAB-ASA5515x# show conn ?
  address         Enter this keyword to specify IP address
  all             Enter this keyword to show conns including to-the-box and from-the-box
  count           Enter this keyword to show conn count only
  detail          Enter this keyword to show conn in detail
  inline-set      Enter this keyword to specify inline-set
  long            Enter this keyword to show conn in long format
  port            Enter this keyword to specify port
  protocol        Enter this keyword to specify conn protocol
  scansafe        Enter this keyword to show conns being forwarded to scansafe server
  security-group  Enter this keyword to show security-group attributes in conns
  state           Enter this keyword to specify conn state
  user            Enter this keyword to specify conn user
  user-group      Enter this keyword to specify conn user group
  user-identity   Enter this keyword to show user names
  zone            Enter this keyword to specify zone
  |               Output modifiers
  <cr>
LAB-ASA5515x# show conn address ?
  WORD  Enter an IP address or a range of IP addresses: <start>[-<end>]
        Enter an IPv6 address/prefix or range: <start>[-<end>]
LAB-ASA5515x# show conn address 192.168.1.130
12 in use, 33 most used
UDP outside 172.217.25.9:443 inside 192.168.1.130:57092, idle 0:01:53, bytes 229633, flags -
UDP outside 172.217.26.129:443 inside 192.168.1.130:57286, idle 0:01:57, bytes 663581, flags -
UDP outside 172.217.25.3:443 inside 192.168.1.130:52795, idle 0:01:50, bytes 9629, flags
Notice the flags ri for Dynamic NAT translations.
LAB-ASA5515x# show xlate
11 in use, 31 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from dmz:172.16.1.50 to outside:172.27.25.252
    flags s idle 64:55:51 timeout 0:00:00
TCP PAT from inside:192.168.1.130/49245 to outside:172.27.25.254/49245 flags ri idle 0:00:01 timeout 0:00:30
UDP PAT from inside:192.168.1.130/50053 to outside:172.27.25.254/50053 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside:192.168.1.130/50052 to outside:172.27.25.254/50052 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside:192.168.1.130/60286 to outside:172.27.25.254/60286 flags ri idle 0:01:49 timeout 0:00:30
TCP PAT from inside:192.168.1.130/49238 to outside:172.27.25.254/49238 flags ri idle 0:02:03 timeout 0:00:30