Overblog Follow this blog
Edit post Administration Create my blog
Cisco & Cisco Network Hardware News and Technology

Configuring NAT on Cisco ASA

April 16 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Network address translation (NAT) allows you to translate private to public addresses. 
With CISCO ASA firewall, You can configure 2 types of NAT: 
- Dynamic NAT (including PAT - port address translation)
- Static NAT 

Nat example (Web server must send responses to a client on public/mapped address):

cisco-nat-NAT-Configuration.jpg

Dynamic NAT allows You to translate internal addresses to a predefined set or pool of public addresses You define. The "nat" command defines which internal hosts, and the "global" command defines public address range in which internal addresses will be translated. Number "1" in nat configuration defines NAT ID (number of NAT rule), and must match on "nat" and "global" command: 

ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0                               

 ASA1(config)#global (outside) 1 193.222.168.113-193.222.168.116 255.255.255.240

 
PAT translates a range of internal addresses to 1 public address by mapping them to a different ports: 

ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0                               

 ASA1(config)#global (outside) 1 193.222.168.113                 


Instead of ip address in a global command, it's possible to define word "interface". That way, the internal addresses will automatically be PAT-ed into the address of an outside inteface: 

 ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0                               

 ASA1(config)#global (outside) 1 interface              

 

Static NAT, allows You to permanently map public ip address and port to an inside one (port forwarding). Along with that, cisco allows 1:1 NAT, or "mirroring", which translates all internal ports of a private address to the same ports on a public address (bi-directional). Of course, to enable traffic flow from the "outsude" to the "inside" interface, traffic also must be allowed with the Access control list. 

Port forwarding:

nat3-NAT-Configuration.jpg

Port forwarding of publicly available ports to an internal addresses. After configuring NAT, to enable traffic flow from outside to inside hosts, You must apply access-lists which will allow the traffic. Finally, to activate acl, bind it on a "outside" interface with the "access-group" command: 

ASA1(config)#static (inside,outside) tcp 209.165.201.3 http 10.2.2.28 http netmask 255.255.255.255

 ASA1(config)#static (inside,outside) tcp 209.165.201.3 ftp 10.2.2.27 ftp netmask 255.255.255.255

 ASA1(config)#static (inside,outside) tcp 209.165.201.3 smtp 10.2.2.29 smtp netmask 255.255.255.255

 

ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq http

 ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq ftp

 ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq smtp

 

 ASA1(config)#access-group outside_in_acl in interface outside

 

Static 1:1 nat, (every public port maped to the same internal port): 

ASA1(config)#static (inside,outside) 209.165.201.4 10.2.2.45 netmask 255.255.255.255        

To allow traffic flow from lower security interface "outside", to higher security interface "inside", access control list must be applied. 

 

More Related Cisco ASA Tips:

Site-to-Site IPSEC VPN between Two Cisco ASA 5520

How to Configure Dual ISP on Cisco ASA 5505?

Cisco ASA 8.4 vs. Typical NAT/PAT Configuration

Eight Commands on a Cisco ASA Security Appliance You Should Know

VLAN Sub-Interfaces on Cisco ASA 5500 Firewall Configuration

How to Configure Cisco ASA 5505 Firewall?

Share this post

Repost 0

Comment on this post