
ASA NAT Notes

NAT:
Source NAT:
If my internal address is getting translated, regardless of the direction of the access, it is called source NAT. The word
"source" means "YOU" or "MY" address is being translated. 99% of the time you will be doing source NAT.
Destination NAT:
If the external / remote / foreign address changes, it is called destination NAT. The word "destination" means "THEM".
--------------------------------------------------------------------------------------------------------------------------
Source Dynamic NAT: Allows internal users to go out using a public address from a pool defined on the firewall. This is
also referred to as Object NAT or Auto NAT.
1. Define the pool
object network pool1
 range 192.1.20.101 192.1.20.200
2. Specify the addresses that can use the pool
object network INS-NET
 subnet 10.11.11.0 255.255.255.0
 nat (inside,outside) dynamic pool1
--------------------------------------------------------------------------------------------------------------------------
Source Static NAT: Translates an internal address to a fixed address on the outside. Because it is static, the entry is
created in the translation table as soon as the static NAT is configured on the firewall. You still need an ACL to allow
access from the low security interface to the high security interface.
! Web server
object network www1
 host 192.168.1.11
 nat (dmz,outside) static 192.1.20.21
! E-mail server
object network Email1
 host 192.168.1.12
 nat (dmz,outside) static 192.1.20.22
! DNS server
object network dns1
 host 192.168.1.13
 nat (dmz,outside) static 192.1.20.23
! R3
object network R3
 host 192.168.1.3
 nat (dmz,outside) static 192.1.20.24
! Allow inbound access from the outside; the ACL references the real (untranslated) addresses
access-list OUTSIDE extended permit tcp any host 192.168.1.11 eq 80
access-list OUTSIDE extended permit tcp any host 192.168.1.11 eq 443
! SMTP goes to the e-mail server (Email1, 192.168.1.12)
access-list OUTSIDE extended permit tcp any host 192.168.1.12 eq 25
access-list OUTSIDE extended permit tcp any host 192.168.1.3 eq 80
access-list OUTSIDE extended permit udp any host 192.168.1.13 eq 53
!
access-group OUTSIDE in interface outside
show xlate
! Static NAT takes precedence over dynamic NAT.
! clear xlate
! clear configure object
! Source PAT
! 1. Dynamic PAT using the outside interface address
object network INS-NET
 subnet 10.11.11.0 255.255.255.0
 nat (inside,outside) dynamic interface
Or
! 2. Dynamic PAT using a specific IP address
! A. Create an object for the IP address (or range of addresses) to PAT behind
object network PAT
 host 192.1.20.5
! B. Create the inside network object and tell it to use that object as the PAT pool
object network INS-NET
 subnet 10.11.11.0 255.255.255.0
 nat (inside,outside) dynamic pat-pool PAT
show xlate (for verification)
Static PAT
object network www1
 host 192.168.1.11
 nat (dmz,outside) static 192.1.20.11 service tcp 80 80
!
object network Email1
 host 192.168.1.12
 nat (dmz,outside) static 192.1.20.11 service tcp 25 25
!
object network dns1
 host 192.168.1.13
 nat (dmz,outside) static 192.1.20.11 service udp 53 53
! Note: the same port on the real and mapped side is called port forwarding.
!
object network R3
 host 192.168.1.3
 nat (dmz,outside) static 192.1.20.11 service tcp 23 2311
! Note: a different mapped port (2311 on the outside reaches port 23 on R3) is called port redirection.
! Destination NAT
object network H199
 host 199.1.1.1
 nat (outside,dmz) static 192.168.1.177
! The outside host 199.1.1.1 is reached from the dmz as 192.168.1.177.
-------------------------------------------------------------------------------------------------------------------------------------
! Twice NAT / Manual NAT
It allows you to change the source as well as the destination in a single NAT statement. This is also known as Manual NAT.
Preference: Twice NAT -> Auto NAT (Static) -> Auto NAT (Dynamic)
1. Create objects for all the addresses involved
object network R3-D
 host 192.168.1.3
object network R3-O
 host 192.1.20.20
!
object network H199-O
 host 199.1.1.1
object network H199-D
 host 192.168.1.79
2. Create the Twice NAT / Manual NAT statement
! source: real R3-D -> mapped R3-O; destination: mapped H199-D (as the dmz sees it) -> real H199-O
nat (dmz,outside) source static R3-D R3-O destination static H199-D H199-O
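The NAT table order stated in these notes (twice NAT first, then auto NAT static, then auto NAT dynamic, so static wins over dynamic) modelled in Python as an added example, not from the notes: the rules are built from the notes' configuration, while the dmz dynamic rule, the host 192.168.1.50 and the Internet destination 203.0.113.10 are constructed, and `resolve` reports which rule translates a flow, much as `packet-tracer` would.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class NatRule:
    name: str
    section: int              # 1 = manual/twice NAT, 2 = auto (object) NAT
    static: bool              # within section 2, static rules are checked before dynamic
    real_ifc: str             # interface the real (untranslated) source lives on
    real_src: str             # real source host or subnet, as an IP network
    mapped_src: str           # translated source (a pool label for dynamic rules)
    mapped_dst: Optional[str] = None   # twice NAT only: destination as the real side sees it
    real_dst: Optional[str] = None     # twice NAT only: the actual destination behind it

def matches(rule: NatRule, ingress: str, src: str, dst: str) -> bool:
    if rule.real_ifc != ingress or ip_address(src) not in ip_network(rule.real_src):
        return False
    # Twice NAT also matches on the destination; auto NAT ignores it.
    return rule.mapped_dst is None or ip_address(dst) in ip_network(rule.mapped_dst)

def resolve(rules, ingress, src, dst):
    """First match in ASA table order: section 1, then section 2 static, then section 2 dynamic."""
    for rule in sorted(rules, key=lambda r: (r.section, not r.static)):
        if matches(rule, ingress, src, dst):
            return rule.name, rule.mapped_src, rule.real_dst or dst
    return None, src, dst  # no rule: the packet is forwarded untranslated

# Rules taken from the notes' configuration; the dmz dynamic rule is constructed to show a
# static rule beating a dynamic rule whose subnet covers the same host.
RULES = [
    NatRule("INS-NET dynamic pool1", 2, False, "inside", "10.11.11.0/24", "pool1 192.1.20.101-200"),
    NatRule("www1 static", 2, True, "dmz", "192.168.1.11/32", "192.1.20.21"),
    NatRule("R3 static", 2, True, "dmz", "192.168.1.3/32", "192.1.20.24"),
    NatRule("DMZ-NET dynamic (constructed)", 2, False, "dmz", "192.168.1.0/24", "interface PAT"),
    NatRule("twice NAT R3->H199", 1, True, "dmz", "192.168.1.3/32", "192.1.20.20",
            mapped_dst="192.168.1.79/32", real_dst="199.1.1.1"),
]

if __name__ == "__main__":
    # 203.0.113.10 and 192.168.1.50 are constructed addresses.
    for flow in [("dmz", "192.168.1.3", "192.168.1.79"),   # twice NAT wins over R3's auto static
                 ("dmz", "192.168.1.3", "203.0.113.10"),   # auto static wins over dmz dynamic
                 ("dmz", "192.168.1.50", "203.0.113.10"),  # no static match: dynamic rule
                 ("inside", "10.11.11.5", "203.0.113.10")]:
        print(flow, "->", resolve(RULES, *flow))
```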
Analyze traffic flows from:
1. High security level to low security level
2. Low security level to high security level
3. Same security level interfaces

1. High security level to low security level
By default, all traffic is allowed to flow from a higher security level interface to a lower security level interface, as long
as routing information is available.
Although all traffic is allowed to flow from a high security level to a low security level, only TCP and UDP traffic is
inspected.