Static NAT configuration on Cisco ASA 5512 with IOS 9.1
========================================================
ASA5512(Config)# object network emailserver
ASA5512(Config-network-object)# host 10.42.1.10
ASA5512(Config-network-object)# nat (inside,outside) static 68.15.89.20
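! The ACL name must match the access-group below; the ACL permits the real (pre-NAT) address of the object
ASA5512(Config)# access-list inbound extended permit tcp any host 10.42.1.10 eq smtp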
ASA5512(Config)# access-group inbound in interface outside
Configure a dynamic NAT
=========================
object network inside-subnet
subnet 192.168.0.0 255.255.255.0
nat (inside,outside) dynamic interface
When hosts in the 192.168.0.0/24 subnet send traffic from the inside interface to the outside interface, their source addresses are dynamically translated to the IP address of the outside interface.
Configure NAT to Access Webserver from Internet
=================================================
object network webserver-external-ip
host 198.51.100.101
!
object network webserver
host 192.168.1.100
nat (dmz,outside) static webserver-external-ip service tcp www www
access-list outside_acl extended permit tcp any object webserver eq www
!
access-group outside_acl in interface outside
When a host on the outside opens a connection to 198.51.100.101 on destination TCP port 80 (www), the ASA translates the destination IP address to 192.168.1.100, keeps the destination port at TCP port 80 (www), and sends the traffic out the dmz interface.
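A consistency check for static NAT publications like the two above, as an added example that is not part of the original post: on ASA 8.3 and later the access-group must name an access-list that exists, and that access-list must permit the real (pre-NAT) address of the published host. The function name `audit` and the sample configurations are constructed for illustration.

```python
import re
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*", re.I)  # strips "ASA5512(Config)# "

def audit(config):
    """Cross-check static NAT objects, ACLs and access-groups (ASA 8.3+ syntax)."""
    hosts, mapped, acls, bound, current = {}, {}, {}, [], None
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip())
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"] and len(tok) > 2:
            current = tok[2]
        elif tok[0] == "host" and current:
            hosts[current] = tok[1]
        elif tok[0] == "nat" and "static" in tok and current:
            mapped[current] = tok[tok.index("static") + 1]  # IP or object name
        elif tok[0] == "access-list" and "permit" in tok:
            dest = re.search(r"\b(host|object) (\S+)(?= eq )", line)
            if dest:
                acls.setdefault(tok[1], []).append(dest.groups())
        elif tok[0] == "access-group":
            bound.append(tok[1])
    real = {hosts[n] for n in mapped if n in hosts}           # pre-NAT addresses
    translated = {hosts.get(v, v) for v in mapped.values()}   # post-NAT addresses
    findings = [f"access-group applies '{n}' but no access-list has that name"
                for n in bound if n not in acls]
    for name, dests in acls.items():
        if name not in bound:
            findings.append(f"access-list '{name}' is not applied by any access-group")
        for kind, value in dests:
            ip = hosts.get(value, value) if kind == "object" else value
            if ip not in real:
                why = "a mapped (post-NAT) address" if ip in translated else "not the real address of a NAT object"
                findings.append(f"access-list '{name}' permits {ip}: {why}")
    return findings

# Constructed sample input (documentation addresses, not from a real device).
MISMATCHED = """\
ASA(config)# object network mailserver
ASA(config-network-object)# host 10.0.0.10
ASA(config-network-object)# nat (inside,outside) static 203.0.113.20
ASA(config)# access-list inbount extended permit tcp any host 10.0.1.10 eq smtp
ASA(config)# access-group inbound in interface outside
"""
CONSISTENT = MISMATCHED.replace("inbount", "inbound").replace("10.0.1.10", "10.0.0.10")
MAPPED_IN_ACL = CONSISTENT.replace("host 10.0.0.10 eq", "host 203.0.113.20 eq")
if __name__ == "__main__":
    print(*(audit(c) or "no findings" for c in (MISMATCHED, CONSISTENT, MAPPED_IN_ACL)), sep="\n")
```

An empty list means every bound ACL exists and permits only real addresses of static NAT objects; the parser covers only the `host`/`object ... eq` rule shapes used on this page.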
Dynamic NAT with dynamic PAT backup
====================================
The following example configures dynamic NAT with dynamic PAT backup to translate inside hosts to the mapped IPv4 addresses. Hosts on inside network 192.168.1.0/24 are mapped first to the IPv4_NAT_RANGE pool (209.165.201.1 to 209.165.201.30). After all addresses in the IPv4_NAT_RANGE pool are allocated, dynamic PAT is performed using the IPv4_PAT address (209.165.201.31). If the PAT translations are also used up, dynamic PAT is performed using the outside interface address.
ciscoasa(config)# object network IPv4_NAT_RANGE
ciscoasa(config-network-object)# range 209.165.201.1 209.165.201.30
ciscoasa(config-network-object)# object network IPv4_PAT
ciscoasa(config-network-object)# host 209.165.201.31
ciscoasa(config-network-object)# object-group network IPv4_GROUP
ciscoasa(config-network-object)# network-object object IPv4_NAT_RANGE
ciscoasa(config-network-object)# network-object object IPv4_PAT
ciscoasa(config-network-object)# object network my_net_obj5
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic IPv4_GROUP interface
Nice explanation with example