Tuesday, November 9, 2010

ASA 8.3 - How to configure NAT

As you will have heard (and if not you will do soon) the new ASA 8.3 brings massive changes. The main change is the way in which the ASA handles NAT. Rather the configuring NAT at purley the interface level NAT is now configured within network objects.
That way in which is now configured is :
  1. Create a network object.
  2. Within this object define the Real IP/Network to be translated.
  3. Also within this object you can use the the nat commands to specifiy whether the translation will be dynamic or static.
Examples
Configuring Dynamic NAT
The following example configures dynamic NAT that hides 192.168.2.0 network behind a range of outside addresses 2.2.2.1-2.2.2.10:
1.hostname(config)# object network my-range-obj
2.hostname(config-network-object)# range 2.2.2.1 2.2.2.10
3.hostname(config)# object network my-inside-net
4.hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
5.hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj
Dynamic PAT (Hide NAT)
The following example configures dynamic PAT that hides the 192.168.2.0 network behind address 2.2.2.2:
1.hostname(config)# object network my-inside-net
2.hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
3.hostname(config-network-object)# nat (inside,outside) dynamic 2.2.2.2
The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:
1.hostname(config)# object network my-inside-net
2.hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
3.hostname(config-network-object)# nat (inside,outside) dynamic interface
Configuring Static NAT or Static NAT with Port Translation
The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside with DNS rewrite enabled.
1.hostname(config)# object network my-host-obj1
2.hostname(config-network-object)# host 1.1.1.1
3.hostname(config-network-object)# nat (inside,outside) static 2.2.2.2 dns
The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside using a mapped object.
1.hostname(config)# object network my-mapped-obj
2.hostname(config-network-object)# host 2.2.2.2
3.hostname(config-network-object)# object network my-host-obj1
4.hostname(config-network-object)# host 1.1.1.1
5.hostname(config-network-object)# nat (inside,outside) static my-mapped-obj
The following example configures static NAT with port translation for 1.1.1.1 at TCP port 21 to the outside interface at port 2121.
1.hostname(config)# object network my-ftp-server
2.hostname(config-network-object)# host 1.1.1.1
3.hostname(config-network-object)# nat (inside,outside) static interface service tcp 21 2121
Posted by ajay gupta at 4:50 PM
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)