ASA 8.4 Example

Access a web server from outside:

[Figure: asa-8-2-dnat]

This can be done in two ways: Twice NAT or Auto NAT.

Twice NAT

object network real-host-obj
 host 192.168.1.2
object network mapped-host-obj
 host 1.1.1.1

nat (inside,outside) source static real-host-obj mapped-host-obj

access-list allow-webserver-inside extended permit ip any host 192.168.1.2
access-group allow-webserver-inside in interface outside

With the help of Auto NAT:

object network mapped-host-obj
 host 1.1.1.2

object network real-host-obj
 host 192.168.1.2
 nat (inside,outside) static mapped-host-obj

To allow unidirectional access (outside hosts can reach 192.168.1.3, but 192.168.1.3 cannot initiate connections through this rule):

object network host_192.168.1.3
 host 192.168.1.3

object network host_1.1.1.2
 host 1.1.1.2

nat (outside,inside) source static any any destination static host_1.1.1.2 host_192.168.1.3 unidirectional

access-list outside-acl line 2 extended permit tcp any object host_192.168.1.3 eq 80

Consider the following topology:

[Topology diagram: ASA_8_4_NAT_Topology]

Task 1> Map 13.13.13.64/27 to the pool 12.12.12.100-110, with PAT fallback.

Auto NAT:

object network dynamic-nat-pool
 range 12.12.12.100 12.12.12.110

object network R3-Sub-subnet
 subnet 13.13.13.64 255.255.255.224
 nat (dmz,outside) dynamic dynamic-nat-pool interface

Note: the interface keyword at the end enables the fallback: once the pool is exhausted, further hosts are PATed to the outside interface address.

Twice NAT:

nat (dmz,outside) source dynamic R3-Subnet dynamic-nat-pool-1 interface
! interface = PAT fallback to the outside interface address, as in the Auto NAT form above

ASA1(config)# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from dmz:13.13.13.65 to outside:12.12.12.108 flags i idle 0:00:01 timeout 3:00:00

ASA1(config)# show xlate detail
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from dmz:13.13.13.65 to outside:12.12.12.108 flags i idle 0:00:02 timeout 3:00:00 refcnt 1 xlate id 0x7f6f083f3d80

Task 2> When host 13.13.13.13 sends any traffic to port 21, translate the port to 23.

Auto NAT:

object network Any-Subnet
 subnet 0.0.0.0 0.0.0.0

object network R2
 ! R2's host address is given only on the topology diagram
 nat (outside,dmz) static Any-Subnet service tcp telnet ftp

Twice NAT:

object network Any-Subnet
 subnet 0.0.0.0 0.0.0.0

nat (dmz,outside) source dynamic R3 R3 destination static Any-Subnet Any-Subnet service ftp telnet
Allow access to a server on a specific port:

object service realport
 service tcp source eq 80

object network RealIP
 host 192.168.1.2
object network MappedIP
 host 1.1.1.2
nat (inside,outside) source static RealIP MappedIP service realport realport

Allow multiple services in a single statement:

object service realport-80
 service tcp source eq 80

object service realport-443
 service tcp source eq 443

object service realport-25
 service tcp source eq 25

object-group service Server-Services
 service-object object realport-80
 service-object object realport-443
 service-object object realport-25

nat (inside,outside) source static RealIP MappedIP service Server-Services Server-Services

Port redirection:

object service realport-80
 service tcp source eq 80

object service mappedport-8080
 service tcp source eq 8080

nat (inside,outside) source static RealIP MappedIP service realport-80 mappedport-8080
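The three behaviours the configs above depend on (a dynamic pool with interface-PAT fallback from Task 1, static NAT with port redirection 80 -> 8080, and a unidirectional static rule that never lets the real host initiate) modelled in Python. This is an added example, not Cisco code and not part of the original post: the rule classes, the xlate dictionary, the PAT port allocator, the outside interface address 12.12.12.1 and the outside client 203.0.113.5 are this model's own assumptions, and the web server is mapped to 1.1.1.1 (the page's first Twice NAT example) so it does not overlap the unidirectional rule's 1.1.1.2. The evaluation order (manual twice NAT first, then object/auto NAT with static rules before dynamic ones, first match wins) and the xlate flag letters s, i and r follow the ASA's documented behaviour.

```python
"""Toy model of ASA 8.3+ NAT rule evaluation (added example, not Cisco code).

Rule classes, the xlate dict and the PAT port allocator are assumptions of
this model; the evaluation order (manual twice NAT, then object/auto NAT with
static before dynamic, first match wins) is the ASA's documented order.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import count
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class StaticRule:
    """Static NAT, optionally with port translation. 'unidirectional' keeps the
    mapped address reachable from outside but never lets the real host initiate."""
    real_ip: str
    mapped_ip: str
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None
    unidirectional: bool = False

    def inbound(self, pkt):
        """outside -> inside: rewrite destination mapped -> real."""
        if pkt.dst != self.mapped_ip:
            return None
        if self.mapped_port is not None and pkt.dport != self.mapped_port:
            return None
        return Packet(pkt.src, self.real_ip, pkt.sport, self.real_port or pkt.dport), "s"

    def outbound(self, pkt):
        """inside -> outside: rewrite source real -> mapped (refused if unidirectional)."""
        if self.unidirectional or pkt.src != self.real_ip:
            return None
        if self.real_port is not None and pkt.sport != self.real_port:
            return None
        return Packet(self.mapped_ip, pkt.dst, self.mapped_port or pkt.sport, pkt.dport), "s"


@dataclass
class DynamicPoolRule:
    """Dynamic NAT from a real subnet to an address pool; once the pool is used
    up, fall back to PAT on the interface address (the 'interface' keyword)."""
    real_subnet: str
    pool: List[str]
    interface_ip: str
    xlate: dict = field(default_factory=dict)  # real host -> mapped address
    pat_ports: count = field(default_factory=lambda: count(1024))

    def inbound(self, pkt):
        return None  # dynamic NAT never admits outside-initiated connections

    def outbound(self, pkt):
        if ip_address(pkt.src) not in ip_network(self.real_subnet):
            return None
        if pkt.src not in self.xlate:
            used = set(self.xlate.values())
            free = [a for a in self.pool if a not in used]
            self.xlate[pkt.src] = free[0] if free else self.interface_ip
        mapped = self.xlate[pkt.src]
        if mapped == self.interface_ip:  # PAT: the source port is rewritten too
            return Packet(mapped, pkt.dst, next(self.pat_ports), pkt.dport), "ir"
        return Packet(mapped, pkt.dst, pkt.sport, pkt.dport), "i"


class NatTable:
    """Section 1 = manual (twice) NAT; section 2 = object (auto) NAT, static
    before dynamic. The first rule that matches wins."""

    def __init__(self, twice_nat, auto_nat):
        auto_sorted = sorted(auto_nat, key=lambda r: isinstance(r, DynamicPoolRule))
        self.rules = list(twice_nat) + auto_sorted

    def translate(self, pkt, direction):
        for rule in self.rules:
            hit = rule.inbound(pkt) if direction == "inbound" else rule.outbound(pkt)
            if hit is not None:
                return hit
        return pkt, "-"  # no rule matched: since 8.3 the packet passes untranslated


def demo():
    """Replay the page's scenarios. 12.12.12.1 (outside interface) and
    203.0.113.5 (an outside client) are constructed addresses."""
    table = NatTable(
        twice_nat=[StaticRule("192.168.1.3", "1.1.1.2", unidirectional=True)],
        auto_nat=[
            DynamicPoolRule("13.13.13.64/27", [f"12.12.12.{i}" for i in range(100, 111)], "12.12.12.1"),
            StaticRule("192.168.1.2", "1.1.1.1", real_port=80, mapped_port=8080),
        ],
    )
    return {
        # port redirection: the client connects to mapped port 8080, the server sees 80
        "redirect": table.translate(Packet("203.0.113.5", "1.1.1.1", 40000, 8080), "inbound"),
        # unidirectional: inbound is translated, the real host cannot initiate through it
        "uni_in": table.translate(Packet("203.0.113.5", "1.1.1.2", 40001, 80), "inbound"),
        "uni_out": table.translate(Packet("192.168.1.3", "203.0.113.5", 5000, 80), "outbound"),
        # eleven pool addresses: the twelfth DMZ host falls back to interface PAT (flags ir)
        "pool": [table.translate(Packet(f"13.13.13.{65 + n}", "203.0.113.5", 5000, 80), "outbound")
                 for n in range(12)],
    }
```

Calling demo() returns each scenario's translated packet together with the flag letters a show xlate would print for it; the "uni_out" entry comes back untranslated with "-", which is exactly what the unidirectional keyword buys you, and the twelfth pool entry shows the PAT fallback as a new source port on the interface address.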