Sunday 18 December 2022

How to configure ASA Firewall Dynamic NAT?

Network address translation

NAT is the method of translating a private IP address into a public IP address. To communicate with the internet, a host must appear with a registered public IP address.


Address translation was originally developed to solve two problems:

  • to handle the shortage of IPv4 addresses
  • to hide internal network addressing schemes

Types of NAT:

  • Static NAT
  • Dynamic NAT
  • Port Address Translation (PAT)


Static NAT: a one-to-one mapping configured manually for every private IP address that needs a registered (public) IP address.


Dynamic NAT: a one-to-one mapping made automatically, from a pool of registered IP addresses, for every private IP address that needs one.


Port Address Translation (Dynamic NAT Overload): allows thousands of users to connect to the internet using only one real global IP address. It maps many addresses to one by using different source ports. PAT is the real reason we haven't run out of valid IP addresses on the internet.


Just like on Cisco IOS routers, we can configure NAT/PAT on a Cisco ASA firewall.


I'm assuming that you already know about NAT, if you don't, please click here 

Let's configure dynamic NAT:

Topology:




Goals:

  • configure the topology as per the diagram
  • configure IP addresses on the ISP router
  • configure VLANs on the ASA firewall
  • configure DHCP on the ASA firewall for the inside network
  • configure a default static route so VLAN 1 (inside) can reach the outside
  • configure dynamic NAT on the ASA for VLAN 1
  • make sure PC-A can ping the web server 8.8.8.8



ISP-ROUTER(config)#interface gigabitEthernet 0/0
ISP-ROUTER(config-if)#ip address 192.168.1.1 255.255.255.0
ISP-ROUTER(config-if)#no shutdown 
ISP-ROUTER(config-if)#exit

ISP-ROUTER(config)#interface gigabitEthernet 0/1
ISP-ROUTER(config-if)#ip address 8.8.8.1 255.0.0.0
ISP-ROUTER(config-if)#no shutdown 
ISP-ROUTER(config-if)#exit


ciscoasa(config)#interface vlan 1
ciscoasa(config-if)#ip address 10.1.1.1 255.0.0.0
ciscoasa(config-if)#nameif inside
ciscoasa(config-if)#security-level 100
ciscoasa(config-if)#exit

ciscoasa(config)#interface ethernet 0/2
ciscoasa(config-if)#switchport access vlan 1
ciscoasa(config-if)#exit

ciscoasa(config)#interface vlan 2
ciscoasa(config-if)#ip address 192.168.1.2 255.255.255.0
ciscoasa(config-if)#nameif outside
ciscoasa(config-if)#security-level 0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#exit

ciscoasa(config)#interface vlan 3
ciscoasa(config-if)#no forward interface vlan 1
ciscoasa(config-if)#ip address 20.1.1.1 255.0.0.0
ciscoasa(config-if)#nameif dmz

INFO: Security level for "dmz" set to 0 by default.

ciscoasa(config-if)#security-level 50
ciscoasa(config-if)#exit

ciscoasa(config)#interface ethernet 0/1
ciscoasa(config-if)#switchport access vlan 3
ciscoasa(config-if)#end

ciscoasa#show interface ip brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  10.1.1.1        YES manual up                    up
Vlan2                  192.168.1.2     YES manual up                    up
Vlan3                  20.1.1.1        YES manual up                    up


ciscoasa#show ip address 
System IP Addresses:
Interface             Name                 IP address      Subnet mask     Method
Vlan1                 inside               10.1.1.1        255.0.0.0       manual
Vlan2                 outside              192.168.1.2     255.255.255.0   manual
Vlan3                 dmz                  20.1.1.1        255.0.0.0       manual

Current IP Addresses:
Interface             Name                 IP address      Subnet mask     Method
Vlan1                 inside               10.1.1.1        255.0.0.0       manual
Vlan2                 outside              192.168.1.2     255.255.255.0   manual
Vlan3                 dmz                  20.1.1.1        255.0.0.0       manual


ciscoasa#show switch vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    inside                           up        Et0/2, Et0/3, Et0/4, Et0/5
                                                Et0/6, Et0/7
2    outside                          up        Et0/0
3    dmz                              up        Et0/1



ciscoasa(config)#dhcpd address 10.1.1.5-10.1.1.15 inside
ciscoasa(config)#dhcpd dns 8.8.8.8 interface inside
ciscoasa(config)#dhcpd enable inside




(Verify that PC-A, PC-B and PC-C obtain their IP configuration from the ASA firewall's DHCP server)

PC-A

ciscoasa(config)#route outside 0.0.0.0 0.0.0.0 192.168.1.1


ciscoasa(config)#object network inside
ciscoasa(config-network-object)#subnet 10.0.0.0 255.0.0.0
ciscoasa(config-network-object)#nat (inside,outside) dynamic interface
ciscoasa(config-network-object)#exit
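The three NAT forms described in the overview (static, dynamic, PAT), expressed in ASA object NAT syntax (8.3 and later) so they can be compared with the rule just configured. This is an added example, not configuration from the tutorial: the object names DMZ-WEB, NAT-POOL, INSIDE-NET and INSIDE-NET-PAT, the DMZ host 20.1.1.10, and the mapped addresses 192.168.1.10 and 192.168.1.100-192.168.1.110 are constructed for illustration and are assumed to sit on the ISP router's directly connected 192.168.1.0/24 segment. Note that the tutorial's `nat (inside,outside) dynamic interface` is dynamic PAT on the outside interface address; the one-to-one dynamic form needs a pool object.

```cisco
! Added example (not from the tutorial). Object names and mapped addresses are constructed.

! 1. Static NAT: one-to-one, configured by hand. The hypothetical DMZ host
!    20.1.1.10 is always presented to the outside as 192.168.1.10.
object network DMZ-WEB
 host 20.1.1.10
 nat (dmz,outside) static 192.168.1.10

! 2. Dynamic NAT: one-to-one, allocated automatically from a pool. Each inside
!    host that opens a connection holds one pool address while its translation
!    lives; the trailing "interface" keyword falls back to PAT on the outside
!    interface address once the pool is exhausted.
object network NAT-POOL
 range 192.168.1.100 192.168.1.110
object network INSIDE-NET
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic NAT-POOL interface

! 3. PAT (dynamic NAT overload): many-to-one, distinguished by source port.
!    This is what the tutorial's "dynamic interface" rule configures. Shown for
!    comparison only: keep either rule 2 or rule 3 for 10.0.0.0/8, not both.
object network INSIDE-NET-PAT
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic interface
```

After applying the rules, `show nat detail` lists them in the order the ASA evaluates them (static rules before dynamic ones) together with hit counts, and `show xlate` shows the live translations, which is the quickest way to confirm whether an inside host received a pool address or a PAT slot on the interface address.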


ciscoasa(config)#access-list ASA extended permit tcp any any
ciscoasa(config)#access-list ASA extended permit icmp any any
ciscoasa(config)#access-group ASA in interface outside
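The access list above permits all TCP and all ICMP inbound on the outside interface, which is broader than the stated goal (PC-A pinging 8.8.8.8) requires. As an added alternative that is not part of the tutorial, enabling ICMP inspection in the ASA's default global policy makes the firewall track each outbound echo request as a session and let only the matching echo reply back in, so no inbound permit rule is needed for the ping to succeed. `global_policy` and `inspection_default` are the names the ASA creates by default; the sequence assumes they have not been renamed.

```cisco
! Added example (not from the tutorial): replace the blanket inbound ACL with ICMP inspection.

! Detach and delete the tutorial's permit-any access list on the outside interface.
no access-group ASA in interface outside
clear configure access-list ASA

! Enable ICMP inspection in the default global policy. Echo replies for pings
! started from inside are matched to their request and allowed back; ICMP error
! inspection also translates the embedded headers of error messages (for example
! TTL-expired replies to traceroute). Unsolicited traffic arriving on the outside
! interface stays denied by the ASA's default behaviour.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
```

While a ping from PC-A is running, `show conn` lists the ICMP session the inspection created, and `show service-policy inspect icmp` shows the inspection counters, which confirms the replies are being admitted by state rather than by an open access list.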




1 comment:

Anonymous said...

Thanks for the tutorial, I just have a note about a typo in this line, I think it's IPv4:
To handle a shortage of IPv6 addresses

Thanks 👍
