Sunday 18 December 2022

How to configure ASA Firewall Dynamic NAT?

Network address translation

NAT is the method of translation of a private IP address into a public IP address. In order to communicate with the internet, we must have a registered public IP address.

Address translation was originally developed to solve two problems:

  • To handle a shortage of IPv6 addresses
  • Hide network addressing schemes.

Types of NAT: -

  • Static NAT
  • Dynamic NAT
  • Port Address Translation (PAT)

Static NAT- a one-to-one mapping that is configured manually: each private IP that needs one is tied to a fixed registered (public) IP address.

Dynamic NAT- a one-to-one mapping that is made automatically: each private IP that needs one is given a registered IP address from a pool for the duration of its translation.

Port address translation (Dynamic NAT Overload)- Allows thousands of users to connect to the internet using only one real global IP address. Maps many to one by using different ports. PAT is the real reason we haven’t run out of valid IP addresses on the internet.

Just like the Cisco IOS routers, we can configure NAT / PAT on our Cisco ASA firewall.

I'm assuming that you already know about NAT, if you don't, please click here 

Let's configure dynamic NAT: -

Topology: -

Goal: -

  • configure topology as per the diagram 
  • configure an IP address on ISP router 
  • configure VLANs on ASA firewall
  • configure DHCP on the ASA firewall for inside 
  • configure a static route for VLAN 1 (inside)
  • configure Dynamic NAT on the ASA for VLAN 1
  • make sure PC-A can ping web server

ISP-ROUTER(config)#interface gigabitEthernet 0/0
ISP-ROUTER(config-if)#ip address
ISP-ROUTER(config-if)#no shutdown 

ISP-ROUTER(config)#interface gigabitEthernet 0/1
ISP-ROUTER(config-if)#ip address
ISP-ROUTER(config-if)#no shutdown 

ciscoasa(config)#interface vlan 1
ciscoasa(config-if)#ip address
ciscoasa(config-if)#nameif inside
ciscoasa(config-if)#security-level 100

ciscoasa(config)#interface ethernet 0/2
ciscoasa(config-if)#switchport access vlan 1

ciscoasa(config)#interface vlan 2
ciscoasa(config-if)#ip address
ciscoasa(config-if)#nameif outside
ciscoasa(config-if)#security-level 0
ciscoasa(config-if)#no shutdown

ciscoasa(config)#interface vlan 3
ciscoasa(config-if)#no forward interface vlan 1
ciscoasa(config-if)#ip address
ciscoasa(config-if)#nameif dmz

INFO: Security level for "dmz" set to 0 by default.

ciscoasa(config-if)#security-level 50

ciscoasa(config)#interface ethernet 0/1
ciscoasa(config-if)#switchport access vlan 3

ciscoasa#show interface ip brief 
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                YES manual up                    up
Vlan2             YES manual up                    up
Vlan3                YES manual up                    up

ciscoasa#show ip address 
System IP Addresses:
Interface             Name                 IP address      Subnet mask     Method
Vlan1                 inside            manual
Vlan2                 outside       manual
Vlan3                 dmz               manual

Current IP Addresses:
Interface             Name                 IP address      Subnet mask     Method
Vlan1                 inside            manual
Vlan2                 outside       manual
Vlan3                 dmz               manual

ciscoasa#show switch vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    inside                           up        Et0/2, Et0/3, Et0/4, Et0/5
                                                Et0/6, Et0/7
2    outside                          up        Et0/0
3    dmz                              up        Et0/1

ciscoasa(config)#dhcpd address inside
ciscoasa(config)#dhcpd dns interface inside
ciscoasa(config)#dhcpd enable inside

(Verify that PC-A, PC-B and PC-C receive their IP configuration from the ASA firewall's DHCP server)

ciscoasa(config)#route outside

ciscoasa(config)#object network inside
ciscoasa(config-network-object)#nat (inside,outside) dynamic interface

ciscoasa(config)#access-list ASA extended permit tcp any any
ciscoasa(config)#access-list ASA extended permit icmp any any
ciscoasa(config)#access-group ASA in interface outside

(The ICMP entry is what lets the ping replies from the web server back in to PC-A, because the ASA does not track ICMP statefully unless `inspect icmp` is enabled. The `permit tcp any any` entry is not needed for the return traffic of outbound connections, which the stateful inspection already allows; it opens all inbound TCP on the outside interface and suits a lab only.)
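One point worth seeing in code: the `nat (inside,outside) dynamic interface` statement above maps every inside host to the single outside interface address, which is the many-to-one PAT behaviour from the NAT-types section, not a one-to-one pool. The Python model below is an added illustration, not the tutorial's or Cisco's code; it uses constructed RFC 5737 addresses and shows pool exhaustion in one-to-one dynamic NAT next to port-keyed interface PAT, including why an unsolicited inbound packet finds no translation.

```python
# Constructed lab addressing (assumption, not the tutorial's addressing).
INSIDE_HOSTS = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
POOL = ["203.0.113.10", "203.0.113.11"]   # dynamic NAT pool: only two globals
OUTSIDE_IF = "203.0.113.1"                # address used by "dynamic interface"


class DynamicNat:
    """One-to-one dynamic NAT: each inside host takes the next free pool address."""

    def __init__(self, pool):
        self.free = list(pool)
        self.xlate = {}                   # inside ip -> global ip

    def translate(self, src):
        if src in self.xlate:             # existing xlate is reused
            return self.xlate[src]
        if not self.free:                 # pool exhausted: no xlate, packet dropped
            return None
        self.xlate[src] = self.free.pop(0)
        return self.xlate[src]


class InterfacePat:
    """Many-to-one PAT on one global address, distinguishing flows by port."""

    def __init__(self, global_ip, first_port=1024):
        self.global_ip = global_ip
        self.next_port = first_port
        self.out = {}                     # (inside ip, inside port) -> global port
        self.back = {}                    # global port -> (inside ip, inside port)

    def translate(self, src, sport):
        key = (src, sport)
        if key not in self.out:           # new flow: allocate the next global port
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return self.global_ip, self.out[key]

    def untranslate(self, dport):
        # Inbound traffic is only forwarded when it matches an existing xlate;
        # a packet to an unallocated port has no inside destination and is dropped.
        return self.back.get(dport)


def demo_dynamic_nat():
    nat = DynamicNat(POOL)
    return [nat.translate(h) for h in INSIDE_HOSTS]   # third host gets None


def demo_pat():
    pat = InterfacePat(OUTSIDE_IF)
    flows = [pat.translate(h, 40000) for h in INSIDE_HOSTS]
    return flows, pat.untranslate(1025), pat.untranslate(5000)
```

On a real ASA the equivalent check is `show xlate` after PC-A has pinged the web server.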

1 comment:

Anonymous said...

Thanks for the tutorial, I just have a note about a typo in this line, I think it's IPv4:
To handle a shortage of IPv6 addresses

Thanks 👍
