Thursday 22 December 2022

What is ASA Firewall Static NAT? How to configure Static Network Address Translation

Static Network Address Translation

Static NAT –

Static NAT maps a single private (unregistered) IP address to a single public (registered) IP address, one-to-one.

Because every device needs its own public address, this does not scale to organizations with many devices. We use it in web hosting or in home networks.

In the previous blog, we saw dynamic NAT, where the inside network can access the outside. Now the outside wants to reach our DMZ server. Let's see how to configure it.

Topology:

(topology diagram)
Goal:

  • configure the topology as per the diagram 
  • configure the IP addresses to their interfaces 
  • configure security zones and levels 
  • configure access lists 
  • configure Static NAT 
  • make sure PCs can reach servers 


INSIDE-ROUTER(config)#interface gigabitEthernet 0/0/1
INSIDE-ROUTER(config-if)#ip address 10.1.1.1 255.0.0.0
INSIDE-ROUTER(config-if)#no shutdown 
INSIDE-ROUTER(config-if)#exit

%LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up

DMZ-ROUTER(config)#interface gigabitEthernet 0/0/1
DMZ-ROUTER(config-if)#ip address 20.1.1.1 255.0.0.0
DMZ-ROUTER(config-if)#no shutdown 
DMZ-ROUTER(config-if)#exit

%LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up

DMZ-ROUTER(config)#interface gigabitEthernet 0/0/0
DMZ-ROUTER(config-if)#ip address 192.168.2.1 255.255.255.0
DMZ-ROUTER(config-if)#no shutdown 
DMZ-ROUTER(config-if)#exit

%LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to up


OUTSIDE-ROUTER(config)#interface gigabitEthernet 0/0/1
OUTSIDE-ROUTER(config-if)#ip address 30.1.1.1 255.0.0.0
OUTSIDE-ROUTER(config-if)#no shutdown 
OUTSIDE-ROUTER(config-if)#exit

%LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up



CISCO-ASA(config)#interface gigabitEthernet 1/1
CISCO-ASA(config-if)#ip address 192.168.1.2 255.255.255.0
CISCO-ASA(config-if)#no shutdown 
CISCO-ASA(config-if)#nameif inside 
CISCO-ASA(config-if)#security-level 100
CISCO-ASA(config-if)#exit

CISCO-ASA(config)#interface gigabitEthernet 1/3
CISCO-ASA(config-if)#ip address 192.168.2.2 255.255.255.0
CISCO-ASA(config-if)#no shutdown 
CISCO-ASA(config-if)#nameif dmz

INFO: Security level for "dmz" set to 0 by default.

CISCO-ASA(config-if)#security-level 50
CISCO-ASA(config-if)#exit

CISCO-ASA(config)#interface gigabitEthernet 1/2
CISCO-ASA(config-if)#ip address 192.168.3.2 255.255.255.0
CISCO-ASA(config-if)#no shutdown 
CISCO-ASA(config-if)#nameif outside
CISCO-ASA(config-if)#security-level 0
CISCO-ASA(config-if)#exit

INSIDE-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
INSIDE-ROUTER(config)#exit

DMZ-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2 
DMZ-ROUTER(config)#exit

OUTSIDE-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.2
OUTSIDE-ROUTER(config)#exit

CISCO-ASA(config)#route inside 192.168.1.0 255.255.255.0 192.168.1.1
CISCO-ASA(config)#route dmz 192.168.2.0 255.255.255.0 192.168.2.1
CISCO-ASA(config)#route outside 192.168.3.0 255.255.255.0 192.168.3.1
CISCO-ASA(config)#route inside 10.0.0.0 255.0.0.0 192.168.1.1
CISCO-ASA(config)#route dmz 20.0.0.0 255.0.0.0 192.168.2.1
CISCO-ASA(config)#route outside 30.0.0.0 255.0.0.0 192.168.3.1
CISCO-ASA(config)#exit

Each route names the ASA interface that faces its next hop: 10.0.0.0/8 sits behind the inside router, 20.0.0.0/8 behind the DMZ router and 30.0.0.0/8 behind the outside router. The first three routes cover subnets the ASA is already directly connected to, so they are not strictly required.



CISCO-ASA(config)#access-list traffic_outside permit icmp any any 
CISCO-ASA(config)#access-list traffic_dmz permit icmp any any 

CISCO-ASA(config)#access-group traffic_outside in interface outside
CISCO-ASA(config)#access-group traffic_dmz in interface dmz

CISCO-ASA(config)#object network inside-outside-nat
CISCO-ASA(config-network-object)#host 192.168.1.1
CISCO-ASA(config-network-object)#nat (inside,outside) static 110.1.1.1
CISCO-ASA(config-network-object)#exit

CISCO-ASA(config)#object network dmz-outside-nat
CISCO-ASA(config-network-object)#host 192.168.2.1
CISCO-ASA(config-network-object)#nat (dmz,outside) static 111.1.1.1
CISCO-ASA(config-network-object)#exit

CISCO-ASA#show nat

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static dmz-outside-nat 111.1.1.1
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static inside-outside-nat 110.1.1.1
    translate_hits = 0, untranslate_hits = 0

{ ping PC 0 to PC 2 (inside to outside) }

{ ping PC 1 to PC 2 (DMZ to outside) }

{ Now ping from PC 2 to SERVER (outside to DMZ) }