NAT (Network Address Translation) translates private IP addresses into public IP addresses by rewriting the source or destination IP address (and, for PAT, the port) of packets as they pass through. Address translation reduces the need for public IPv4 addresses, and it also keeps the private address ranges from appearing on the outside; keep in mind that this hiding is not a security boundary on its own, the access control still comes from the ASA's security levels and access-lists. NAT generally operates on a router or firewall. In the previous post we configured SNAT, DNAT and PAT on a router; now we are going to configure PAT on the ASA firewall.
Port Address Translation (PAT) is also known as dynamic NAT overload. PAT lets thousands of users reach the internet through a single registered public IP address: it maps many private addresses to one public address by rewriting the source port (or, for ICMP, the identifier) to a unique value, and that translated port is what the firewall uses to match each returning packet to the inside host that sent it. PAT is one of the main reasons IPv4 has not run out of usable addresses, and it is cost-effective because only one public IP is needed. One consequence to note: an outside host cannot initiate a connection to an inside host through a PAT address, because there is no translation entry for its packets to match unless a static NAT is added.
Let's configure PAT on the ASA firewall:
Topology:
- configure the topology as per the diagram
- configure the IP addresses as per the topology
- configure an access-list that permits ICMP traffic from the lower security level to the higher security level (the echo replies returning from OUTSIDE); outbound echo requests from a higher to a lower level are allowed by default, but the replies are not unless an ACL or ICMP inspection allows them
- apply the access-list to the OUTSIDE interface
- configure a network object for each private subnet
- configure the PAT statement (object NAT) under each network object
(On PC 1)
PC1> ip 192.168.1.10 255.255.255.0 192.168.1.1
Checking for duplicate addresses...
PC1 : 192.168.1.10 255.255.255.0 gateway 192.168.1.1
(On PC2)
PC2> ip 192.168.2.10 255.255.255.0 192.168.2.1
Checking for duplicate addresses...
PC2 : 192.168.2.10 255.255.255.0 gateway 192.168.2.1
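The ASA side of the procedure above, as an added example that is not part of the original post. The interface names INSIDE, DMZ and OUTSIDE and the addresses 192.168.1.1, 192.168.2.1 and 101.1.1.1 are taken from the post's outputs; the physical interface IDs, the security levels, the OUTSIDE subnet mask, the default-route next hop 101.1.1.2 and the object and ACL names are assumptions for this lab. The NAT syntax is the object NAT form used on ASA 8.3 and later.

```cisco
! Added example (not from the original post). Interface IDs, security
! levels, the OUTSIDE mask, the next hop 101.1.1.2 and the object/ACL
! names are assumptions; nameif values and host addresses match the post.
hostname ciscoasa
!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif OUTSIDE
 security-level 0
 ip address 101.1.1.1 255.255.255.0
 no shutdown
!
route OUTSIDE 0.0.0.0 0.0.0.0 101.1.1.2
!
! Network objects for the two private subnets. The "dynamic interface"
! keyword under each object is the PAT statement: every host in the
! subnet is translated to the OUTSIDE interface address 101.1.1.1 with a
! unique source port (or ICMP identifier) per flow.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic interface
!
object network DMZ-NET
 subnet 192.168.2.0 255.255.255.0
 nat (DMZ,OUTSIDE) dynamic interface
!
! Access-list applied inbound on the lower-security OUTSIDE interface.
! Echo requests leaving INSIDE/DMZ are allowed by the security levels,
! but the echo replies come back low-to-high and would be dropped
! without this. Permit only reply and error types, not "icmp any any".
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-group OUTSIDE-IN in interface OUTSIDE
!
! Verification, from privileged EXEC mode after the PCs have pinged out:
!   show nat detail
!   show xlate
!   packet-tracer input INSIDE icmp 192.168.1.10 8 0 8.8.8.8
```

Two notes on the design. First, the access-list is the approach the post's step list describes; the alternative is to enable ICMP inspection (`inspect icmp` under `class inspection_default` in `policy-map global_policy`), which makes ICMP stateful so the replies are matched to the outbound requests and no inbound ACL entry is needed. Second, a packet that arrives on OUTSIDE for 101.1.1.1 without a matching xlate entry is dropped even though the ACL permits the ICMP type, which is why a PAT-only address is not reachable from the internet; `packet-tracer` is the quickest way to confirm both the NAT phase and the ACL phase for a given flow.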
(From PC 2)
(As you can see from the pings, both the INSIDE host and the DMZ host can reach OUTSIDE)
(From the ASA; each ICMP PAT entry below maps the host's ICMP identifier to a unique port on 101.1.1.1, the flags "ri" mean a dynamic portmap translation, and the entries age out after 30 seconds idle)
ciscoasa# show xlate
10 in use, 15 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
ICMP PAT from DMZ:192.168.2.10/2689 to OUTSIDE:101.1.1.1/61018 flags ri idle 0:00:02 timeout 0:00:30
ICMP PAT from DMZ:192.168.2.10/2433 to OUTSIDE:101.1.1.1/25249 flags ri idle 0:00:03 timeout 0:00:30
ICMP PAT from DMZ:192.168.2.10/2177 to OUTSIDE:101.1.1.1/28580 flags ri idle 0:00:04 timeout 0:00:30
ICMP PAT from DMZ:192.168.2.10/1921 to OUTSIDE:101.1.1.1/6494 flags ri idle 0:00:05 timeout 0:00:30
ICMP PAT from DMZ:192.168.2.10/1665 to OUTSIDE:101.1.1.1/14856 flags ri idle 0:00:06 timeout 0:00:30
ICMP PAT from INSIDE:192.168.1.10/2177 to OUTSIDE:101.1.1.1/21203 flags ri idle 0:00:05 timeout 0:00:30
ICMP PAT from INSIDE:192.168.1.10/1665 to OUTSIDE:101.1.1.1/1845 flags ri idle 0:00:06 timeout 0:00:30
ICMP PAT from INSIDE:192.168.1.10/1409 to OUTSIDE:101.1.1.1/63559 flags ri idle 0:00:07 timeout 0:00:30
ICMP PAT from INSIDE:192.168.1.10/897 to OUTSIDE:101.1.1.1/56354 flags ri idle 0:00:08 timeout 0:00:30
ICMP PAT from INSIDE:192.168.1.10/385 to OUTSIDE:101.1.1.1/51849 flags ri idle 0:00:08 timeout 0:00:30
ciscoasa# show nat pool
UDP PAT pool INSIDE, address 0.0.0.0, range 1-511, allocated 0
UDP PAT pool INSIDE, address 0.0.0.0, range 512-1023, allocated 0
UDP PAT pool INSIDE, address 0.0.0.0, range 1024-65535, allocated 4
UDP PAT pool DMZ, address 192.168.2.1, range 1-511, allocated 0
UDP PAT pool DMZ, address 192.168.2.1, range 512-1023, allocated 0
UDP PAT pool DMZ, address 192.168.2.1, range 1024-65535, allocated 4
UDP PAT pool OUTSIDE, address 0.0.0.0, range 1-511, allocated 0
UDP PAT pool OUTSIDE, address 0.0.0.0, range 512-1023, allocated 0
UDP PAT pool OUTSIDE, address 0.0.0.0, range 1024-65535, allocated 4
ICMP PAT pool OUTSIDE, address 101.1.1.1, range 1-511, allocated 0
ICMP PAT pool OUTSIDE, address 101.1.1.1, range 512-1023, allocated 0
ICMP PAT pool OUTSIDE, address 101.1.1.1, range 1024-65535, allocated 0
(Thank you so much for visiting; please watch our YouTube videos)
https://youtube.com/@internetworkss