![]() Note that this translation will be active for as long as the connection is active when the Telnet session is ended, the translation will be removed (after the timeout). We can use the show xlate command on the ASA to see this translation: The best way to test our configuration will be to open a Telnet connection from INSIDE-PC to DMZ-RTR and use the who command to check our IP address:Īs you can see, the real IP address of INSIDE-PC (10.0.0.100) was translated to one of the addresses in the pool of mapped addresses (172.16.1.153) when it initiated the Telnet connection. Therefore, we can read the NAT configuration above as follows: w hen IP addresses configured under the REAL_INSIDE network object are going from the inside interface to the dmz interface, they should be dynamically translated to the MAPPED_INSIDE network object. Tip: Since you configure NAT under the ‘real’ network object, it is usually faster (less typing) to first create the ‘mapped’ network object and then create the ‘real’ network object and finally apply the NAT configuration. The difference between dynamic and static translation is that traffic initiation in one is unidirectional while the other can be bidirectional. Finally, we specified the “dynamic” keyword to tell the ASA that this should be a dynamic translation versus a static translation. Secondly, notice that we specified the real (‘inside’) and mapped (‘dmz’) interfaces. First, notice that Network Object NAT is configured under a network object (hence the name) – it is configured under the network object that defines the real addresses. There are a couple of things to discuss in the configuration above. Finally, we configure our NAT rule to tie both of them together. how the inside network should be seen on the ‘dmz’). Then, we will also create a network object for the mapped addresses (i.e. So how do we configure it? First, we need to create a network object for the real addresses (i.e. Dynamic NAT is suitable in this kind of scenario. ![]() However, for security reasons, we don’t want to reveal the real IP addresses of those ‘inside’ users to the DMZ. Some users on the ‘inside’ will frequently need to access some servers in the ‘dmz’. Imagine you have a network with three sides as in our lab setup: inside, dmz and outside. Let’s talk about a real world application of Dynamic NAT. Note: “Real” typically means the IP address(es) of a host/network before translation while “mapped” means the IP address(es) after translation (as seen on the destination network). Usually, the mapped addresses are fewer (in number) than the real addresses however, this is based on your traffic expectation. Note: All devices shown in the lab setup are simulated in GNS3 and the INSIDE-PC is a router because it just makes testing easier.ĭynamic NAT allows translating a group of real addresses to a pool of mapped addresses. I used GNS3 in this article and my lab setup is as shown below: To keep things simple, we will begin with Network Object NAT and then consider Twice NAT in another article. We will now begin looking at different NAT types and see how they can be configured on the Cisco ASA. However, if you will be doing basic NAT operations, Network Object NAT is easier and recommended by Cisco. Starting with ASA version 8.3, NAT can be implemented in two ways on the Cisco ASA:Īpart from the way they are configured, the simplest way to understand the difference between these two forms of NAT implementation is that Twice NAT supports more complex NAT scenarios than Network Object NAT.įor example, if you want to translate an IP address to IP_A when going to Destination_A but the same IP address to IP_B when going to Destination_B, then you need Twice NAT. Side talk: don’t tell the customer but I once downgraded a customer’s firewall from ASA version 8.3 to 8.2 just so I didn’t have to worry about the NAT syntax change. ![]() These are not formal definitions but if you are familiar with the Cisco ASA, then you know things changed drastically between ASA version 8.2 and 8.3, one of them being NAT. The same way we have before Christ (BC) and anno Domini (AD) when talking about calendar dates, we have two main “eras” when talking about the Cisco ASA: pre-8.3 and 8.3+. The current Cisco ASA models (now with FirePOWER services) include:Īlthough NAT can be defined more as a functional feature (translating a private IP address space to a smaller public IP address space), it can also be seen as a security feature (hiding real IP addresses). In the simplest form, the Adaptive Security Appliance ( ASA) is Cisco’s implementation of a firewall and one of the fundamental functions of a firewall is to sit between internal and external nodes and provide security. I will assume the readers of this article know what NAT and the Cisco ASA are, so I will just give an overview. In this article, we will be looking at Network Address Translation ( NAT) on the Cisco ASA.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |