Thursday, April 20, 2017

Static inside NAT On Cisco ASA

Static inside NAT creates a permanent, fixed translation between a local address and a global address. The translation survives reboots and has no idle timer, so it never expires.

Because a static translation is always active, hosts on less secure networks can initiate connections to the statically translated local hosts, as long as the access list rules on the ASA permit that traffic.

Recall that the following pieces of information are required every time you want to configure NAT on Cisco ASA:
  • original source IP address (and port) in the packet
  • interface where the original packet enters the ASA (ingress interface)
  • interface where the packet will exit the ASA (egress interface)
  • translated address (and, optionally, port) to insert into the packet
Do you remember the "nat" and "global" commands used to configure PAT on Cisco ASA? Static inside NAT is different: all of the required pieces of information listed above are defined in a single command.

Example configuration (taken from Ciscopress):


In this example, two servers (172.16.0.5 and 172.16.0.10) are located in a DMZ zone and need to be reachable from the outside via two distinct global IP addresses (209.165.200.229 and 209.165.200.228). The following two commands allow the FTP server (172.16.0.10) to be reached via the global address 209.165.200.229 and the web server (172.16.0.5) via the global address 209.165.200.228. Notice the order of things in this "static" command: inside the parentheses, we have first the name of the zone where the FTP and web servers are located, then the name of the zone the traffic originates from (here, the outside). After the parentheses come the global IP address and then the local address. The netmask is 255.255.255.255 because we are dealing with a single host's IP address (172.16.0.5).

(config)#static (DMZ,outside) 209.165.200.228 172.16.0.5 netmask 255.255.255.255
(config)#static (DMZ,outside) 209.165.200.229 172.16.0.10 netmask 255.255.255.255
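To show where the access list mentioned earlier fits, here is the post's two-server scenario carried through to a complete inbound policy in the same pre-8.3 syntax. This is an added example, not the Ciscopress configuration the post quotes; the DMZ interface, its security level and address, the ACL name OUTSIDE_IN, and the choice to expose only FTP (tcp/21) and HTTP (tcp/80) are assumptions.

```cisco
! Added example (not from the original post or Ciscopress).
! Assumed: DMZ interface, security level 50, DMZ address 172.16.0.1,
! ACL name OUTSIDE_IN, and that only FTP and HTTP should be reachable.
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
! Static inside NAT: (real_ifc,mapped_ifc) mapped_ip real_ip
! One fixed, non-expiring translation per server.
static (DMZ,outside) 209.165.200.228 172.16.0.5  netmask 255.255.255.255
static (DMZ,outside) 209.165.200.229 172.16.0.10 netmask 255.255.255.255
!
! The static entries alone do not admit traffic from the lower-security
! outside interface. An inbound ACL must permit it, and in pre-8.3 code
! that ACL matches the translated (global) addresses, not the real ones.
! Only the services each server must expose are permitted; everything
! else is dropped by the implicit deny at the end of the list.
access-list OUTSIDE_IN extended permit tcp any host 209.165.200.228 eq www
access-list OUTSIDE_IN extended permit tcp any host 209.165.200.229 eq ftp
access-group OUTSIDE_IN in interface outside
!
! Verify the translations are installed and inbound hits are counted:
! show xlate
! show access-list OUTSIDE_IN
```

The default global policy already applies `inspect ftp`, which is what lets the FTP data connections through without opening additional ports.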


