Because static translation always stays active, hosts from less secure networks can initiate communications to the statically translated local hosts, as long as the access list rules on the ASA permit such traffic
Recall that the following pieces of information are required every time you want to configure NAT on Cisco ASA :
- original source IP address (and port) in the packet
- interface where the original packet enters the ASA (ingress interface)
- interface where the packet will exit the ASA (egress interface)
- translated address (and, optionally, port) to insert into the packet
example of configuration (taken from Ciscopress):
In this example, we have 2 servers (172.16.0.5 and 172.16.0.10) located in a DMZ zone and need to be accessed from the outside via 2 distinct global IP addresses (209.165.200.229 and 209.165.200.228). Typing the following 2 lines of commands will allow the FTP server (172.16.0.10) be accessed via the global address 209.165.200.229 and the web server be accessed via the global address 209.165.200.228. Notice the order of thinks of this "static" command : in braket, we have first the zone name of where the FTP and web servers are located. Then the zone name of the source of the traffic (traffic is going to be originated from the outside). After the braket, followed the global IP address then the local address. Here the netmask here is 255.255.255.255 because we are dealing with a host's IP address (172.16.0.5)
(config)#static (DMZ,outside) 209.165.200.228 172.16.0.5 netmask 255.255.255.255
(config)#static (DMZ,outside) 209.165.200.229 172.16.0.10 netmask 255.255.255.255
No comments:
Post a Comment