For an ASA to perform translations, 4 pieces of information are required (if of the following 4 parameters are missing, the ASA will not perform address translation) :
- original source IP address (and port) in the packet
- interface where the original packet enters the ASA (ingress interface)
- interface where the packet will exit the ASA (egress interface)
- translated address (and, optionally, port) to insert into the packet
- dynamic NAT (use for client systems when you have a large enough pool of available global IP addresses to support assignment to clients)
- dynamic PAT (use for client systems when your global pool contains fewer IP addresses than there are hosts requiring translation and you therefore must perform assignment in a many-to-one manner
- static NAT (use for server systems that require inbound (or bidirectional) connectivity over NAT and you have enough global IP addresses to allow each servers its specific, fixed address)
- static PAT (use for server systems that require only inbound connectivity over NAT and you do not have enough global IP address to allow each server its own specific, fixed address. Also use it when a single global IP address is shared by many internal servers, each supporting applications on different listening ports)
- Policy NAT (use when you need translation to depend ACL for specific traffic flows
EXAMPLE 1 ON DYNAMIC PAT FROM CISCOPRESS
(config)#nat (inside) 5 10.0.0.0 255.255.255.0 tcp 0 0 udp 0
(config)#nat (DMZ) 5 172.16.0.0 255.255.255.0 tcp 0 0 udp 0
(config)#global (DMZ) 5 172.16.0.254 netmask 255.255.255.255
(config)#global (outside) 5 interface
This example has :
- 2 "nat" commands are used
- 2 "global commands are used
- The 4 lines are mapped toghether using NAT ID 5
"global" command is used to specify the translated IP address or the mapped IP address (here traffic going to the DMZ will use as translated IP address 172.16.0.254 AND traffic going to external networks will use as translated IP address the one in the outside interface)
"5" the number 5 in red color is the NAT ID and it's used to bind those 4 lines of commands together
"tcp 0 0 udp 0" These tcp 0 0 and udp 0 set the connection limits. TCP 0 0 : the first 0 represents TCP-MAX-CONNECTION and 0 means unlimited tcp connections. The second 0 of the TCP 0 0 represents TCP embryonic connection (which is in the TCP connection in process of being established) and 0 means unlimited tcp embryonic connections. UDP 0 represent the number of udp connections and 0 means unlimited UDP connections. Note that it's optional to specify these "tcp 0 0 udp 0" when configuring.
EXAMPLE 2 ON DYNAMIC NAT AND PAT TAKEN FROM CISCO WEBSITE
(config)#nat (inside) 1 10.1.2.0 255.255.255.0
(config)#nat (dmz) 1 10.1.1.0 255.255.255.0
(config)#global (outside) 1 209.165.201.3-209.165.201.10
(config)#global (dmz) 1 10.1.1.23
This example has :
- 2 "nat" commands are used
- 2 "global" commands are used
- The 4 lines are mapped togheter using the NAT ID 1
In these example, translation is possible when traffic comes from the inside interface (subnet 10.1.2.0) to the externale networks OR to the dmz zone AND from the dmz interface (subnet 10.1.1.0) to the external networks. On the outside interface, we have a pool of translated IP address (209.165.201.3-209.165.201.4). On the DMZ interface, the translated IP address is 10.1.1.23
------------------------------------------------------------------------------------------------------
I will be honored to read your comment about this post. Please feel free to leave one ☺ And if you have a Cisco IOS, Firewall ASA Or Mircrorsoft server infrastructure topic you would like me to add in this blog, i will be more than happy to know which one ☺
-------------------------------------------------------------------------------------------------------
No comments:
Post a Comment