
Configuring Manual NAT on Cisco ASA 8.3 and Later

Posted on November 11, 2012 by Derrick

In this post, I'm going to walk through the configuration of Manual NAT on Cisco ASA 8.3 and later. In my previous post, I walked through the configuration of Auto NAT on the ASA. I'll use the same topology that I left off with in my previous post to demonstrate Manual NAT:

What is Manual NAT and why is it necessary? Manual NAT is the configuration of a NAT rule using nat statements entered directly in global configuration rather than under a network object within the ASA. It's necessary because the ASA's Auto NAT only allows NAT to be configured based on the source address, not the destination. In some cases, you may want to use a different mapped address depending on where the destination is. This is most common with VPN connections. Another use case is a partner network that will only allow traffic from you coming from a specific address or addresses. In that case, you'd want to use Manual NAT. In the following example, we're going to configure our INSIDE network to use Manual NAT. The inside subnet will be translated to the IP address 181.181.181.13 when it tries to reach the remote server 144.3.0.1. All other connections from the inside subnet will use the Auto NAT rule currently configured (Dynamic PAT) and be translated accordingly. Here's a look at our current configuration:
ASA-8dot4(config)# sh run object
object network PUB-ADDRESSES
 range 181.181.181.4 181.181.181.6
object network INSIDE-SUBNET
 subnet 10.10.10.0 255.255.255.0
object network DMZ-FTPSERVER
 host 172.16.10.44
object network DMZ-WWWSERVER
 host 172.16.10.22
ASA-8dot4(config)# sh run nat
!
object network INSIDE-SUBNET
 nat (inside,outside) dynamic interface
object network DMZ-FTPSERVER
 nat (dmz,outside) static 181.181.181.8
object network DMZ-WWWSERVER
 nat (dmz,outside) static 181.181.181.9

ASA-8dot4(config)# sh nat detail

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static DMZ-WWWSERVER 181.181.181.9
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 172.16.10.22/32, Translated: 181.181.181.9/32
2 (dmz) to (outside) source static DMZ-FTPSERVER 181.181.181.8
    translate_hits = 0, untranslate_hits = 4
    Source - Origin: 172.16.10.44/32, Translated: 181.181.181.8/32
3 (inside) to (outside) source dynamic INSIDE-SUBNET interface
    translate_hits = 39, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.1/28
ASA-8dot4(config)#

In the display above, notice that the Auto NAT rules are in Section 2 of the show nat detail output. Section 1 of the show nat detail output will appear once we configure Manual NAT. Manual NAT rules are placed in Section 1 of the NAT table unless the after-auto keyword is specified, which places them in Section 3, after the Auto NAT rules. To configure Manual NAT, we first create a network object for the destination address:
ASA-8dot4(config)# object network PARTNER-SERVER
ASA-8dot4(config-network-object)# host 144.3.0.1
ASA-8dot4(config-network-object)# exit
ASA-8dot4(config)#

Next we configure an object for the address to which our inside subnet will be translated. We'll use 181.181.181.13:

ASA-8dot4(config)# object network TRANSLATED-IP
ASA-8dot4(config-network-object)# host 181.181.181.13
ASA-8dot4(config-network-object)# exit
ASA-8dot4(config)#

We now configure our manual NAT rule:

ASA-8dot4(config)# nat (inside,outside) source dynamic INSIDE-SUBNET TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
ASA-8dot4(config)# sh run nat
nat (inside,outside) source dynamic INSIDE-SUBNET TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
!
object network INSIDE-SUBNET
 nat (inside,outside) dynamic interface
object network DMZ-FTPSERVER
 nat (dmz,outside) static 181.181.181.8
object network DMZ-WWWSERVER
 nat (dmz,outside) static 181.181.181.9
ASA-8dot4(config)#

We can now take a look at our NAT Table:


ASA-8dot4(config)# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic INSIDE-SUBNET TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.13/32
    Destination - Origin: 144.3.0.1/32, Translated: 144.3.0.1/32

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static DMZ-WWWSERVER 181.181.181.9
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 172.16.10.22/32, Translated: 181.181.181.9/32
2 (dmz) to (outside) source static DMZ-FTPSERVER 181.181.181.8
    translate_hits = 0, untranslate_hits = 4
    Source - Origin: 172.16.10.44/32, Translated: 181.181.181.8/32
3 (inside) to (outside) source dynamic INSIDE-SUBNET interface
    translate_hits = 39, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.1/28
ASA-8dot4(config)#

In the display above, we notice that we now have a rule in Section 1 of the NAT table. Also notice that there are no translate_hits up to this point. We will now test it by first pinging the PARTNER-SERVER (144.3.0.1) and then we'll attempt to telnet to the server from PC1.
PC1#
PC1#ping 144.3.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 144.3.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/25/52 ms
PC1#telnet 144.3.0.1
Trying 144.3.0.1 ... Open

User Access Verification

Username: networkingnut
Password:
INTERNET#sh tcp brief
TCB       Local Address           Foreign Address         (state)
6573C444  144.3.0.1.23            181.181.181.13.32572    ESTAB

INTERNET#who
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:39
  98 vty 0     networking idle                 00:00:00   181.181.181.13

  Interface    User               Mode         Idle     Peer Address

INTERNET#
INTERNET#exit

[Connection to 144.3.0.1 closed by foreign host]
PC1#

As you can see from the above display, our ping was successful. In addition, we were able to telnet to the Partner Server and run a few commands to prove that we were connecting via the IP address 181.181.181.13. We can take a look from the ASA to see that the translate_hits went from 0 to 6 (5 hits for the ping and 1 hit for the telnet session). We can also take a look at our translation table, which shows the translation from the inside host 10.10.10.11 to 181.181.181.13:
ASA-8dot4(config)# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic INSIDE-SUBNET TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
    translate_hits = 6, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.13/32
    Destination - Origin: 144.3.0.1/32, Translated: 144.3.0.1/32

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static DMZ-WWWSERVER 181.181.181.9
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 172.16.10.22/32, Translated: 181.181.181.9/32
2 (dmz) to (outside) source static DMZ-FTPSERVER 181.181.181.8
    translate_hits = 0, untranslate_hits = 4
    Source - Origin: 172.16.10.44/32, Translated: 181.181.181.8/32
3 (inside) to (outside) source dynamic INSIDE-SUBNET interface
    translate_hits = 39, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.1/28
ASA-8dot4(config)# sh xlate
3 in use, 5 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:172.16.10.22 to outside:181.181.181.9
    flags s idle 173:27:07 timeout 0:00:00
NAT from dmz:172.16.10.44 to outside:181.181.181.8
    flags s idle 173:12:15 timeout 0:00:00
TCP PAT from inside:10.10.10.11/22628 to outside:181.181.181.13/32572
    flags ri idle 0:00:08 timeout 0:00:30
ASA-8dot4(config)#

Our next test for Manual NAT is to verify that the inside host (10.10.10.11) will be translated using our Dynamic PAT rule in place when going to any other address aside from our Partner Server:
PC1#
PC1#telnet 144.2.0.1
Trying 144.2.0.1 ... Open

User Access Verification

Username: networkingnut
Password:
INTERNET#sh tcp brief
TCB       Local Address           Foreign Address         (state)
6565CEBC  144.3.0.1.23            181.181.181.13.32572    TIMEWAIT
6573C444  144.2.0.1.23            181.181.181.1.15854     ESTAB

INTERNET#exit

[Connection to 144.2.0.1 closed by foreign host]
PC1#

As you can see from the display above, the ESTAB connection is the translation from our Dynamic PAT rule. Lastly, I'll show an example of adding a Manual NAT rule to Section 3 of the NAT table using the after-auto keyword:
ASA-8dot4(config)# object network NEW-TRANSLATED-IP
ASA-8dot4(config-network-object)# host 181.181.181.14
ASA-8dot4(config-network-object)# exit
ASA-8dot4(config)# nat (inside,any) after-auto source dynamic INSIDE-SUBNET NEW-TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
ASA-8dot4(config)# sh run nat
nat (inside,outside) source dynamic INSIDE-SUBNET TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
!
object network INSIDE-SUBNET
 nat (inside,outside) dynamic interface
object network DMZ-FTPSERVER
 nat (dmz,outside) static 181.181.181.8
object network DMZ-WWWSERVER
 nat (dmz,outside) static 181.181.181.9
!
nat (inside,any) after-auto source dynamic INSIDE-SUBNET NEW-TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
ASA-8dot4(config)# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic INSIDE-SUBNET TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
    translate_hits = 7, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.13/32
    Destination - Origin: 144.3.0.1/32, Translated: 144.3.0.1/32

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static DMZ-WWWSERVER 181.181.181.9
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 172.16.10.22/32, Translated: 181.181.181.9/32
2 (dmz) to (outside) source static DMZ-FTPSERVER 181.181.181.8
    translate_hits = 0, untranslate_hits = 4
    Source - Origin: 172.16.10.44/32, Translated: 181.181.181.8/32
3 (inside) to (outside) source dynamic INSIDE-SUBNET interface
    translate_hits = 40, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.1/28

Manual NAT Policies (Section 3)
1 (inside) to (any) source dynamic INSIDE-SUBNET NEW-TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.14/32
    Destination - Origin: 144.3.0.1/32, Translated: 144.3.0.1/32
ASA-8dot4(config)#
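The three-section ordering is the whole point of this post: the Section 1 rule wins for inside-to-144.3.0.1 traffic, everything else from the inside subnet falls through to the Section 2 Dynamic PAT rule, and the after-auto rule in Section 3 is never reached because Section 1 already claims the same traffic (which is why it keeps showing zero hits). The script below is an added example, not part of the original post or any Cisco tooling: it parses show nat detail text into rule objects and walks them in table order to predict which rule a given flow would hit. The sample output is a constructed copy of the table above; the assumption that the rule index printed within a section reflects the order the ASA evaluates them is mine.

```python
"""Model ASA NAT table order (Section 1, 2, 3) from 'show nat detail' text."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, copied from the post's final 'show nat detail' output.
SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic INSIDE-SUBNET TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
    translate_hits = 7, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.13/32
    Destination - Origin: 144.3.0.1/32, Translated: 144.3.0.1/32

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static DMZ-WWWSERVER 181.181.181.9
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 172.16.10.22/32, Translated: 181.181.181.9/32
2 (dmz) to (outside) source static DMZ-FTPSERVER 181.181.181.8
    translate_hits = 0, untranslate_hits = 4
    Source - Origin: 172.16.10.44/32, Translated: 181.181.181.8/32
3 (inside) to (outside) source dynamic INSIDE-SUBNET interface
    translate_hits = 40, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.1/28

Manual NAT Policies (Section 3)
1 (inside) to (any) source dynamic INSIDE-SUBNET NEW-TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.14/32
    Destination - Origin: 144.3.0.1/32, Translated: 144.3.0.1/32
"""

SECTION_RE = re.compile(r"^(Manual|Auto) NAT Policies \(Section (\d)\)")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (.*)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
ORIGIN_RE = re.compile(r"^(Source|Destination) - Origin: (\S+), Translated: (\S+)$")


@dataclass
class NatRule:
    section: int                      # 1 = manual, 2 = auto, 3 = manual after-auto
    index: int                        # position printed within the section
    src_if: str                       # real (ingress) interface, or "any"
    dst_if: str                       # mapped (egress) interface, or "any"
    kind: str                         # "static" or "dynamic" source translation
    text: str                         # the rule line as printed
    translate_hits: int = 0
    untranslate_hits: int = 0
    src_origin: Optional[ipaddress.IPv4Network] = None
    src_translated: Optional[ipaddress.IPv4Address] = None
    dst_origin: Optional[ipaddress.IPv4Network] = None   # None for Auto NAT rules


def parse_show_nat(text: str) -> List[NatRule]:
    """Turn 'show nat detail' output into NatRule objects, in printed order."""
    rules: List[NatRule] = []
    section, current = 0, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = int(m.group(2))
        elif m := RULE_RE.match(line):
            current = NatRule(section, int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), line)
            rules.append(current)
        elif m := HITS_RE.search(line):
            current.translate_hits = int(m.group(1))
            current.untranslate_hits = int(m.group(2))
        elif m := ORIGIN_RE.match(line):
            net = ipaddress.ip_network(m.group(2))
            if m.group(1) == "Source":
                current.src_origin = net
                # For an interface PAT rule the ASA prints the interface
                # subnet (181.181.181.1/28); the host part is the PAT address.
                current.src_translated = ipaddress.ip_interface(m.group(3)).ip
            else:
                current.dst_origin = net
    return rules


def lookup(rules: List[NatRule], ingress: str, src: str, dst: str
           ) -> Tuple[Optional[NatRule], ipaddress.IPv4Address]:
    """First-match walk in table order: Section 1, then 2, then 3.
    Assumption: the printed index is the evaluation order within a section."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: (r.section, r.index)):
        if rule.src_if not in (ingress, "any") or src_ip not in rule.src_origin:
            continue
        if rule.dst_origin is not None and dst_ip not in rule.dst_origin:
            continue
        return rule, rule.src_translated
    return None, src_ip   # no rule: packet leaves untranslated


def unused_rules(rules: List[NatRule]) -> List[Tuple[int, int]]:
    """(section, index) of rules with no hits in either direction; a
    candidate for being shadowed by an earlier rule, as the after-auto rule is."""
    return [(r.section, r.index) for r in rules
            if r.translate_hits == 0 and r.untranslate_hits == 0]


if __name__ == "__main__":
    table = parse_show_nat(SAMPLE_SHOW_NAT)
    for flow in (("inside", "10.10.10.11", "144.3.0.1"),
                 ("inside", "10.10.10.11", "144.2.0.1")):
        rule, mapped = lookup(table, *flow)
        print(f"{flow[1]} -> {flow[2]}: section {rule.section} rule {rule.index}, "
              f"mapped source {mapped}")
    print("rules with zero hits:", unused_rules(table))
```

Running it against the sample table reports the PC1-to-144.3.0.1 flow hitting Section 1 rule 1 (mapped to 181.181.181.13) and the PC1-to-144.2.0.1 flow hitting Section 2 rule 3 (mapped to the interface address 181.181.181.1), and lists only the Section 3 rule as hitless, matching the counters the ASA showed. Feeding it two captured snapshots and diffing translate_hits per rule is a quick way to confirm a new Manual NAT rule actually carries traffic rather than sitting shadowed behind an earlier one.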

Source: http://www.networkingnut.net/configuring-manual-nat-on-cisco-asa8-3-andlater/
