Cisco ASA Firewall NAT


Experimental topology

Software versions: GNS3 0.8.6, ASA image 8.0(2)



Experimental environment


R1 and R2 simulate the company intranet; R3 simulates Internet equipment. The ASA is the company's edge device and performs NAT address translation.


Experimental requirements


Configure dynamic NAT on the ASA to translate the R1 loopback 0 network segment.


Configure dynamic PAT on the ASA to translate the R1 loopback 1 network segment.


Configure static NAT on the ASA for the R2 loopback 0 address (one-to-one translation).


Configure static PAT on the ASA to map TCP port 23 of R2 f0/0 to port 23 of the address 218.1.1.1.


Address planning


R1 Loopback 0 IP: 192.168.10.1/24

R1 Loopback 1 IP: 172.16.1.1/24

R1 f0/0 IP: 11.0.0.2/24

R2 Loopback 0 IP: 192.168.20.1/24

R2 f0/0 IP: 12.0.0.2/24

R3 f0/0 IP: 13.0.0.3/24


The configuration is as follows:

The basic router configuration is not explained here.


R1 configuration:

R1(config)#int f0/0

R1(config-if)#ip add 11.0.0.2 255.255.255.0

R1(config-if)#no shut

R1(config-if)#int loo 0

R1(config-if)#ip add 192.168.10.1 255.255.255.0

R1(config-if)#int loo 1

R1(config-if)#ip add 172.16.1.1 255.255.255.0

R1(config-if)#exit

R1(config)#ip route 0.0.0.0 0.0.0.0 11.0.0.1


R2 configuration:

R2(config)#line vty 0 4

R2(config-line)#password abc123

R2(config-line)#login

R2(config-line)#exit

R2(config)#ip route 0.0.0.0 0.0.0.0 12.0.0.1

R2(config)#int f0/0

R2(config-if)#ip add 12.0.0.2 255.255.255.0

R2(config-if)#no shut

R2(config-if)#int loo 0

R2(config-if)#ip add 192.168.20.1 255.255.255.0


R3 configuration:

R3(config)#int f0/0

R3(config-if)#ip add 13.0.0.3 255.255.255.0

R3(config-if)#no shut


Dynamic NAT for R1's loopback 0 interface


ASA1 configuration:

ASA1(config)# int e0/0

ASA1(config-if)# nameif inside   // define the interface name

INFO: Security level for "inside" set to 100 by default.

ASA1(config-if)# ip add 11.0.0.1 255.255.255.0

ASA1(config-if)# no shut

ASA1(config-if)# exit

ASA1(config)# int e0/1

ASA1(config-if)# nameif dmz

INFO: Security level for "dmz" set to 0 by default.

ASA1(config-if)# ip add 12.0.0.1 255.255.255.0

ASA1(config-if)# security-level <level>   // configure the interface security level; the level value is missing from the original transcript

ASA1(config-if)# no shut

ASA1(config-if)# int e0/2

ASA1(config-if)# nameif outside

ERROR: Name "outside" has been assigned to interface ethernet0/0

ASA1(config-if)# ip add 13.0.0.1 255.255.255.0

ASA1(config-if)# no shut

ASA1(config-if)# exit

ASA1(config)# route inside 192.168.10.0 255.255.255.0 11.0.0.2

ASA1(config)# route inside 172.16.1.0 255.255.255.0 11.0.0.2   // static routes to the loopback networks

ASA1(config)# route dmz 192.168.20.0 255.255.255.0 12.0.0.2

ASA1(config)# nat (inside) 1 192.168.10.0 255.255.255.0   // NAT ID 1: the inside addresses to be translated

ASA1(config)# global (outside) 1 200.1.1.10-200.1.1.20 netmask 255.255.255.0   // public address pool for NAT ID 1

ASA1(config)# access-list 110 extended permit icmp any any   // allow all ICMP, to keep the test simple


Add a return route on R3 and enable debugging

R3#debug ip icmp

R3#conf t

R3(config)#ip route 200.1.1.0 255.255.255.0 13.0.0.1


Ping R3 from R1's loopback 0 to test


The R3 debug output shows that the NAT translation succeeded.



Dynamic PAT on the ASA for R1's loopback 1 interface


ASA1(config)# nat (inside) 2 172.16.1.0 255.255.255.0

ASA1(config)# global (outside) 2 interface


Ping R3 from R1's loopback 1 to test


The R3 debug output shows that the translation succeeded, to the ASA's outside interface address (13.0.0.1).


Static NAT on the ASA for R2's loopback 0, translating it to 222.222.222.222


ASA1(config)# static (dmz,outside) 222.222.222.222 192.168.20.1   // translate 192.168.20.1 to 222.222.222.222; note that the public (mapped) address is written first


Add a return route on R3


R3(config)#ip route 222.222.222.222 255.255.255.255 13.0.0.1


On R2, ping 13.0.0.3 to test


The R3 debug output shows that the translation succeeded.


Static PAT on the ASA: map TCP port 23 of R2's f0/0 to port 23 of 218.1.1.1


ASA1(config)# static (dmz,outside) tcp 218.1.1.1 telnet 12.0.0.2 telnet

Maps port 23 of 12.0.0.2 to port 23 of the address 218.1.1.1; again, the public address is written first.

ASA1(config)# access-list 110 extended permit tcp host 13.0.0.3 host 218.1.1.1 eq 23

Define an ACL entry that allows 13.0.0.3 to telnet to 218.1.1.1. Access-list 110 was already applied to the interface earlier, so that step is omitted here.


Add a return route on R3


R3(config)#ip route 218.1.1.1 255.255.255.255 13.0.0.1


Telnet to 218.1.1.1 from R3 to verify that the connection is mapped to R2




Summary:


Dynamic NAT is many-to-many and uses an address pool; the number of addresses in the pool is the number of inside hosts that can be translated to the public network at the same time.


Dynamic PAT is one-to-many: all private network addresses share one public address.


Static NAT is one-to-one: each private address is given a fixed public address.


Static PAT is a port mapping: a port on a public address is mapped to a port on a private network address.
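As an added illustration (not code from the original post or from Cisco), the following Python model walks through how the four translation types configured above are matched on a pre-8.3 ASA: static entries are consulted before dynamic nat/global pairs, a nat ID links a nat line to its global pool, dynamic NAT holds one pool address per inside host and fails once the pool is exhausted, dynamic PAT reuses the outside interface address with a distinct port, and static PAT answers only for the configured protocol and port, so other traffic from 12.0.0.2 is left untranslated. It also makes concrete why the ACL above names the mapped address 218.1.1.1 rather than 12.0.0.2: on 8.0(2) the interface ACL is evaluated before the inbound untranslation. The interface names, addresses and rules are taken from this lab; the class, its method names and the sequential PAT port allocation starting at 1024 are this example's own assumptions.

```python
"""Toy model of pre-8.3 ASA NAT control (nat/global, static, static PAT).
Constructed example for this lab, not a Cisco tool: interface names, addresses and
rules come from the page; sequential PAT port allocation is an assumption."""
import ipaddress

# ASA1 interface addresses from the lab topology
INTERFACES = {"inside": "11.0.0.1", "dmz": "12.0.0.1", "outside": "13.0.0.1"}


class AsaNat:
    def __init__(self, interfaces):
        self.interfaces = {k: ipaddress.ip_address(v) for k, v in interfaces.items()}
        self.statics = []          # 'static (real,mapped) ...' entries
        self.nats = []             # (real_ifc, nat_id, network) from 'nat (ifc) id net mask'
        self.globals = {}          # (mapped_ifc, nat_id) -> pool address list, or "interface"
        self.dynamic_table = {}    # (mapped_ifc, nat_id, real_ip) -> pool address held by that host
        self.pat_table = {}        # (mapped_ifc, real_ip, real_port) -> (interface_ip, mapped_port)
        self.next_pat_port = 1024  # assumption: PAT ports handed out sequentially from 1024

    def static(self, real_ifc, mapped_ifc, mapped_ip, real_ip, proto=None, mapped_port=None, real_port=None):
        self.statics.append(dict(real_ifc=real_ifc, mapped_ifc=mapped_ifc,
                                 mapped_ip=ipaddress.ip_address(mapped_ip),
                                 real_ip=ipaddress.ip_address(real_ip),
                                 proto=proto, mapped_port=mapped_port, real_port=real_port))

    def nat(self, real_ifc, nat_id, network, mask):
        self.nats.append((real_ifc, nat_id, ipaddress.ip_network(f"{network}/{mask}")))

    def global_(self, mapped_ifc, nat_id, spec):
        if spec == "interface":
            self.globals[(mapped_ifc, nat_id)] = "interface"
        else:
            lo, hi = (ipaddress.ip_address(a) for a in spec.split("-"))
            self.globals[(mapped_ifc, nat_id)] = [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]

    def translate_outbound(self, real_ifc, mapped_ifc, src_ip, proto=None, src_port=None):
        """Return (kind, mapped_ip, mapped_port) for a packet leaving real_ifc towards mapped_ifc."""
        src = ipaddress.ip_address(src_ip)
        for s in self.statics:                       # 1. static NAT / static PAT
            if (s["real_ifc"], s["mapped_ifc"], s["real_ip"]) != (real_ifc, mapped_ifc, src):
                continue
            if s["proto"] is None:
                return ("static", str(s["mapped_ip"]), src_port)
            if s["proto"] == proto and s["real_port"] == src_port:
                return ("static-pat", str(s["mapped_ip"]), s["mapped_port"])
        for ifc, nat_id, net in self.nats:           # 2. dynamic: nat line, then the global with the same ID
            if ifc != real_ifc or src not in net:
                continue
            pool = self.globals.get((mapped_ifc, nat_id))
            if pool is None:
                return ("no-global", None, None)     # nat without a matching global: nothing to translate to
            if pool == "interface":                  # dynamic PAT on the interface address
                key = (mapped_ifc, src, src_port)
                if key not in self.pat_table:
                    self.pat_table[key] = (self.interfaces[mapped_ifc], self.next_pat_port)
                    self.next_pat_port += 1
                ip, port = self.pat_table[key]
                return ("dynamic-pat", str(ip), port)
            key = (mapped_ifc, nat_id, src)          # dynamic NAT: one pool address per inside host
            if key not in self.dynamic_table:
                used = {v for k, v in self.dynamic_table.items() if k[:2] == (mapped_ifc, nat_id)}
                free = [a for a in pool if a not in used]
                if not free:
                    return ("pool-exhausted", None, None)
                self.dynamic_table[key] = free[0]
            return ("dynamic-nat", str(self.dynamic_table[key]), src_port)
        return ("untranslated", None, None)

    def untranslate_inbound(self, mapped_ifc, dst_ip, proto=None, dst_port=None):
        """Reverse a static entry for a packet arriving on mapped_ifc; None means no translation exists."""
        dst = ipaddress.ip_address(dst_ip)
        for s in self.statics:
            if s["mapped_ifc"] != mapped_ifc or s["mapped_ip"] != dst:
                continue
            if s["proto"] is None:
                return (s["real_ifc"], str(s["real_ip"]), dst_port)
            if s["proto"] == proto and s["mapped_port"] == dst_port:
                return (s["real_ifc"], str(s["real_ip"]), s["real_port"])
        return None


def lab_asa():
    """The four translations this page configures on ASA1."""
    asa = AsaNat(INTERFACES)
    asa.nat("inside", 1, "192.168.10.0", "255.255.255.0")
    asa.global_("outside", 1, "200.1.1.10-200.1.1.20")
    asa.nat("inside", 2, "172.16.1.0", "255.255.255.0")
    asa.global_("outside", 2, "interface")
    asa.static("dmz", "outside", "222.222.222.222", "192.168.20.1")
    asa.static("dmz", "outside", "218.1.1.1", "12.0.0.2", proto="tcp", mapped_port=23, real_port=23)
    return asa


if __name__ == "__main__":
    asa = lab_asa()
    print(asa.translate_outbound("inside", "outside", "192.168.10.1"))    # dynamic NAT  -> 200.1.1.10
    print(asa.translate_outbound("inside", "outside", "172.16.1.1"))      # dynamic PAT  -> 13.0.0.1:1024
    print(asa.untranslate_inbound("outside", "218.1.1.1", "tcp", 23))    # static PAT   -> dmz 12.0.0.2:23
```

The pool for NAT ID 1 holds eleven addresses (200.1.1.10 through 200.1.1.20), so the twelfth distinct host on 192.168.10.0/24 gets "pool-exhausted" while the 172.16.1.0/24 hosts behind the interface PAT never run out of addresses, only of ports; that difference is the practical content of the many-to-many versus one-to-many distinction in the summary.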



This article is from the "Sunj" blog, make sure to keep this source http://sunjie123.blog.51cto.com/1263687/1718693
