Friday, June 20, 2014

ASA_NAT




Scenario

1. Inside host_A (192.168.0.2-254/24) in the Inside zone can access the Internet through Auto-NAT (pool: 12.12.12.3-5).
   Route: ASA -> Border_R -> ISP -> Webserver (50.1.1.10/24)

2. When Inside host_B (192.168.0.3/24) in the Inside zone accesses Border_R_2, its IP address must be translated to 12.12.12.6 (confirm by using telnet to Border_R_2).

3. Webserver (172.16.0.10/24) in the DMZ zone must use Manual-NAT (12.12.12.7/24) to allow access from the other zones.

Configuration:
interface GigabitEthernet0
 description Outside to Border_R
 nameif outside
 security-level 0
 ip address 12.12.12.2 255.255.255.0
!
interface GigabitEthernet2
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet4
 description DMZ to Servers
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit intra-interface
object network Inside_192
 subnet 192.168.0.0 255.255.255.0
object network outside_pool
 range 12.12.12.3 12.12.12.5
object network inside_192
 subnet 192.168.0.0 255.255.255.0
object network Inhost-global-6add
 host 12.12.12.6
object network Inhost_B_to_R2
 host 192.168.0.3
object network R2
 host 12.12.12.10
object network dmz-webserver-real
 host 172.16.0.10
object network dmz_global
 host 12.12.12.7
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static Inhost_B_to_R2 Inhost-global-6add destination static R2 R2
!
object network inside_192
 nat (any,any) dynamic outside_pool
object network dmz-webserver-real
 nat (DMZ,any) static dmz_global
route outside 0.0.0.0 0.0.0.0 12.12.12.1 11
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
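The rule order these three scenarios rely on, as an added Python model written for this page rather than ASA code or output: Section 1 manual NAT is consulted first, then Section 2 object NAT with static rules before dynamic ones. The objects and interface names come from the configuration above; the flow tuples, rule labels and the pool-exhaustion behaviour are assumptions of the model.

```python
from ipaddress import ip_address, ip_network

# Objects copied from the configuration on this page.
INSIDE_192 = ip_network("192.168.0.0/24")                 # object network inside_192
OUTSIDE_POOL = [f"12.12.12.{i}" for i in range(3, 6)]     # range 12.12.12.3 12.12.12.5
HOST_B, HOST_B_MAPPED = "192.168.0.3", "12.12.12.6"       # Inhost_B_to_R2, Inhost-global-6add
R2 = "12.12.12.10"                                        # object network R2
DMZ_WEB, DMZ_WEB_MAPPED = "172.16.0.10", "12.12.12.7"     # dmz-webserver-real, dmz_global

class AsaNatModel:
    """Model (not ASA code) of the order in which the three NAT rules above are
    consulted: Section 1 manual NAT first, then Section 2 object NAT with static
    rules before dynamic ones. Addresses are plain strings; a flow is reduced to
    (src, dst, ingress interface, egress interface)."""

    def __init__(self):
        self.pool_leases = {}   # real source -> pool address, like an xlate entry

    def lease(self, real):
        """Give 'real' a pool address, or None when the pool is used up: the dynamic
        rule has no 'interface' PAT fallback, so the ASA would drop the new flow."""
        if real not in self.pool_leases:
            free = [a for a in OUTSIDE_POOL if a not in self.pool_leases.values()]
            if not free:
                return None
            self.pool_leases[real] = free[0]
        return self.pool_leases[real]

    def translate(self, src, dst, in_if, out_if):
        """Return (rule that matched, translated source, translated destination)."""
        # Section 1: manual (twice) NAT matches source and destination together and
        # only for the (inside,outside) pair it names; it is also applied in reverse.
        if (in_if, out_if) == ("inside", "outside") and (src, dst) == (HOST_B, R2):
            return ("manual-twice", HOST_B_MAPPED, dst)
        if (in_if, out_if) == ("outside", "inside") and (src, dst) == (R2, HOST_B_MAPPED):
            return ("manual-twice", src, HOST_B)
        # Section 2: object NAT; source and destination are looked up independently.
        rule, new_src, new_dst = None, src, dst
        if in_if == "DMZ" and src == DMZ_WEB:          # static before dynamic
            rule, new_src = "auto-static", DMZ_WEB_MAPPED
        elif ip_address(src) in INSIDE_192:            # (any,any): every interface pair,
            rule, new_src = "auto-dynamic", self.lease(src)   # inside->DMZ included
        if out_if == "DMZ" and dst == DMZ_WEB_MAPPED:  # inbound side of the static rule
            rule, new_dst = rule or "auto-static", DMZ_WEB
        return (rule, new_src, new_dst)
```

Feeding it the page's flows shows that host_B reaches R2 as 12.12.12.6 but everything else as a pool address, that the (any,any) dynamic rule also translates inside-to-DMZ traffic, and that a fourth inside host gets no address once the three-address pool is leased.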


NAT Configuration: