
Static NAT

Access-list for accessing inside servers from the internet

Network objects and the nat command are used for the PAT configuration.

On the 55X0 series we assign names to the physical interfaces instead of to virtual interfaces.

From version 8.3, Cisco uses a network object as part of the PAT configuration.
Prerequisites: interfaces, default route.
Basic configuration of ASA PAT for internet access:
ciscoasa(config)# object network net-192.168.106    - network object name
ciscoasa(config-network-object)# subnet 192.168.106.0 255.255.255.0    - type of network object, here the type is subnet
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface    - NAT configuration, here it is dynamic NAT
This maps the inside interface to the outside interface. The mapped address is "interface", which tells the firewall to pick the ip address of the outside interface.

Static NAT:-
We need to access our internal web server from the internet, so we configure static NAT.
The steps for configuring static NAT are:
1. Create a network object.
2. Identify the internal host. This tells the ASA which server ip is reachable from the outside interface.
3. Create the static NAT statement. This tells the ASA to forward port 80 traffic to the web server.
4. Build an ACL to allow the traffic against the security levels.
5. Apply the ACL to the outside interface.
Commands:-
(config)# object network outside_to_inside_Web_server
(config-network-object)# host 192.168.102.5
(config-network-object)# nat (inside,outside) static interface service tcp 80 80
The first 80 is the real port on the server, the second 80 is the mapped port seen from the outside (compare "service tcp 23 2323" in the static PAT lab below); here both are 80.
ACL:- to permit the traffic against the security levels. The access-list is entered in global configuration mode, not inside the network object:
(config)# access-list outside_to_inside_Web_server permit tcp any host 192.168.102.5 eq www
www = port 80.
To apply the access-list to the interface:
(config)# access-group outside_to_inside_Web_server in interface outside
"in" means inbound traffic arriving on the interface.

NAT in different ASA versions (based on the OS version)

1. 7.0, 7.1, 7.2
The nat-control command is necessary to perform NAT.
nat-control: if traffic moves from one interface to another interface it must be translated.
2. 8.0, 8.1, 8.2, 8.3
nat-control is optional.
3. 8.4, 8.5, 8.6, 9.0, 9.1, 9.2, 9.3
nat-control is not supported.

7.0, 7.1, 7.2, 8.0, 8.1, 8.2, 8.3
The commands are different compared to the next higher versions.
Static NAT in these versions:
static (in,out) 10.1.1.1 12.1.1.1
                global ip  local ip
In 8.4 the syntax is as follows; we create network objects:
object network abc
host 12.1.1.1    - local ip
exit
object network xyz
host 10.1.1.1    - global ip
exit

Topology: r1 (12.1.1.1) --- 12.1.1.2 [ASA] 23.1.1.1 --- r2 (23.1.1.2)
Security levels: inside 100, outside 0
We have two methods to perform static NAT:-
1. Go into the local (real) object to perform static NAT:
object network abc
nat (in,out) static xyz    - converts the local ip to the global ip
exit
Open the ACL for ICMP:
access-list myacl permit icmp host <source ip> host <destination ip>
access-group myacl in interface outside

Lab:
object network abc
host 12.1.1.1    - local ip
exit
We need to convert 12.1.1.1 to 101.1.1.1, so the global ip goes into the second object (xyz, not abc again):
object network xyz
host 101.1.1.1    - global ip
exit
object network abc
nat (in,out) static xyz
exit
Open the ACL for ICMP:
access-list myacl permit icmp host 23.1.1.2 host 12.1.1.1
                                  source        destination
access-group myacl in interface outside
In version 8.0 we open the ACL for the NAT ip 101.1.1.1 as the destination, but from version 8.4 we use the real ip 12.1.1.1 as the destination.

2nd method to perform static NAT: outside the object, in global configuration mode
(config)# nat (inside,outside) source static abc xyz

Dynamic NAT:
Multiple ip addresses to a smaller set of ip addresses, e.g. the 254 hosts of 12.1.1.0/24 to the range 105.1.1.1 - 105.1.1.9.
We create the objects as:
object network abc
subnet 12.1.1.0 255.255.255.0
object network xyz
range 105.1.1.1 105.1.1.9
object network abc
nat (in,out) dynamic xyz
exit
access-list myacl permit icmp host 23.1.1.2 host 12.1.1.1
access-group myacl in interface outside

PAT
Converting multiple ip addresses to a single ip address: many to one.
object network abc
subnet 12.1.1.0 255.255.255.0
nat (in,out) dynamic interface    (or: nat (in,out) dynamic xyz, where xyz holds the single mapped ip)
exit

2nd way:-
object network abc
subnet 12.1.1.0 255.255.255.0
object network xyz
host 111.1.1.1
exit
object network abc
nat (in,out) dynamic xyz
exit
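To see why dynamic NAT and PAT behave differently for the 254 hosts of 12.1.1.0/24 above, here is an added Python model (not from the original notes) of the xlate table for one outbound nat (in,out) rule: dynamic NAT hands each inside host one address from the xyz range 105.1.1.1 - 105.1.1.9 until the pool runs out, while PAT maps every host to the single mapped address (the outside interface 23.1.1.1, or the xyz host 111.1.1.1) with a unique mapped port. The first PAT port and dropping flows on pool exhaustion are simplifying assumptions of this model.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

def pool_from_range(first: str, last: str) -> List[str]:
    """Expand the addresses of 'range 105.1.1.1 105.1.1.9' from the xyz object."""
    lo, hi = int(ip_address(first)), int(ip_address(last))
    return [str(ip_address(i)) for i in range(lo, hi + 1)]

class XlateTable:
    """Simplified model of the xlate table for one outbound nat (in,out) rule.
    mode 'dynamic': dynamic NAT, one pool address per inside host, real port kept;
    mode 'pat': PAT, all hosts share one mapped address and get unique mapped ports."""
    def __init__(self, real_subnet: str, mode: str, mapped: List[str]):
        self.real = ip_network(real_subnet)
        self.mode = mode
        self.mapped = mapped
        self.hosts: Dict[str, str] = {}                          # dynamic: real ip -> mapped ip
        self.flows: Dict[Tuple[str, int], Tuple[str, int]] = {}  # pat: (real ip, port) -> (mapped ip, port)
        self.next_port = 1024   # assumed first PAT port; the real allocation policy differs by version

    def translate(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Mapped (ip, port) for an outbound flow, or None if the packet cannot be translated."""
        if ip_address(src_ip) not in self.real:
            return None                                  # source not covered by object abc
        if self.mode == "dynamic":
            if src_ip not in self.hosts:
                free = [m for m in self.mapped if m not in self.hosts.values()]
                if not free:
                    return None                          # pool exhausted: the flow is dropped
                self.hosts[src_ip] = free[0]
            return (self.hosts[src_ip], src_port)        # dynamic NAT keeps the real port
        key = (src_ip, src_port)
        if key not in self.flows:
            self.flows[key] = (self.mapped[0], self.next_port)
            self.next_port += 1
        return self.flows[key]

def hosts_translated(table: XlateTable, n_hosts: int) -> int:
    """Open one flow from each of the first n_hosts addresses of 12.1.1.0/24; count the successes."""
    return sum(table.translate(f"12.1.1.{i}", 40000 + i) is not None for i in range(1, n_hosts + 1))
```

With the 9-address pool only 9 of the 254 hosts get an xlate; with PAT all 254 do, each distinguished by its mapped port.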

Static PAT (xlate table)

Topology: r1 (12.1.1.1) --- 12.1.1.2 [ASA] 23.1.1.1 --- r2 (23.1.1.2)
Security levels: inside 100, outside 0
object network abc
host 12.1.1.1
object network xyz
host 101.1.1.1
exit

If someone hits the ip 101.1.1.1 on port 2323, we convert this to 12.1.1.1 port 23:
object network abc
nat (in,out) static xyz service tcp 23 2323
Here the user is coming from the outside, so we create the access-list as:
access-list myacl permit tcp host 23.1.1.2 host 12.1.1.1 eq 23
We open the ACL for the real ip and the real port, not the mapped ones.

ACL in a router
r1(config)# access-list 10 permit host 10.0.0.1
After this we go to the interface:
r1(config-if)# ip access-group 10 {in | out}
in or out depends on whether the traffic is incoming to or outgoing from the router.
In the ASA we do not go under the interface; we have already given the interface a name, so we just refer to that name in global configuration mode.
By default ICMP is not inspected, so its return traffic is not automatically allowed back in. By explicitly writing an ACL we can permit ICMP.
Ping will also not work from a higher security level to a lower security level.
To permit the traffic from r2 & r3:
asa(config)# access-list allow_ping permit icmp any any
All other traffic is denied because of the implicit deny rule, as on routers.
We bind the ACL to the outside interface, because the inside is already trusted/allowed; only on the outside interface is ping not working.
Telnet works because of inspection: TCP and UDP are already inspected.
asa(config)# access-group allow_ping in interface outside
"in" means the direction into the network from the outside: the packet is coming in on the outside interface.
Output: now router 2 can ping router 3, and (danger) router 3 can also ping router 2.
asa(config)# access-list allow_ping permit icmp any any
This command allows both echo-reply and echo-request, which security engineers consider dangerous.
We need to specify the command so that ping is only allowed from the higher to the lower security level, as:
asa(config)# access-list allow_ping permit icmp any any echo-reply
So when we ping from router 2 to router 3, r2 requests and r3 replies. If r3 pings, that is an echo-request, and echo-request is not allowed.
show running-config access-list is used to verify the ACL; show access-list also displays the hit count.
It shows an extended ACL if we mention both source & destination.
Hit count means how many times we pinged (hitcnt=1 for one ping): the number of times the policy fired is the hit count.
NAT in ASA after 8.3
Before 8.3 NAT was a big headache, because every packet had to be translated to pass through the ASA.
If there was no NAT, no packet was allowed, so we used to do zero NAT or identity NAT (translating an ip to itself, so source and destination stay the same) for traffic where NAT is not required.
This was because nat-control was enabled and every packet had to be natted.
Later Cisco allowed nat-control to be enabled or disabled.
After that they introduced 3 approaches for NAT: manual NAT, auto NAT, and manual NAT after auto NAT.

For manual NAT we create the objects first: one object holds the real address and the other object holds the mapped address.
We will translate 10.210.0.2 to 20.0.0.100, 20.0.0.101, 20.0.0.102.
We create an object. There are 2 types of objects:
1. network
2. service
asa(config)# object network real
asa(config-network-object)# (give host or subnet; if we have many ip addresses inside our organization, go with subnet)
asa(config-network-object)# host 10.210.0.2
Create the mapped object:
asa(config)# object network mapped
asa(config-network-object)# range 20.0.0.100 20.0.0.103
exit
Up to this point the commands are the same for all types of NAT:-
Now we create the manual NAT in global config mode, as:
1. asa(config)# nat (inside,outside) source dynamic real mapped
2. asa(config)# nat (inside,outside) source dynamic real interface
If we purchased only one ip address, then "interface" is used.
Here the internal address is hidden, so r3 replies to the mapped address only (one to one).
Auto NAT:-
NAT created inside the object is known as auto NAT.
asa(config)# object network real
We are already inside the real (source) object, so the "source" keyword is not used:
asa(config-network-object)# nat (inside,outside) dynamic mapped

ACL:-
To allow ICMP:
asa(config)# access-list P-ICMP extended permit icmp host 192.1.20.2 host 10.11.1.1
asa(config)# access-group P-ICMP in interface outside    - binds the ACL to the interface, in global configuration mode
In 8.3 and above we write the NAT and then apply the ACL.
In 8.3 versions we write the real ip address in the access-list, not the mapped ip address; the ACL is written for real addresses only.
For example: source real address and destination real address, not the mapped addresses of the natted interface.
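An added Python model (not from the original notes) of the inbound packet path described in the static PAT lab and in the 8.3 ACL note above: from 8.3 on the ASA untranslates the mapped 101.1.1.1:2323 to the real 12.1.1.1:23 before the outside ACL is checked, so the ACL must name the real address, whereas pre-8.3 the ACL saw the mapped address; the same matcher shows why "permit icmp any any echo-reply" lets r3's replies in but blocks r3's own echo-requests. Packet, StaticXlate, Ace and the post_83 flag are names assumed for this example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:                          # one packet arriving on the outside interface
    proto: str                         # "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None    # "echo-request" or "echo-reply"
@dataclass(frozen=True)
class StaticXlate:   # nat (in,out) static <mapped> [service tcp <real_port> <mapped_port>]
    real_ip: str
    mapped_ip: str
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None
@dataclass(frozen=True)
class Ace:           # one access-list line; src/dst are CIDR strings or "any"
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

def untranslate(pkt: Packet, xlates: List[StaticXlate]) -> Packet:
    """Destination NAT on the way in: mapped ip/port -> real ip/port."""
    for x in xlates:
        if pkt.dst != x.mapped_ip:
            continue
        if x.mapped_port is None:
            return replace(pkt, dst=x.real_ip)                       # static NAT
        if pkt.proto == "tcp" and pkt.dport == x.mapped_port:
            return replace(pkt, dst=x.real_ip, dport=x.real_port)    # static PAT
    return pkt   # no xlate: forwarded as-is (no nat-control from 8.3 on)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    def in_net(net: str, ip: str) -> bool:
        return net == "any" or ip_address(ip) in ip_network(net, strict=False)
    return (ace.proto == pkt.proto and in_net(ace.src, pkt.src) and in_net(ace.dst, pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport)
            and (ace.icmp_type is None or ace.icmp_type == pkt.icmp_type))

def inbound_allowed(pkt: Packet, xlates: List[StaticXlate], acl: List[Ace], post_83: bool = True) -> bool:
    """8.3+: untranslate first, so the outside ACL is matched on the real address.
    Pre-8.3: the ACL is matched on the mapped address. No match -> implicit deny."""
    checked = untranslate(pkt, xlates) if post_83 else pkt
    for ace in acl:
        if ace_matches(ace, checked):
            return ace.action == "permit"
    return False
```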
