As already explained, Network Address Translation (NAT) allows you to translate private addresses to public ones.
This tutorial explains how to configure NAT on ASA software 8.3 and newer. As many Cisco admins already know, newer ASAs bring changes and new possibilities, but the configuration syntax does not preserve the older style. One of those changes is NAT configuration.
It is now possible to define objects, for example the network object type. An object of this kind can define a host or subnet, and it then acts as a container to which we can attach the NAT configuration for that host or subnet; the mapped object can also be shared across different dynamic NAT rules if desired.
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. When a host accesses the destination network, the ASA assigns it an IP address from the mapped pool. Here we'll configure translation of the internal network to the address of the outside interface:
We can also hide the internal network behind a range of outside addresses, for example 193.221.20.1 through 193.221.20.15:
The following example shows dynamic NAT with PAT as a backup. Internal addresses are translated to the "my-nat-range" pool (193.221.20.1-193.221.20.14). Once all addresses in "my-nat-range" are allocated, dynamic PAT is performed using "my-pat-address" (193.221.20.15). In the unlikely case that all PAT translations on that address are also used up, dynamic PAT falls back to the address of the outside interface.
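The three dynamic NAT variants described above (interface PAT, a mapped range, and a range with PAT fallback), written out as an added example in ASA 8.3+ object NAT syntax. This is not configuration taken from the original post; the object names inside-net and my-nat-pool, and the interface names inside/outside, are assumptions. Note that a network object holds only one nat statement, so the three variants are alternatives: entering a later one replaces the earlier one on that object.

```cisco
! Real (inside) network that every variant translates
object network inside-net
 subnet 192.168.40.0 255.255.255.0

! Variant 1: hide the whole subnet behind the outside interface address (dynamic PAT)
object network inside-net
 nat (inside,outside) dynamic interface

! Variant 2: dynamic NAT to a range of outside addresses (one real host per mapped address)
object network my-nat-range
 range 193.221.20.1 193.221.20.15
object network inside-net
 nat (inside,outside) dynamic my-nat-range

! Variant 3: dynamic NAT from the range, PAT on my-pat-address once the range is exhausted,
! and PAT on the outside interface as a last resort. The ASA uses range entries of the
! group for dynamic NAT and host entries for PAT fallback.
object network my-nat-range
 range 193.221.20.1 193.221.20.14
object network my-pat-address
 host 193.221.20.15
object-group network my-nat-pool
 network-object object my-nat-range
 network-object object my-pat-address
object network inside-net
 nat (inside,outside) dynamic my-nat-pool interface

! Verification: list the resulting rules with hit counts, then trace a constructed flow
! (203.0.113.10 is a documentation address used here only as a sample destination)
show nat detail
packet-tracer input inside tcp 192.168.40.15 12345 203.0.113.10 80
```

The packet-tracer output includes a NAT phase that names the rule that matched and the mapped address chosen, which is the quickest way to confirm that a host is being translated by the pool you intended rather than by an unrelated rule higher in the NAT table.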
Static NAT
Static NAT also translates a real address to a mapped address, but because the mapped address is the same for every connection, it allows bidirectional connection initiation, both to and from the host (provided the connection is permitted by an access list).
This example shows 1:1 NAT where internal 192.168.40.15 address translates to 193.221.20.15:
We can also configure static NAT with port translation. For example, TCP port 21 on 192.168.40.100 translates to port 2121 on the address of the outside interface.
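Both static cases above (1:1 NAT and static PAT), as an added example that is not the post's own configuration; the object names and the access-list name outside_in are assumptions. Because static NAT makes a host reachable from outside, the example also shows the inbound access list that has to accompany it. On 8.3 and newer, access lists reference the real (untranslated) address and port, not the mapped ones, which is a common source of broken or, worse, overly broad rules when migrating from older syntax.

```cisco
! 1:1 static NAT: 192.168.40.15 is always seen as 193.221.20.15 on the outside
object network srv-192.168.40.15
 host 192.168.40.15
 nat (inside,outside) static 193.221.20.15

! Static PAT: TCP/21 on 192.168.40.100 is published on TCP/2121 of the outside interface address
! (real port first, mapped port second)
object network ftp-192.168.40.100
 host 192.168.40.100
 nat (inside,outside) static interface service tcp 21 2121

! Inbound access list applied on the outside interface. Real addresses and real ports are used,
! so the FTP entry matches port 21, not 2121. Replace "any" with the expected client range
! wherever that is known; a static translation without a matching permit is still unreachable.
access-list outside_in extended permit tcp any host 192.168.40.15 eq 443
access-list outside_in extended permit tcp any host 192.168.40.100 eq 21
access-group outside_in in interface outside

! Verification of the inbound path: simulate a client reaching the published FTP port
packet-tracer input outside tcp 203.0.113.10 40000 193.221.20.15 21
show nat detail
show xlate
```

The show xlate output lists the active translations; a static entry appears as soon as the rule is configured, whereas dynamic entries appear only after a host has initiated traffic.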
Identity NAT simply translates an IP address to itself. In other words, it is used when we want to exclude a network from NAT. It is necessary for remote access and site-to-site VPNs, where the client traffic must be exempted from NAT.
Identity NAT example (addresses are translated to themselves):
To configure a site-to-site VPN, we can include an identity NAT rule that exempts the internal 192.168.40.0/24 network from translation, so packets originating from that subnet are sent across the tunnel with their real addresses. First we define the identity NAT object, then we define the internal network and assign the identity NAT rule to it:
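The identity NAT example and the site-to-site exemption described in the two paragraphs above, as an added example rather than the post's own configuration. The object names are assumptions, and the remote VPN subnet (remote-net, 10.0.0.0/24) is a placeholder since the post does not name one. The ordering matters: twice NAT rules (section 1) are evaluated before object NAT rules (section 2), so placing the VPN exemption in section 1 guarantees it wins over any dynamic rule on the same subnet; a dynamic rule that matches first would PAT the traffic and the tunnel would silently carry the wrong source addresses.

```cisco
! Plain identity NAT in object form: the subnet is translated to itself
object network inside-net
 subnet 192.168.40.0 255.255.255.0
 nat (inside,outside) static inside-net

! Site-to-site VPN exemption as twice NAT. Traffic from inside-net to the remote subnet keeps
! both addresses unchanged. The number "1" inserts the rule at the top of section 1 so it is
! evaluated before every object NAT rule (such as a dynamic PAT on the same subnet).
object network inside-net
 subnet 192.168.40.0 255.255.255.0
object network remote-net
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) 1 source static inside-net inside-net destination static remote-net remote-net

! Verification: the trace should show the identity rule matching and an unchanged source address.
! 10.0.0.25 is a host inside the placeholder remote subnet.
show nat detail
packet-tracer input inside tcp 192.168.40.15 12345 10.0.0.25 445
```

Running show nat detail after both commands confirms the section each rule landed in; if the VPN exemption appears below a dynamic rule covering 192.168.40.0/24, move it up with the line number shown above.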