Our objective is to configure a 1-1 Static NAT and bidirectionally translate 10.1.1.254 <-> 204.11.72.1.
Let's get R2 configured with the IP and a default route.
R2#sh run int fast1/0
interface FastEthernet1/0
description connected to the inside interface of the ASA
ip address 10.1.1.254 255.255.255.0
duplex auto
speed auto
end
<!-- Set the default gateway to the inside interface of the ASA --!>
R2(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.1
Next let's get the R3 interface and route configured.
R3#sh run int fast1/0
interface FastEthernet1/0
description connected to the ASA outside interface
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
end
<!-- Add this so R3 has a route to 204.11.72.0/24 subnet --!>
R3(config)#ip route 204.11.72.0 255.255.255.0 192.168.2.1
Now let's get the IPs and the NAT configured on the ASA.
ciscoasa(config)# int g0
ciscoasa(config-if)# description connected to inside
ciscoasa(config-if)# nameif inside-int
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa(config-if)# interface g2
ciscoasa(config-if)# description connected to the outside interface
ciscoasa(config-if)# nameif outside-interface
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)# exit
ciscoasa(config)# object network outside-webserver-ip
ciscoasa(config-network-object)# host 204.11.72.1
ciscoasa(config-network-object)# object network inside-webserver
ciscoasa(config-network-object)# host 10.1.1.254
ciscoasa(config-network-object)# nat (inside-int,outside-interface) static outside-webserver-ip
1) Add the IP to the inside interface
2) Add the IP to the outside interface
3) Create a network object and assign the public IP (outside-webserver-ip)
4) Create a network object and assign the inside IP (inside-webserver)
5) Create the nat statement that maps the inside IP to the outside IP bidirectionally.
So at this point R3 should be able to ping 204.11.72.1 and R2 should be able to ping 192.168.2.2; we will verify this using a few debug commands.
R2#ping 192.168.2.2
<!-- pinging the IP of R3 --!>
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/35/64 ms
<!-- debug on the ASA reveals that 10.1.1.254 (IP of R2) is translated to 204.11.72.1 --!>
ciscoasa# debug nat 255
debug nat enabled at level 255
ciscoasa# nat: translation - inside-int:10.1.1.254/2 to outside-interface:204.11.72.1/2
nat: untranslation - outside-interface:204.11.72.1/2 to inside-int:10.1.1.254/2
nat: untranslation - outside-interface:204.11.72.1/2 to inside-int:10.1.1.254/2
nat: untranslation - outside-interface:204.11.72.1/2 to inside-int:10.1.1.254/2
Now let's go in the reverse direction. Initiate a connection to 204.11.72.1 from R3 (outside).
R3#ping 204.11.72.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.11.72.1, timeout is 2 seconds:
!!.!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/48/72 ms
<!-- debug on the ASA reveals that 204.11.72.1 is now being translated to 10.1.1.254 --!>
ciscoasa# nat: untranslation - outside-interface:204.11.72.1/0 to inside-int:10.1.1.254/0
nat: untranslation - outside-interface:204.11.72.1/0 to inside-int:10.1.1.254/0
nat: untranslation - outside-interface:204.11.72.1/0 to inside-int:10.1.1.254/0
nat: translation - inside-int:10.1.1.254/0 to outside-interface:204.11.72.1/0
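To tie the five configuration steps above to the debug output, here is an added Python checker (my own code, not from the original post or Cisco) that parses the ASA object/NAT lines as typed above into a 1-1 mapping and then verifies that every "nat: translation" / "nat: untranslation" line agrees with that mapping in the right direction with the value after the slash preserved. The config text and debug lines are copied from the post; the regexes and function names are my assumptions about the CLI text layout. It also flags a point worth noticing in the config above: both interfaces were given security-level 0, and the ASA does not forward between equal-level interfaces unless same-security-traffic permit inter-interface is configured (an inside interface normally carries level 100).

```python
"""Added example, not from the original post: parse the ASA static NAT
configuration shown above and check the 'debug nat' output against it.
Config text and debug lines are copied from the post; function names and the
regexes are my own assumptions about the CLI text layout."""
import re

# Constructed from the ASA configuration in the post (prompts stripped).
ASA_CONFIG = """
interface g0
 nameif inside-int
 security-level 0
 ip address 10.1.1.1 255.255.255.0
interface g2
 nameif outside-interface
 security-level 0
 ip address 192.168.2.1 255.255.255.0
object network outside-webserver-ip
 host 204.11.72.1
object network inside-webserver
 host 10.1.1.254
 nat (inside-int,outside-interface) static outside-webserver-ip
"""

# Copied from the 'debug nat 255' output in the post (one line per direction).
DEBUG_OUTPUT = """
ciscoasa# nat: translation - inside-int:10.1.1.254/2 to outside-interface:204.11.72.1/2
nat: untranslation - outside-interface:204.11.72.1/2 to inside-int:10.1.1.254/2
nat: untranslation - outside-interface:204.11.72.1/0 to inside-int:10.1.1.254/0
nat: translation - inside-int:10.1.1.254/0 to outside-interface:204.11.72.1/0
"""

OBJECT_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
NAT_RE = re.compile(r"^nat \(([^,)]+),([^,)]+)\) static (\S+)$")
NAMEIF_RE = re.compile(r"^nameif (\S+)$")
SECLEVEL_RE = re.compile(r"^security-level (\d+)$")
DEBUG_RE = re.compile(
    r"^(?:\S+# )?nat: (translation|untranslation) - "
    r"([^:\s]+):([^/\s]+)/(\d+) to ([^:\s]+):([^/\s]+)/(\d+)$"
)


def parse_static_nats(config):
    """Return [(real_if, mapped_if, real_ip, mapped_ip)] for each object NAT rule."""
    hosts, nats, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := OBJECT_RE.match(line):
            current = m.group(1)
        elif (m := HOST_RE.match(line)) and current:
            hosts[current] = m.group(1)
        elif (m := NAT_RE.match(line)) and current:
            nats.append((m.group(1), m.group(2), current, m.group(3)))
    # Resolve object names only after every object has been read.
    return [(rif, mif, hosts[r], hosts[mp]) for rif, mif, r, mp in nats]


def parse_security_levels(config):
    """Map each nameif to its security-level."""
    levels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            current = m.group(1)
        elif (m := SECLEVEL_RE.match(line)) and current:
            levels[current] = int(m.group(1))
    return levels


def check_debug_output(config, debug_text):
    """For each debug line return (kind, ok): ok is True when the line is a
    translation the static rules actually allow, in the right direction."""
    expected = set()
    for rif, mif, real, mapped in parse_static_nats(config):
        expected.add(("translation", rif, real, mif, mapped))    # inside -> outside
        expected.add(("untranslation", mif, mapped, rif, real))  # outside -> inside
    results = []
    for raw in debug_text.splitlines():
        if not (m := DEBUG_RE.match(raw.strip())):
            continue
        kind, sif, sip, sport, dif, dip, dport = m.groups()
        # A 1-1 static NAT rewrites only the address, so the value after the
        # slash must come through unchanged.
        ok = (kind, sif, sip, dif, dip) in expected and sport == dport
        results.append((kind, ok))
    return results


def same_security_warnings(config):
    """List NAT rules whose real and mapped interfaces share a security-level.
    The ASA does not forward between equal-level interfaces unless
    'same-security-traffic permit inter-interface' is configured, and an inside
    interface is normally given level 100 so it is trusted more than outside."""
    levels = parse_security_levels(config)
    return [(rif, mif, levels[rif]) for rif, mif, _, _ in parse_static_nats(config)
            if levels.get(rif) == levels.get(mif)]


if __name__ == "__main__":
    print(parse_static_nats(ASA_CONFIG))
    print(check_debug_output(ASA_CONFIG, DEBUG_OUTPUT))
    print(same_security_warnings(ASA_CONFIG))
```

Run it as-is and every debug line from the post checks out in both directions; feed it a line for an address the object NAT does not cover, or one where the port changes, and that line is reported as not matching the configured 1-1 mapping.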
Objective accomplished: bidirectional translation between 10.1.1.254 <-> 204.11.72.1. However, what if you wanted to translate only a handful of ports, say for example just www/http traffic? This is where Static 1-1 NAT with Port translation is used, and it will be my next post, so stay tuned.
Many more articles to come so stay tuned.
Please reshare/subscribe/comment/+1 if you like my posts as it keeps me motivated to write more and spread the knowledge.