Wednesday, 1 May 2013

Configuring Network Object NAT in ASA 8.4

Network Object NAT
(ASA 8.4)
-----------------------------
Dynamic NAT 
The following example configures dynamic NAT that hides 192.168.2.0 network behind a range of
outside addresses 2.2.2.1-2.2.2.10:


ASA(config)# object network my-range-obj
ASA(config-network-object)# range 2.2.2.1 2.2.2.10
ASA(config)# object network my-inside-net
ASA(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic my-range-obj


Dynamic PAT
The following example configures dynamic PAT that hides the 192.168.2.0 network behind address
2.2.2.2:

ASA(config)# object network my-inside-net
ASA(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic 2.2.2.2


The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:
ASA(config)# object network my-inside-net
ASA(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic interface


Dynamic NAT with Dynamic PAT backup
The following example configures dynamic NAT with dynamic PAT backup. Hosts on inside network 10.76.11.0 are mapped first to the nat-range1 pool (10.10.10.10-10.10.10.20). After all addresses in the nat-range1 pool are allocated, dynamic PAT is performed using the pat-ip1 address (10.10.10.21). In the unlikely event that the PAT translations are also use up, dynamic PAT is performed using the outside interface address.

ASA(config)# object network nat-range1
ASA(config-network-object)# range 10.10.10.10 10.10.10.20
!pool of public IP address(Dynamic NAT)

ASA(config-network-object)# object network pat-ip1
ASA(config-network-object)# host 10.10.10.21
!single Public IP for PAT (dynamic PAT)

ASA(config-network-object)# object-group network nat-pat-grp
ASA(config-network-object)# network-object object nat-range1
ASA(config-network-object)# network-object object pat-ip1
!Object grouping of dynamic NAT and then dynamic PAT in order

ASA(config-network-object)# object network my_net_obj5
ASA(config-network-object)# subnet 10.76.11.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic nat-pat-grp interface
!private subnet and nat config: first NAT using object group(in order) if full use interface(outside) for PAT

Static NAT
The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside with DNS rewrite enabled.
ASA(config)# object network my-host-obj1
ASA(config-network-object)# host 1.1.1.1
ASA(config-network-object)# nat (inside,outside) static 2.2.2.2 dns

The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside using a mapped object.
ASA(config)# object network my-mapped-obj
ASA(config-network-object)# host 2.2.2.2
ASA(config-network-object)# object network my-host-obj1
ASA(config-network-object)# host 1.1.1.1
ASA(config-network-object)# nat (inside,outside) static my-mapped-obj


Static PAT
The following example configures static NAT with port translation for 1.1.1.1 at TCP port 21 to the
outside interface at port 2121.

ASA(config)# object network my-ftp-server
ASA(config-network-object)# host 1.1.1.1
ASA(config-network-object)# nat (inside,outside) static interface service tcp 21 2121


Identity NAT
The following example maps a host address to itself using an inline mapped address:
ASA(config)# object network my-host-obj1
ASA(config-network-object)# host 10.1.1.1
ASA(config-network-object)# nat (inside,outside) static 10.1.1.1

No comments:

Post a Comment