Wednesday 5 February 2014

NAT on Cisco ASA

TCP ping on the ASA can be used to test whether the specified port is open at the destination IP:
ping tcp x.x.x.x 22

For IOS 8.2 and older

Dynamic NAT, PAT, static NAT, identity NAT
nat (inside) 1 10.0.0.0 255.255.255.0           (creates NAT group id 1 for the 10.0.0.0/24 subnet arriving on inside)
global (outside) 1 192.168.1.51-192.168.1.100   (group 1 traffic leaving via outside is mapped to an address from this pool: dynamic NAT)
global (outside) 1 192.168.1.101                (group 1 traffic leaving via outside is mapped to 192.168.1.101 with PAT, used once the pool above is exhausted)

static (dmz,outside) 192.168.1.175 172.16.0.5   (syntax: static (real_ifc,mapped_ifc) mapped_IP real_IP; dmz is the real/incoming side, outside the mapped/outgoing side, so dmz host 172.16.0.5 is seen from outside as 192.168.1.175)
static (dmz,inside) 172.16.0.6 172.16.0.6       (identity NAT: mapped IP equals the real IP)

NAT 0 – do not translate traffic that matches the specified access list (NAT exemption)
access-list NONAT permit ip <source net> <dest net>
nat (inside) 0 access-list NONAT                (id 0 is reserved for NAT 0)
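A complete 8.2-style configuration for the topology used in these notes, added here as an example (it is not from the original post). The inside, dmz and outside addresses follow the lines above; the 10.1.1.0/24 remote VPN network and the access-list names are assumed:

```cisco
! Added example, not from the original post. Constructed topology:
!   inside  = 10.0.0.0/24
!   dmz     = 172.16.0.0/24 (server 172.16.0.5)
!   outside = 192.168.1.0/24
!   10.1.1.0/24 = assumed LAN behind a site-to-site VPN peer

! 1) NAT exemption (nat 0): inside hosts talking to the VPN peer's LAN keep
!    their real addresses. The ASA evaluates exemption before any other
!    nat/static statement, so it wins over the dynamic rule further down.
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 2) Static NAT for the DMZ server: real 172.16.0.5 is reachable from
!    outside as 192.168.1.175. Syntax: static (real_ifc,mapped_ifc) mapped real
static (dmz,outside) 192.168.1.175 172.16.0.5 netmask 255.255.255.255

! 3) Identity NAT so inside hosts reach the server by its real address
!    (only required when nat-control is enabled; it is off by default)
static (dmz,inside) 172.16.0.5 172.16.0.5 netmask 255.255.255.255

! 4) Everything else from inside (group id 1): the pool is used first,
!    then the single address with PAT once the pool is exhausted
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.1.51-192.168.1.100
global (outside) 1 192.168.1.101

! 5) In 8.2 the interface ACL is written against the MAPPED address
!    (this flips to the real address in 8.3 and later)
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.175 eq 22
access-group OUTSIDE_IN in interface outside

! Verification (no output shown here):
!   show nat     - match counters per nat/static statement
!   show xlate   - active translations; the static entries are present without traffic
```

The identity static in step 3 is what keeps the server reachable by 172.16.0.5 from inside even if nat-control is later turned on; without it the dmz server would only ever be known by its mapped address from the inside.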

-------------------------------------------------------------------------------------------------
http://www.tunnelsup.com/nat-for-cisco-asas-version-8-3/

NAT (IOS 8.3, 8.4 and newer)
The 3 sections of the NAT table, evaluated in this order:
1. Manual NAT
2. Auto NAT
3. Manual NAT (after-auto section)
If no NAT rule matches the traffic, it is forwarded untranslated.

Auto/Object NAT (starts with the object command)
Dynamic NAT
object network inside_10
 subnet 10.0.0.0 255.255.255.0
object network outside-pool
 range 192.168.1.51 192.168.1.100
object network inside_10
 nat dynamic outside-pool
The config above translates any 10.0.0.0/24 address passing through the ASA; no interface pair is given, so it applies whatever the ingress and egress interfaces are (dmz, outside, ...).

object network inside_10
 nat (inside,any) dynamic outside-pool
The config above translates any 10.0.0.0/24 address entering on the inside interface, whichever interface it leaves by (dmz, outside, ...).

Static object NAT
object network winxp-inside
 nat (inside,outside) static winxp-outside
(winxp-inside still needs a host line holding the real address, and winxp-outside must be a defined object holding the mapped address; both are omitted above.)
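The DMZ server from the 8.2 section expressed as 8.3+ object NAT, added here as an example (not from the original post or the linked article). The object names, the ACL name and the 203.0.113.10 test source are assumed:

```cisco
! Added example, not from the original post. Constructed values:
!   dmz server real IP 172.16.0.5, published on outside as 192.168.1.175

! The real address lives in the object; NAT is a parameter of that object.
! This is the 8.3 equivalent of "static (dmz,outside) 192.168.1.175 172.16.0.5".
object network dmz-server
 host 172.16.0.5
 nat (dmz,outside) static 192.168.1.175

! Least-exposure alternative (replace the nat line above, do not keep both):
! publish only TCP/22 on the mapped address and leave every other port
! unreachable from outside (static PAT).
! nat (dmz,outside) static 192.168.1.175 service tcp 22 22

! No rule is needed for inside -> dmz: traffic that matches no NAT rule is
! forwarded untranslated, so inside hosts already reach 172.16.0.5 directly.

! From 8.3 on, interface ACLs are written against the REAL address.
! Permitting 192.168.1.175 here instead would silently match nothing.
access-list OUTSIDE_IN extended permit tcp any object dmz-server eq 22
access-group OUTSIDE_IN in interface outside

! Checks (no output shown here):
!   show nat detail       - section, hit counters and resolved object addresses
!   show xlate            - the static xlate is present before any traffic flows
!   packet-tracer input outside tcp 203.0.113.10 40000 192.168.1.175 22
!                         - walks an inbound packet through UN-NAT and the ACL
!   ping tcp 172.16.0.5 22
!                         - from the ASA, confirms the real server is listening
```

The packet-tracer line is the quickest way to see the 8.3 ACL change in practice: the trace shows the UN-NAT phase rewriting 192.168.1.175 to 172.16.0.5 before the ACCESS-LIST phase, which is why the ACL has to name the real address.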
----------------------

Static NAT (manual NAT syntax; the destination clause is optional)
nat (inside,outside) 1 source static <inside local> <inside global> destination static <outside local> <outside global>
("1" is the line number, i.e. the position of the rule within its section)

Static NAT adds a rule for each direction (so 2 NAT rules in total).
A static NAT xlate entry is always present in the xlate table, so it can be used for a server that must be reachable from outside.

Dynamic NAT only adds one rule (one direction).
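Two manual (twice) NAT rules that auto NAT cannot express, added here as an example (not from the original post): the 8.3+ equivalent of the NAT 0 exemption from the 8.2 section, and a policy NAT where the same source is translated differently depending on the destination. Object names, the 10.1.1.0/24 VPN network, the 198.51.100.0/24 partner network and the 192.168.1.200 partner-facing address are assumed values:

```cisco
! Added example, not from the original post. Constructed objects:
object network inside_10
 subnet 10.0.0.0 255.255.255.0
object network remote_vpn_net
 subnet 10.1.1.0 255.255.255.0
object network partner_net
 subnet 198.51.100.0 255.255.255.0
object network partner_facing_ip
 host 192.168.1.200
object network outside-pool
 range 192.168.1.51 192.168.1.100

! 1) NAT exemption, the 8.3 form of "nat (inside) 0 access-list NONAT":
!    source and destination are both mapped to themselves. A manual rule
!    without "after-auto" lands in Section 1, ahead of the auto NAT rule
!    below, so VPN-bound traffic is never pulled into the pool.
!    no-proxy-arp / route-lookup need 8.4(2) or later; drop them on 8.3.
nat (inside,outside) source static inside_10 inside_10 destination static remote_vpn_net remote_vpn_net no-proxy-arp route-lookup

! 2) Policy NAT: the SAME source (inside_10) is PATed to a dedicated
!    address when talking to the partner, and to the pool for anything
!    else. This is the sourceA/destinationA vs sourceA/destinationB case
!    that a per-object auto NAT rule cannot tie together.
nat (inside,outside) source dynamic inside_10 partner_facing_ip destination static partner_net partner_net

! 3) Everything else from inside: auto NAT, Section 2, evaluated only
!    after the two manual rules above. Being dynamic, it adds one direction.
object network inside_10
 nat (inside,outside) dynamic outside-pool

! Checks (no output shown here):
!   show nat            - confirms the Section 1 rules are listed before Section 2
!   show nat detail     - per-rule translate_hits / untranslate_hits
!   packet-tracer input inside tcp 10.0.0.10 40000 10.1.1.10 22
!                       - must report the identity rule, not the pool
!   packet-tracer input inside tcp 10.0.0.10 40000 198.51.100.10 443
!                       - must report 192.168.1.200 as the mapped source
```

The two packet-tracer runs are the practical test of rule order: if the pool rule were hit for either destination, the exemption or policy rule is either missing its section placement or is listed after a broader manual rule.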
---------------------

NOTES

http://www.tunnelsup.com/nat-for-cisco-asas-version-8-3/
The limitation that Auto NAT has is that it cannot take the destination into consideration when conducting its NAT. This also of course results in it not being able to alter the destination address either. To accomplish either of these tasks you must use “manual NAT”.
All of these terms are identical: Manual NAT, Twice NAT, Policy NAT, Reverse NAT. Don’t be confused by fancy mumbo jumbo.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/nat_overview.html#wpxref64594

Main Differences Between Network Object NAT and Twice NAT

The main differences between these two NAT types are:
1. How you define the real address.
   Network object NAT—You define NAT as a parameter for a network object; the network object definition itself provides the real address. This method lets you easily add NAT to network objects. The objects can also be used in other parts of your configuration, for example, for access rules or even in twice NAT rules.
   Twice NAT—You identify a network object or network object group for both the real and mapped addresses. In this case, NAT is not a parameter of the network object; the network object or group is a parameter of the NAT configuration. The ability to use a network object group for the real address means that twice NAT is more scalable.
2. How source and destination NAT is implemented.
   Network object NAT—Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination.
   Twice NAT—A single rule translates both the source and destination. A matching packet only matches the one rule, and further rules are not checked. Even if you do not configure the optional destination address for twice NAT, a matching packet still only matches one twice NAT rule. The source and destination are tied together, so you can enforce different translations depending on the source/destination combination. For example, sourceA/destinationA can have a different translation than sourceA/destinationB.
3. Order of NAT Rules.
   Network object NAT—Automatically ordered in the NAT table.
   Twice NAT—Manually ordered in the NAT table (before or after network object NAT rules).
   See the "NAT Rule Order" section for more information.

We recommend using network object NAT unless you need the extra features that twice NAT provides. Network object NAT is easier to configure, and might be more reliable for applications such as Voice over IP (VoIP). (For VoIP, because twice NAT is applicable only between two objects, you might see a failure in the translation of indirect addresses that do not belong to either of the objects.)
