Monday, September 9, 2013

Configuring ASA NAT - Dynamic NAT - Object Network NAT

In this blogtorial we will see how we can take an inside LAN subnet and dynamically NAT using a POOL of addresses. Make sure the pool of addresses being used is reachable from the destination.

Here is the topology and the entire config can be downloaded here.
Objective:

Inside LAN (10.1.1.0/24) subnet should be dynamically translated to one of the IP addresses from the POOL (204.11.72.0/24). 
The first thing we need to do is configure the interfaces (inside/outside) of the ASA.

 CISCOASA#  
 interface GigabitEthernet0  
  nameif inside-int 
  !!Security Level should be set to something higher than the outside interface. I set it to
  !!0 here because I didn't want to mess around with ACLs. 
  !!Note: with both interfaces at level 0, the ASA drops traffic between them unless
  !!"same-security-traffic permit inter-interface" is also configured.
  security-level 0  
  ip address 10.1.1.1 255.255.255.0  
 !  
 interface GigabitEthernet1  
  nameif outside-int  
  security-level 0  
  ip address 192.168.2.1 255.255.255.0  
 !  

Let's get R1 configured so we have something outside of the ASA to send traffic to.

 R1#   
 !  
 !!Set up the interface
 interface FastEthernet1/0  
  description connected_to_asa  
  ip address 192.168.2.2 255.255.255.0  
  duplex auto  
  speed auto  
 !
 !!Set up a static route so R1 has a route back to the ASA NAT POOL   
 ip route 204.11.72.0 255.255.255.0 192.168.2.1  

Alright now let's move on to the actual NAT config on the ASA.

 CISCOASA#  
 !
 !!Create an object referencing the range of outside addresses that the inside IPs
 !!are translated to.
 object network my-range-obj  
  range 204.11.72.1 204.11.72.253  
 !
 !!Create an object referencing the range of inside addresses and apply the NAT command.   
 object network my-inside-net  
  subnet 10.1.1.0 255.255.255.0  
  !!NAT the inside range specified above dynamically to the object "my-range-obj"
  !!(204.11.72.1-204.11.72.253). The names in parentheses must match the nameif
  !!values configured on the interfaces (inside-int/outside-int here).
  nat (inside-int,outside-int) dynamic my-range-obj  
 !  

Now the ASA will dynamically translate anything coming from 10.1.1.0/24 to one of the POOL addresses (204.11.72.1-204.11.72.253).

Let's verify by pinging from a host inside (in this case it is 10.1.1.254) to the IP on R1.

As you can see, the ping from 10.1.1.254 is translated to an IP address in the 204.11.72.1-.253 range.
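To check the same thing from the ASA itself rather than from a ping screenshot, the script below (an added example, not code from the original post) parses `show xlate` output and flags any translation whose real address is outside 10.1.1.0/24 or whose mapped address falls outside the 204.11.72.1-204.11.72.253 pool. The xlate sample is constructed, and the line format and interface names are assumed from the ASA 8.3+ output and the post's nameif values.

```python
import ipaddress
import re

# Constructed sample of ASA 8.3+ "show xlate" output; not captured from the post's lab.
SHOW_XLATE = """\
3 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from inside-int:10.1.1.254 to outside-int:204.11.72.1 flags i idle 0:00:04 timeout 3:00:00
NAT from inside-int:10.1.1.20 to outside-int:204.11.72.2 flags i idle 0:01:12 timeout 3:00:00
NAT from inside-int:10.1.1.30 to outside-int:204.11.72.254 flags i idle 0:00:09 timeout 3:00:00
"""

# One translation line: real (pre-NAT) address on the inside, mapped address on the outside.
XLATE_RE = re.compile(
    r"^NAT from (?P<in_if>\S+):(?P<real>[\d.]+) to (?P<out_if>\S+):(?P<mapped>[\d.]+) flags (?P<flags>\S+)"
)

INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")    # object my-inside-net
POOL_FIRST = ipaddress.ip_address("204.11.72.1")    # object my-range-obj
POOL_LAST = ipaddress.ip_address("204.11.72.253")

def parse_xlate(text):
    """Return one dict per 'NAT from ... to ...' line; header lines are skipped."""
    return [m.groupdict() for m in map(XLATE_RE.match, text.splitlines()) if m]

def in_pool(addr):
    return POOL_FIRST <= ipaddress.ip_address(addr) <= POOL_LAST

def audit_xlate(text):
    """Classify each translation against the configured subnet and pool.
    Returns (ok, anomalies); an anomaly is (real, mapped, reason). A mapped
    address outside the pool means some other NAT rule handled the packet."""
    ok, anomalies = [], []
    for e in parse_xlate(text):
        if ipaddress.ip_address(e["real"]) not in INSIDE_NET:
            anomalies.append((e["real"], e["mapped"], "real address outside 10.1.1.0/24"))
        elif not in_pool(e["mapped"]):
            anomalies.append((e["real"], e["mapped"], "mapped address outside pool"))
        else:
            ok.append((e["real"], e["mapped"]))
    return ok, anomalies

def pool_headroom(text):
    """Hosts the pool can still serve: dynamic NAT is one-to-one, so 253
    addresses serve at most 253 concurrent inside hosts (no PAT fallback)."""
    return int(POOL_LAST) - int(POOL_FIRST) + 1 - len(parse_xlate(text))
```

Paste real `show xlate` output into SHOW_XLATE; a non-empty anomalies list or a headroom near zero is the thing to investigate, since a dynamic NAT rule without a PAT fallback simply drops new hosts once the pool is exhausted.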

Many more articles to come so stay tuned.

Please reshare/subscribe/comment/+1 if you like my posts as it keeps me motivated to write more and spread the knowledge.

2 comments:

  1. Useful tips. thx for your knowledge sharing.

  2. I tried, but found a couple of issues as follows:
    1. Can ping from local PC to ASA, not backward
    2. Cannot ping from local PC to router IP - 192.168.2.2
    3. This command is not recognized: "nat (inside,outside) dynamic my-range-obj"
