Prerequisite – Adaptive security appliance (ASA), Network address translation (NAT), Static NAT (on ASA)
Network Address Translation is used for translation of private IP addresses into Public IP address while accessing the internet .NAT generally operates on router or firewall.
Dynamic NAT –
In this type of NAT, multiple private IP address are mapped to a pool of public IP address . It is used when we know the number of fixed users who wants to access the Internet at a given point of time.
Example: If we have 4 public IP address in a pool then at a time, only 4 users private IP address gets translated into public address.
The private IP who have a request for the translation first will get translated first (like First Come First Serve).If all the IP addresses in the pool are busy and a request for translation is recieved then the packets will be dropped.
Procedure (on ASA) – The Procedure is same as static NAT:
- Step-1: Configure the access-list –
Build the access-list stating the permit condition i.e who should be permit and what protocol should be permit.
- Step-2: Apply the access-list to an interface –
The access-group command will be used to state the direction (out or in) in which the action (specified above) should be taken place.
- Step-3: Create network object –
This will state the host or subnet on which Dynamic NAT will be applied.
Note that here 2 objects are created. One will specify the hosts or subnet (private IP address) on which NAT should be applied and other will the pool of public IP address.
- Step-4: Create Dynamic NAT statement –
This step will specify the direction in which NAT should takes place and on what IP address (Public IP address) the private IP address should be translated.
For example NAT (DMZ, OUTSIDE), Dynamic Private_hosts Public_pool: This states that the Dynamic NAT operation will take place when the traffic is going from DMZ to OUTSIDE and will translate the IP address (specified in the network object Private_hosts) to the available IP address of Pool (Public_pool).
Three routers namely Router1 (IP address – 10.1.1.1/24), Router2 (IP address – 22.214.171.124/24) and Router3 (IP address – 126.96.36.199) are connected to ASA (IP address- 10.1.1.2/24, name – INSIDE and security level – 100 on Gi0/0, IP address – 188.8.131.52/24, name – DMZ and security level – 50 on Gi0/1, IP address – 184.108.40.206/24, name-OUTSIDE and security level – 0 on Gi0/2) as shown in the above figure.
In this task, we will enable Dynamic NAT for the traffic generating from INSIDE to OUTSIDE and for the traffic going from DMZ to OUTSIDE.
Configuring IP addresses on all routers and ASA.
Configure IP address on Router1.
Router1(config)#int fa0/0 Router1(config-if)#ip address 10.1.1.1 255.255.255.0 Router1(config-if)#no shut
Configuring IP address on Router2.
Router2(config)#int fa0/0 Router2(config-if)#ip address 220.127.116.11 255.255.255.0 Router2(config-if)#no shut
Configuring IP address on Router3.
Router3(config)#int fa0/0 Router3(config-if)#ip address 18.104.22.168 255.255.255.0 Router3(config-if)#no shut
Configuring IP address, name and security level on the interface of ASA.
asa(config)#int Gi0/0 asa(config-if)#no shut asa(config-if)#ip address 10.1.1.2 255.255.255.0 asa(config-if)#nameif INSIDE asa(config-if)#security level 100 asa(config-if)#exit asa(config)#int Gi0/1 asa(config-if)#no shut asa(config-if)#ip address 22.214.171.124 255.255.255.0 asa(config-if)#nameif DMZ asa(config-if)#security level 50 asa(config-if)#exit asa(config)#int Gi0/2 asa(config-if)#no shut asa(config-if)#ip address 126.96.36.199 255.255.255.0 asa(config-if)#nameif OUTSIDE asa(config-if)#security level 0
Now giving static routes to the routers.Configuring static route to Router1.
Router1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
Configuring static route to Router2.
Router2(config)#ip route 0.0.0.0 0.0.0.0 188.8.131.52
Configuring static route to Router3.
Router3(config)#ip route 0.0.0.0 0.0.0.0 184.108.40.206
Now, at last configuring static route to ASA.
asa(config)#route INSIDE 10.1.1.0 255.255.255.0 10.1.1.1 asa(config)#route OUTSIDE 220.127.116.11 255.255.255.0 18.104.22.168 asa(config)#route DMZ 22.214.171.124 255.255.255.0 10.1.1.1
Now, for ICMP, either we have to inspect or we have to use ACL to allow the ICMP echo reply from the lower security level to higher security level (This is to be done because by default, no traffic is allowed from lower security level to higher security level).
asa(config)#access-list traffic_out permit icmp any any asa(config)#access-list traffic_dmz permit icmp any any
Here, two access-list has been made:
- First access-list name is traffic_out which will allow ICMP traffic from OUTSIDE to INSIDE (having any IP address any mask).
- Second access-list has been made named as traffic_dmz which will allow ICMP traffic from OUTSIDE to DMZ (having any IP address any mask).
Now, we have to apply these access-list to the ASA interfaces:
asa(config)#access-group traffic_out in interface OUTSIDE asa(config)#access-group traffic_dmz in interface DMZ
First statement states that the access-list traffic_out is applied in the inwards direction to the OUTSIDE interface
Second statement states that the access-list traffic_dmz is applied in the inwards direction to the DMZ interface.
Now, INSIDE devices will be able to ping OUTSIDE and DMZ devices.
Now, the task is to enable Dynamic NAT on ASA whenever the whole subnet (10.1.1.0/24) traffic goes out from INSIDE to OUTSIDE and traffic of network (126.96.36.199/24) from DMZ to OUTSIDE.
asa(config)#object network inside_nat asa(config-network-object)#subnet 10.1.1.0 255.255.255.0 asa(config-network-object)#exit
First, we have specified that which subnet should get translated.
asa(config)#object network NAT_pool asa(config-network-object)#range 188.8.131.52 184.108.40.206 asa(config-network-object)#exit
Now, NAT pool has been made which contains public IP address (into which private IP address get translated). Now, direction of NAT translation will be specified.
asa(config)#nat (INSIDE, OUTSIDE) source dynamic inside_nat NAT_pool
Now, applying NAT for traffic going out from DMZ to OUTSIDE.
asa(config)#object network dmz_nat asa(config-network-object)#subnet 220.127.116.11 255.255.255.0 asa(config-network-object)#exit
Now, Creating NAT pool for this traffic.
asa(config)#object network dmz_nat_pool asa(config-network-object)#range 18.104.22.168 22.214.171.124 asa(config-network-object)#exit
The pool dmz_nat_pool contains 4 public IP address ranging from (126.96.36.199 to 188.8.131.52). Now, the direction for NAT translation is specified.
asa(config)#nat (DMZ, OUTSIDE) source dynamic dmz_nat dmz_nat_pool
The above command specifies that the subnet in dmz_nat should get translated into one of the IP address of the pool dmz_nat_pool using dynamic NAT.
Attention reader! Don’t stop learning now. Get hold of all the important DSA concepts with the DSA Self Paced Course at a student-friendly price and become industry ready.
- Dynamic Trunking Protocol (DTP)
- Difference between Static and Dynamic Web Pages
- Difference between Static and Dynamic IP address
- Difference between Static and Dynamic Routing
- Difference between Fixed and Dynamic Channel Allocations
- Dynamic Host Configuration Protocol (DHCP)
- Algorithm for Dynamic Time out timer Calculation
- Dynamic Domain Name System (DDNS) in Application Layer
- Random Walk
- Additive Secret Sharing and Share Proactivization - Using Python
- Introduction of Novell NetWare
- Hidden Station Problem (HSP) in Wireless LAN
- SRTP Fullform
- Basic Frame Structure of SDLC
If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to firstname.lastname@example.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.
Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.