Open In App

Dynamic NAT (on ASA)

Improve
Improve
Like Article
Like
Save
Share
Report

Prerequisite – Adaptive security appliance (ASA), Network address translation (NAT), Static NAT (on ASA) 
Network Address Translation is used for the translation of private IP addresses into public IP addresses while accessing the internet.NAT generally operates on a router or firewall. 

Dynamic NAT – 
In this type of NAT, multiple private IP addresses are mapped to a pool of public IP addresses. It is used when we know the number of fixed users who want to access the Internet at a given point in time. 

Example: If we have 4 public IP address in a pool then at a time, only 4 users private IP address gets translated into public address. 
The private IP who have a request for the translation first will get translated first (like First Come First Serve). If all the IP addresses in the pool are busy and a request for translation is received then the packets will be dropped. 

Procedure (on ASA) – The Procedure is the same as static NAT: 
 

  • Step-1: Configure the access list – 
    Build the access list stating the permit condition i.e who should be permitted and what protocol should be permitted. 
     
  • Step-2: Apply the access-list to an interface – 
    The access-group command will be used to state the direction (out or in) in which the action (specified above) should be taken place. 
     
  • Step-3: Create network object – 
    This will state the host or subnet on which Dynamic NAT will be applied. 

    Note that here 2 objects are created. One will specify the hosts or subnet (private IP address) on which NAT should be applied and the other will the pool of public IP addresses. 
     

  • Step-4: Create Dynamic NAT statement – 
    This step will specify the direction in which NAT should take place and on what IP address (Public IP address) the private IP address should be translated. 
     

For example NAT (DMZ, OUTSIDE), Dynamic Private_hosts Public_pool: This states that the Dynamic NAT operation will take place when the traffic is going from DMZ to OUTSIDE and will translate the IP address (specified in the network object Private_hosts) to the available IP address of Pool (Public_pool). 

Example – 

 

Three routers namely Router1 (IP address – 10.1.1.1/24), Router2 (IP address – 11.1.1.1/24) and Router3 (IP address – 101.1.1.1) are connected to ASA (IP address- 10.1.1.2/24, name – INSIDE and security level – 100 on Gi0/0, IP address – 11.1.1.2/24, name – DMZ and security level – 50 on Gi0/1, IP address – 101.1.1.2/24, name-OUTSIDE and security level – 0 on Gi0/2) as shown in the above figure. 

In this task, we will enable Dynamic NAT for the traffic generating from INSIDE to OUTSIDE and for the traffic going from DMZ to OUTSIDE. 
Configuring IP addresses on all routers and ASA. 
Configure IP address on Router1. 
 

Router1(config)#int fa0/0
Router1(config-if)#ip address 10.1.1.1 255.255.255.0
Router1(config-if)#no shut 

Configuring IP address on Router2. 
 

Router2(config)#int fa0/0
Router2(config-if)#ip address 11.1.1.1 255.255.255.0
Router2(config-if)#no shut 

Configuring IP address on Router3. 
 

Router3(config)#int fa0/0
Router3(config-if)#ip address 101.1.1.1 255.255.255.0
Router3(config-if)#no shut 

Configuring IP address, name, and security level on the interface of ASA. 
 

asa(config)#int Gi0/0
asa(config-if)#no shut
asa(config-if)#ip address 10.1.1.2 255.255.255.0
asa(config-if)#nameif INSIDE 
asa(config-if)#security level 100
asa(config-if)#exit
asa(config)#int Gi0/1
asa(config-if)#no shut
asa(config-if)#ip address 11.1.1.2 255.255.255.0
asa(config-if)#nameif DMZ
asa(config-if)#security level 50
asa(config-if)#exit
asa(config)#int Gi0/2
asa(config-if)#no shut
asa(config-if)#ip address 101.1.1.2 255.255.255.0
asa(config-if)#nameif OUTSIDE
asa(config-if)#security level 0

Now giving static routes to the routers. Configuring static route to Router1. 
 

Router1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2 

Configuring static route to Router2. 
 

Router2(config)#ip route 0.0.0.0 0.0.0.0 11.1.1.2 

Configuring static route to Router3. 
 

Router3(config)#ip route 0.0.0.0 0.0.0.0 101.1.1.2 

Now, at last, configuring a static route to ASA. 
 

asa(config)#route INSIDE 10.1.1.0 255.255.255.0 10.1.1.1
asa(config)#route OUTSIDE 101.1.1.0 255.255.255.0 101.1.1.1
asa(config)#route DMZ 11.1.1.0 255.255.255.0 10.1.1.1

Now, for ICMP, either we have to inspect or we have to use ACL to allow the ICMP echo reply from the lower security level to higher security level (This is to be done because, by default, no traffic is allowed from lower security level to higher security level). 

Configuring access-list: 
 

asa(config)#access-list traffic_out permit icmp any any 
asa(config)#access-list traffic_dmz permit icmp any any 

Here, two access-list has been made: 
 

  1. First, the access-list name is traffic_out which will allow ICMP traffic from OUTSIDE to INSIDE (having an IP address any mask). 
     
  2. The second access list has been made named traffic_dmz which will allow ICMP traffic from OUTSIDE to DMZ (having an IP address any mask). 
     

Now, we have to apply this access list to the ASA interfaces: 
 

asa(config)#access-group traffic_out in interface OUTSIDE 
asa(config)#access-group traffic_dmz in interface DMZ

The first statement states that the access-list traffic_out is applied in the inwards direction to the OUTSIDE interface 
The second statement states that the access-list traffic_dmz is applied in the inwards direction to the DMZ interface. 
Now, INSIDE devices will be able to ping OUTSIDE and DMZ devices. 
Now, the task is to enable Dynamic NAT on ASA whenever the whole subnet (10.1.1.0/24) traffic goes out from INSIDE to OUTSIDE and traffic of network (11.1.1.0/24) from DMZ to OUTSIDE. 
 

asa(config)#object network inside_nat
asa(config-network-object)#subnet 10.1.1.0 255.255.255.0
asa(config-network-object)#exit

First, we have specified that which subnet should get translated. 
 

asa(config)#object network NAT_pool
asa(config-network-object)#range 110.1.1.1 110.1.1.4
asa(config-network-object)#exit

Now, the NAT pool has been made which contains the public IP address (into which private IP addresses get translated). Now, the direction of NAT translation will be specified. 
 

asa(config)#nat (INSIDE, OUTSIDE) source dynamic inside_nat NAT_pool

Now, applying NAT for traffic going out from DMZ to OUTSIDE. 
 

asa(config)#object network dmz_nat
asa(config-network-object)#subnet 11.1.1.0 255.255.255.0
asa(config-network-object)#exit

Now, Creating NAT pool for this traffic. 
 

asa(config)#object network dmz_nat_pool
asa(config-network-object)#range 120.1.1.1 120.1.1.4
asa(config-network-object)#exit

The pool dmz_nat_pool contains 4 public IP addresses ranging from (120.1.1.1 to 120.1.1.4). Now, the direction for NAT translation is specified. 
 

asa(config)#nat (DMZ, OUTSIDE) source dynamic dmz_nat dmz_nat_pool 

The above command specifies that the subnet in dmz_nat should get translated into one of the IP addresses of the pool dmz_nat_pool using dynamic NAT.
 


Last Updated : 25 Oct, 2021
Like Article
Save Article
Previous
Next
Share your thoughts in the comments
Similar Reads