Prerequisite – Adaptive security appliance (ASA), Network address translation (NAT)
ASA is a Cisco security device which has classic firewall capabilities like static packet filtering, stateful packet filtering with VPN, antivirus and intrusion prevention capabilities.
Network Address Translation (NAT) is a process in which a private IP address is translated to a public IP address. This hides the IP address of the original source device from the outside network.
Static NAT –
In this, a single unregistered (Private) IP address is mapped with a legally registered (Public) IP address i.e one-to-one mapping between local and global address.
These are generally used in Web hosting and home networks.
These are not used in organisations as there are many devices who will need Internet access and to provide Internet access, public IP addresses are needed. Suppose, if there are 3000 devices who needs access to Internet, the organisation have to buy 3000 public addresses that will be very costly.
- Step-1: Configure the access-list –
Build the access-list stating the permit condition i.e who should be permit and what protocol should be permit.
- Step-2: Apply the access-list to an interface –
The access-group command will be used to state the direction (out or in) in which the action (specified above) should be taken place.
- Step-3: Create network object –
This will state the host on which NAT will be applied.
- Step-4: Create static NAT statement –
This step will specify the direction in which NAT should takes place and in what IP address the private IP address should be translated, e.g., NAT (DMZ, OUTSIDE) static 220.127.116.11 This states that the static NAT operation will take place when the traffic is going from DMZ to OUTSIDE and will translate the IP address (specified in network object command) to 18.104.22.168
The access-list has been made to allow ICMP the traffic from OUTSIDE to DMZ or INSIDE because by default, the ICMP traffic is not allowed from lower security level to higher security level in ASA (Adaptive Security Appliance).
Three routers namely Router1 (IP address – 10.1.1.1/24), Router2 (IP address – 22.214.171.124/24) and Router3 (IP address – 126.96.36.199) are connected to ASA (IP address- 10.1.1.2/24, name – INSIDE and security level – 100 on Gi0/0, IP address – 188.8.131.52/24, name – DMZ and security level – 50 on Gi0/1, IP address – 184.108.40.206/24, name-OUTSIDE and security level – 0 on Gi0/2) as shown in the above figure.
In this task, we will enable static NAT for the traffic generating from INSIDE to OUTSIDE and for the traffic going from DMZ to OUTSIDE.
Configuring IP addresses on all routers and ASA.
Configure IP address on Router1.
Router1(config)#int fa0/0 Router1(config-if)#ip address 10.1.1.1 255.255.255.0 Router1(config-if)#no shut
Configuring IP address on Router2.
Router2(config)#int fa0/0 Router2(config-if)#ip address 220.127.116.11 255.255.255.0 Router2(config-if)#no shut
Configuring IP address on Router3.
Router3(config)#int fa0/0 Router3(config-if)#ip address 18.104.22.168 255.255.255.0 Router3(config-if)#no shut
Configuring IP address, name and security level on the interface of ASA.
asa(config)#int Gi0/0 asa(config-if)#no shut asa(config-if)#ip address 10.1.1.2 255.255.255.0 asa(config-if)#nameif INSIDE asa(config-if)#security level 100 asa(config-if)#exit asa(config)#int Gi0/1 asa(config-if)#no shut asa(config-if)#ip address 22.214.171.124 255.255.255.0 asa(config-if)#nameif DMZ asa(config-if)#security level 50 asa(config-if)#exit asa(config)#int Gi0/2 asa(config-if)#no shut asa(config-if)#ip address 126.96.36.199 255.255.255.0 asa(config-if)#nameif OUTSIDE asa(config-if)#security level 0
Now giving static routes to the routers.Configuring static route to Router1.
Router1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
Configuring static route to Router2.
Router2(config)#ip route 0.0.0.0 0.0.0.0 188.8.131.52
Configuring static route to Router3.
Router3(config)#ip route 0.0.0.0 0.0.0.0 184.108.40.206
Now, at last configuring static route to ASA.
asa(config)#route INSIDE 10.1.1.0 255.255.255.0 10.1.1.1 asa(config)#route OUTSIDE 220.127.116.11 255.255.255.0 18.104.22.168 asa(config)#route DMZ 22.214.171.124 255.255.255.0 10.1.1.1
Now, for ICMP, either we have to inspect or we have to use ACL to allow the ICMP echo reply from the lower security level to higher security level (This is to be done because by default, no traffic is allowed from lower security level to higher security level).
In this scenario, we will use ACL.
asa(config)#access-list traffic_out permit icmp any any asa(config)#access-list traffic_dmz permit icmp any any
Here, two access-list has been made.
First access-list name is traffic_out which will allow ICMP traffic from OUTSIDE to INSIDE (having any IP address any mask).
Second access-list has been made named as traffic_dmz which will allow ICMP traffic from OUTSIDE to DMZ (having any IP address any mask) .
Now, we have to apply these access-list to the ASA interfaces:
asa(config)#access-group traffic_out in interface OUTSIDE asa(config)#access-group traffic_dmz in interface DMZ
First statement states that the access-list traffic_out is applied in the inwards direction to the OUTSIDE interface. Second statement states that the access-list traffic_dmz is applied in the inwards direction to the DMZ interface.
Now, INSIDE devices will be able to ping OUTSIDE and DMZ devices. Now, the task is to enable NAT on ASA whenever the traffic goes out from INSIDE to OUTSIDE and DMZ to OUTSIDE.
asa(config)#object network INSIDE_OUTSIDE_NAT asa(config-network-object)#host 10.1.1.1 asa(config-network-object)#nat (INSIDE, OUTSIDE) static 126.96.36.199
Here, the host 10.1.1.1 will be translated to 188.8.131.52 when the traffic will go from INSIDE to OUTSIDE.
asa(config)#object network DMZ_OUTSIDE_NAT asa(config-network-object)#host 184.108.40.206 asa(config-network-object)#exit asa(config)#nat (DMZ, OUTSIDE) static 220.127.116.11
Here, the host 18.104.22.168 will be translated to 22.214.171.124 when the traffic will go from DMZ to OUTSIDE.
- Difference between Static and Dynamic Routing
- Difference between Static and Dynamic Web Pages
- Difference between Static and Dynamic IP address
- Difference between Spoofing and Phishing
- Introduction of Botnet in Computer Networks
- Difference between Bandwidth and Throughput
- Difference between EIGRP and OSPF
- OSI, TCP/IP and Hybrid models
- Local Broadcast and Loopback Address
- Internet of Things Based on Compressive Sensing
- Voice Biometric Technique in Network Security
- Hamming code Implementation in Java
- TCP Client-Server Program to Check if a Given String is Palindrome
- Difference between Private and Public IP addresses
If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to email@example.com. See your article appearing on the GeeksforGeeks main page and help other Geeks.
Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.