Tag Archives: firewall

AJSnetworking.com Book Giveaway – FIREWALL Book!

CCNP Security, News, ,

firewall

I will be giving away my tech book collection here at the blog throughout the month as a thank you to my readers!

The fourth giveaway is ready – OK, OK, this exam (642-617) has been retired, but the book is still chock full of Cisco ASA goodness. Since I am one of the authors, it even comes personalized from me. That is worth at least an extra 0.10 cents.

The first reader THAT TRULY NEEDS this book for their studies to respond using the Contact Anthony link at the top of the blog will receive it. You must meet these conditions:

  • Mailing address in the continental US
  • Provide valid full name and mailing address in the email
  • Be a good person 🙂
  • Have not received a free gift from this site prior to this giveaway

I am so glad I can help you with your studies!

“New” NAT on the ASA – Object NAT/PAT with Manual Config

CCIE Security, , , , , ,

There are so many variations that are possible with NAT now – and I am just talking in the “new rules”. In this post, lets just review one. We will do dynamic NAT with a PAT backup using network objects. We will provide the NAT instructions manually instead of inside an object.

Our topology is as follows:

ASA NAT

Our objective here is as follows:

  • Configure NAT so that hosts on the inside network 192.168.65.0/24 attempting to reach the outside network are translated using the pool 74.0.0.102 to 103. We need to use the interface IP address as a PAT backup. The NAT configuration must be manual.

My first step is to create my network objects:

object network 192INSIDE
 subnet 192.168.65.0 255.255.255.0
object network POOL1
 range 74.0.0.102 74.0.0.103

Verification of this step is show run object.

Now I am ready for the manual NAT:

nat (inside,outside) source dynamic 192INSIDE POOL1 interface

The above command is made VERY easy thanks to context-sensitive help.

For verification – we do not even need to leave the ASA thanks to Packet Tracer!

packet-tracer input inside tcp 192.168.65.3 1027 4.4.4.4 23
...
Phase: 4      
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,outside) source dynamic 192INSIDE POOL1 interface
Additional Information:
Dynamic translate 192.168.65.3/1027 to 74.0.0.102/1027
...
Result:       
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
ASA1# 

Of course, we can always create traffic through the ASA and view the translation. Here I telnet through from R3 on the inside to R4 on the outside. We confirm out configuration and that traffic is matching it:

ASA1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic 192INSIDE POOL1 interface  
    translate_hits = 6, untranslate_hits = 6
ASA1#

Of course I will be back with plenty of other “new” NAT sample configurations and verifications for you.