
What’s New and What’s Coming from CBT Nuggets


We are always creating new content for you here at CBT Nuggets. Here is your October News Flash with the details! In an act of shameless self-promotion, I listed my courses in BOLD. What would you like to see from CBT Nuggets? Let me know in the comments area below this post.

JUST RELEASED

  • Ansible Essentials
  • AWS Certified SysOps Administrator – Associate
  • CompTIA Security+ (SY0-501)
  • Installation, Storage, and Compute with Windows Server 2016 (Exam 70-740)
  • IT Expertise: Building and Configuring a Business Switch Network
  • Microsoft Teams
  • Salesforce Admin – Classic Interface
  • Soft Skills for ScrumMasters
  • VMware vSphere 6.5 (VCP6.5-DCV)
  • Windows 10 End User Essentials

IN DEVELOPMENT

  • End User Security Awareness
  • Designing and Operating Defensible Network Architectures
  • Agile Essentials
  • IT Expertise: Building and Configuring a Business Wireless Network
  • CompTIA Cloud Essentials (CLO-001)
  • Microsoft MCSA SQL Server 2016 70-761
  • Everything Linux
  • Microsoft Azure 70-533 with ARM Updates

“New” NAT on the ASA – Object NAT/PAT with Manual Config

There are so many variations possible with NAT now, and I am just talking about the “new” rules. In this post, let's review just one: dynamic NAT with a PAT backup using network objects. We will provide the NAT instructions manually instead of inside an object.

Our topology is as follows:

[Topology diagram: ASA NAT]

Our objective here is as follows:

  • Configure NAT so that hosts on the inside network 192.168.65.0/24 attempting to reach the outside network are translated using the pool 74.0.0.102 to 74.0.0.103. We need to use the interface IP address as a PAT backup. The NAT configuration must be manual.

My first step is to create my network objects:

object network 192INSIDE
 subnet 192.168.65.0 255.255.255.0
object network POOL1
 range 74.0.0.102 74.0.0.103

To verify this step, use show run object.

Now I am ready for the manual NAT:

nat (inside,outside) source dynamic 192INSIDE POOL1 interface

The above command is made VERY easy thanks to context-sensitive help.

For verification – we do not even need to leave the ASA thanks to Packet Tracer!

packet-tracer input inside tcp 192.168.65.3 1027 4.4.4.4 23
...
Phase: 4      
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,outside) source dynamic 192INSIDE POOL1 interface
Additional Information:
Dynamic translate 192.168.65.3/1027 to 74.0.0.102/1027
...
Result:       
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
ASA1# 
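
The Packet Tracer check above can be scripted so that a NAT change is verified against the intended policy rather than read by eye. This is an added example, not part of the original post: the function name, result labels and the interface_ip parameter are assumptions, and it assumes the PAT-backup case is reported on the same "Dynamic translate" line.

```python
import ipaddress
import re

# Packet-tracer output taken from the run shown in the post (trimmed).
SAMPLE = """\
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic 192INSIDE POOL1 interface
Additional Information:
Dynamic translate 192.168.65.3/1027 to 74.0.0.102/1027
Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# Values of the 192INSIDE and POOL1 objects configured in the post.
INSIDE = ipaddress.ip_network("192.168.65.0/24")
POOL1 = (ipaddress.ip_address("74.0.0.102"), ipaddress.ip_address("74.0.0.103"))

TRANSLATE = re.compile(
    r"^Dynamic translate ([\d.]+)/(\d+) to ([\d.]+)/(\d+)\s*$", re.M)
ACTION = re.compile(r"^Action:\s*(\S+)", re.M)


def check_trace(text, pool=POOL1, inside=INSIDE, interface_ip=None):
    """Classify one packet-tracer result against the intended NAT policy."""
    action = ACTION.search(text)
    if not action or action.group(1).lower() != "allow":
        return "dropped"
    m = TRANSLATE.search(text)
    if not m:
        # Flow is allowed but no translation was reported: the real
        # inside address would be exposed on the outside interface.
        return "no-translation"
    real = ipaddress.ip_address(m.group(1))
    mapped = ipaddress.ip_address(m.group(3))
    if real not in inside:
        return "unexpected-source"
    if pool[0] <= mapped <= pool[1]:
        return "pool"
    # interface_ip is supplied by the caller; the post does not state it.
    if interface_ip and mapped == ipaddress.ip_address(interface_ip):
        return "pat-backup"
    return "unexpected-mapping"
```

A result of "no-translation" or "unexpected-mapping" is the one to alert on, since it means traffic is leaving with an address the policy did not intend.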

Of course, we can always create traffic through the ASA and view the translation. Here I telnet through from R3 on the inside to R4 on the outside. We confirm our configuration and that traffic is matching it:

ASA1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic 192INSIDE POOL1 interface  
    translate_hits = 6, untranslate_hits = 6
ASA1#

Of course I will be back with plenty of other “new” NAT sample configurations and verifications for you.