2. Cisco ASA Dynamic NAT with DMZ


In a previous lesson I explained how to configure dynamic NAT from the inside to the outside. In this lesson we add a DMZ and some more NAT translations. Here’s the topology that we will use:

[Topology diagram: ASA1 with INSIDE, OUTSIDE and DMZ interfaces]

In this example we have our INSIDE, OUTSIDE and DMZ interfaces. The security levels of these interfaces are:

  • INSIDE: 100
  • OUTSIDE: 0
  • DMZ: 50

We can go from a “high” security level to a “low” security level so this means that hosts from the INSIDE can reach the DMZ and OUTSIDE. Hosts from the DMZ will also be able to reach the OUTSIDE. We will configure NAT for the following traffic patterns:

  • Traffic from hosts on the INSIDE to the OUTSIDE: we’ll use a “public” pool for this.
  • Traffic from hosts on the INSIDE to the DMZ: we’ll use a “DMZ” pool for this.
  • Traffic from hosts on the DMZ to the OUTSIDE: we’ll use the same public pool for this.

Here’s what a visualization of these NAT rules looks like:

[Diagram: ASA1 INSIDE, OUTSIDE and DMZ NAT translations]

Let’s start by configuring the interfaces:

ASA1(config)# interface e0/0
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config)# interface e0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config)# int e0/2
ASA1(config-if)# nameif DMZ
ASA1(config-if)# security-level 50
ASA1(config-if)# ip address 192.168.3.254 255.255.255.0
ASA1(config-if)# no shutdown

The INSIDE and OUTSIDE interfaces keep their default security levels (100 and 0); the DMZ I configured to 50 myself. Now let’s look at the dynamic NAT configuration…

Dynamic NAT with three Interfaces

First we will create the pools:

ASA1(config)# object network PUBLIC_POOL
ASA1(config-network-object)# range 192.168.2.100 192.168.2.200
ASA1(config)# object network DMZ_POOL
ASA1(config-network-object)# range 192.168.3.100 192.168.3.200

I will use a range of IP addresses from the subnets that are configured on the OUTSIDE and DMZ interfaces. Now we can create some network objects for the NAT translations:

ASA1(config)# object network INSIDE_TO_DMZ
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,DMZ) dynamic DMZ_POOL

The first network object is called INSIDE_TO_DMZ and specifies the subnet of the INSIDE hosts. The NAT entry translates the 192.168.1.0/24 subnet to IP addresses in the pool called DMZ_POOL. The other network objects are similar:

ASA1(config)# object network INSIDE_TO_OUTSIDE
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL

This one is for traffic from the INSIDE to the OUTSIDE and uses PUBLIC_POOL. The last one is for traffic from our DMZ to the OUTSIDE:

ASA1(config)# object network DMZ_TO_OUTSIDE
ASA1(config-network-object)# subnet 192.168.3.0 255.255.255.0
ASA1(config-network-object)# nat (DMZ,OUTSIDE) dynamic PUBLIC_POOL

That’s all that we have to configure; let’s verify our work…

Verification

We’ll generate some traffic between the routers and see if their IP packets are translated correctly. Let’s send something from R1 to R2 (INSIDE to OUTSIDE):

R1#telnet 192.168.2.2
Trying 192.168.2.2 ... Open

We have a connection, so let’s see if we have a translation:

ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from INSIDE:192.168.1.1 to OUTSIDE:192.168.2.166 flags i idle 0:00:33 timeout 3:00:00

Great, IP address 192.168.1.1 was translated to 192.168.2.166. Let’s also generate some traffic from R1 to R3 (INSIDE to DMZ):

R1#telnet 192.168.3.3
Trying 192.168.3.3 ... Open

It’s working; let’s check the translation:

ASA1# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from INSIDE:192.168.1.1 to DMZ:192.168.3.146 flags i idle 0:00:14 timeout 3:00:00
NAT from INSIDE:192.168.1.1 to OUTSIDE:192.168.2.166 flags i idle 0:00:23 timeout 3:00:00

So far so good: 192.168.1.1 was translated to 192.168.3.146. Last but not least, let’s try some packets from R3 to R2 (DMZ to OUTSIDE):

R3#telnet 192.168.2.2
Trying 192.168.2.2 ... Open

And our translation looks like:

ASA1# show xlate
3 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from DMZ:192.168.3.3 to OUTSIDE:192.168.2.192 flags i idle 0:00:10 timeout 3:00:00
NAT from INSIDE:192.168.1.1 to DMZ:192.168.3.146 flags i idle 0:02:57 timeout 3:00:00
NAT from INSIDE:192.168.1.1 to OUTSIDE:192.168.2.166 flags i idle 0:03:06 timeout 3:00:00

Excellent, this was also translated. That’s all there is to it: dynamic NAT with multiple interfaces. I hope this example has been useful; if you have any questions feel free to leave a comment!
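As an added check that is not part of the original lesson, the Python script below parses the show xlate output above and verifies that every translation matches the NAT rules we configured: the real address must belong to the subnet of the rule for that interface pair, the mapped address must fall inside the pool that rule uses, and the flag must be i (dynamic). Anything else is reported, which the constructed BAD_XLATE variant (a DMZ host mapped outside PUBLIC_POOL) demonstrates.

```python
import ipaddress
import re

# Pools and object NAT rules exactly as configured on ASA1 in this lesson.
POOLS = {"PUBLIC_POOL": ("192.168.2.100", "192.168.2.200"),
         "DMZ_POOL": ("192.168.3.100", "192.168.3.200")}
# (real interface, mapped interface) -> (real subnet, pool the mapped address must come from)
NAT_RULES = {("INSIDE", "DMZ"): ("192.168.1.0/24", "DMZ_POOL"),
             ("INSIDE", "OUTSIDE"): ("192.168.1.0/24", "PUBLIC_POOL"),
             ("DMZ", "OUTSIDE"): ("192.168.3.0/24", "PUBLIC_POOL")}

# One translation line of 'show xlate'; the header and flag legend do not match and are skipped.
XLATE_RE = re.compile(r"NAT from (?P<rif>\w+):(?P<real>[\d.]+) to (?P<mif>\w+):(?P<mapped>[\d.]+)"
                      r" flags (?P<flags>\S+)")

def parse_xlate(output):
    """Return one dict per 'NAT from ...' line: real/mapped interface and address, flags."""
    return [m.groupdict() for m in map(XLATE_RE.search, output.splitlines()) if m]

def in_pool(addr, pool):
    """True if addr lies inside the inclusive 'range' of the named pool object."""
    first, last = (int(ipaddress.ip_address(a)) for a in POOLS[pool])
    return first <= int(ipaddress.ip_address(addr)) <= last

def check_xlate(output, rules=NAT_RULES):
    """Return a list of problem strings; an empty list means every xlate matches its rule."""
    problems = []
    for e in parse_xlate(output):
        rule = rules.get((e["rif"], e["mif"]))
        if rule is None:
            problems.append(f"no NAT rule for {e['rif']} -> {e['mif']}")
            continue
        real_net, pool = rule
        if ipaddress.ip_address(e["real"]) not in ipaddress.ip_network(real_net):
            problems.append(f"{e['real']} is not in {real_net}")
        elif not in_pool(e["mapped"], pool):
            problems.append(f"{e['mapped']} is not in {pool}")
        elif "i" not in e["flags"]:
            problems.append(f"{e['real']} -> {e['mapped']} is not a dynamic (i) translation")
    return problems

# The final 'show xlate' output from this lesson (legend lines omitted).
SAMPLE_XLATE = """\
3 in use, 3 most used
NAT from DMZ:192.168.3.3 to OUTSIDE:192.168.2.192 flags i idle 0:00:10 timeout 3:00:00
NAT from INSIDE:192.168.1.1 to DMZ:192.168.3.146 flags i idle 0:02:57 timeout 3:00:00
NAT from INSIDE:192.168.1.1 to OUTSIDE:192.168.2.166 flags i idle 0:03:06 timeout 3:00:00
"""
# Constructed variant: the DMZ host is mapped to an address outside PUBLIC_POOL.
BAD_XLATE = SAMPLE_XLATE.replace("192.168.2.192", "192.168.2.50")
```

Running check_xlate(SAMPLE_XLATE) returns an empty list, while check_xlate(BAD_XLATE) reports the out-of-pool mapped address.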

