How to configure ASA Firewall Dynamic NAT?
Network address translation
NAT is the method of translating a private IP address into a public IP address. To communicate with the internet, we must have a registered public IP address.
Address translation was originally developed to solve two problems:
- To handle the shortage of IPv4 addresses
- To hide internal network addressing schemes
Types of NAT:
- Static NAT
- Dynamic NAT
- Port Address Translation (PAT)
Static NAT: a one-to-one mapping configured manually for every private IP that needs a registered IP address (one-to-one).
Dynamic NAT: a one-to-one mapping created automatically for every private IP that needs a registered IP address (one-to-one).
Port Address Translation (dynamic NAT overload): allows thousands of users to connect to the internet using only one real global IP address. It maps many to one by using different source ports. PAT is the real reason we haven’t run out of valid IP addresses on the internet.
Just like on Cisco IOS routers, we can configure NAT/PAT on the Cisco ASA firewall.
I’m assuming that you already know about NAT; if you don’t, please click here.
Let’s configure dynamic NAT.
Topology:
Goal:
- configure topology as per the diagram
- configure an IP address on the ISP router
- configure VLANs on the ASA firewall
- configure DHCP on the ASA firewall for inside
- configure a static route for VLAN 1 (inside)
- configure on ASA Dynamic NAT for VLAN 1
- make sure PC-A can ping web server 8.8.8.8
ISP-ROUTER(config)#interface gigabitEthernet 0/0
ISP-ROUTER(config-if)#ip address 192.168.1.1 255.255.255.0
ISP-ROUTER(config-if)#no shutdown
ISP-ROUTER(config-if)#exit
ISP-ROUTER(config)#interface gigabitEthernet 0/1
ISP-ROUTER(config-if)#ip address 8.8.8.1 255.0.0.0
ISP-ROUTER(config-if)#no shutdown
ISP-ROUTER(config-if)#exit
ciscoasa(config)#interface vlan 1
ciscoasa(config-if)#ip address 10.1.1.1 255.0.0.0
ciscoasa(config-if)#nameif inside
ciscoasa(config-if)#security-level 100
ciscoasa(config-if)#exit
ciscoasa(config)#interface ethernet 0/2
ciscoasa(config-if)#switchport access vlan 1
ciscoasa(config-if)#exit
ciscoasa(config)#interface vlan 2
ciscoasa(config-if)#ip address 192.168.1.2 255.255.255.0
ciscoasa(config-if)#nameif outside
ciscoasa(config-if)#security-level 0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#exit
ciscoasa(config)#interface vlan 3
ciscoasa(config-if)#no forward interface vlan 1
ciscoasa(config-if)#ip address 20.1.1.1 255.0.0.0
ciscoasa(config-if)#nameif dmz
INFO: Security level for “dmz” set to 0 by default.
ciscoasa(config-if)#security-level 50
ciscoasa(config-if)#exit
ciscoasa(config)#interface ethernet 0/1
ciscoasa(config-if)#switchport access vlan 3
ciscoasa(config-if)#end
ciscoasa#show interface ip brief
Interface    IP-Address    OK? Method Status Protocol
Vlan1        10.1.1.1      YES manual up     up
Vlan2        192.168.1.2   YES manual up     up
Vlan3        20.1.1.1      YES manual up     up
ciscoasa#show ip address
System IP Addresses:
Interface  Name     IP address    Subnet mask      Method
Vlan1      inside   10.1.1.1      255.0.0.0        manual
Vlan2      outside  192.168.1.2   255.255.255.0    manual
Vlan3      dmz      20.1.1.1      255.0.0.0        manual
Current IP Addresses:
Interface  Name     IP address    Subnet mask      Method
Vlan1      inside   10.1.1.1      255.0.0.0        manual
Vlan2      outside  192.168.1.2   255.255.255.0    manual
Vlan3      dmz      20.1.1.1      255.0.0.0        manual
ciscoasa#show switch vlan
VLAN Name     Status  Ports
---- -------- ------- ------------------------------
1    inside   up      Et0/2, Et0/3, Et0/4, Et0/5,
                      Et0/6, Et0/7
2    outside  up      Et0/0
3    dmz      up      Et0/1
ciscoasa(config)#dhcpd address 10.1.1.5-10.1.1.15 inside
ciscoasa(config)#dhcpd dns 8.8.8.8 interface inside
ciscoasa(config)#dhcpd enable inside
(Verify that PC-A, PC-B and PC-C receive their IP configuration from the ASA DHCP server)
[screenshots: PC-A IP configuration]
ciscoasa(config)#route outside 0.0.0.0 0.0.0.0 192.168.1.1
ciscoasa(config)#object network inside
ciscoasa(config-network-object)#subnet 10.0.0.0 255.0.0.0
ciscoasa(config-network-object)#nat (inside,outside) dynamic interface
ciscoasa(config-network-object)#exit
ciscoasa(config)#access-list ASA extended permit tcp any any
ciscoasa(config)#access-list ASA extended permit icmp any any
ciscoasa(config)#access-group ASA in interface outside
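Two points worth seeing in action here. First, `nat (inside,outside) dynamic interface` translates every inside host to the single outside interface address, so what the ASA actually builds is the many-to-one, port-based mapping the PAT definition above describes (dynamic PAT using the interface address), not a one-to-one dynamic NAT from a pool. Second, reply packets are matched against the translation (xlate) table the outbound traffic created; an inbound packet that matches no xlate has nowhere to go and is dropped, which is why the `permit tcp any any` entry in the outside ACL is not what lets web replies back in. ICMP is the exception: the ASA does not track echo/echo-reply state unless `inspect icmp` is enabled in the policy map, so the `permit icmp any any` entry is what makes the ping test succeed; enabling `inspect icmp` instead lets that ACL entry be dropped. The following Python model is an added example, not code from the page or from Cisco; the `Packet`, `DynamicPat` and `simulate_page_topology` names are mine, the addresses replay the page's topology (10.0.0.0/8 behind 192.168.1.2, server 8.8.8.8), and the port-allocation rule is a simplification of the ASA's behaviour.

```python
"""Toy model of dynamic PAT as configured by ``nat (inside,outside) dynamic interface``.

Constructed example: the inside object 10.0.0.0/8 is translated to the outside
interface address 192.168.1.2 as on the page. Port allocation is simplified
(a real ASA preserves the source port within its range when it is free).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int       # for ICMP echo, the identifier plays the port role
    dst: str
    dport: int
    proto: str = "tcp"


class DynamicPat:
    """Many-to-one translation: every inside host shares one mapped address
    and is told apart by its mapped source port (or ICMP identifier)."""

    def __init__(self, real_subnet, mapped_ip, port_range=(1024, 65535)):
        self.real_net = ipaddress.ip_network(real_subnet)
        self.mapped_ip = mapped_ip
        self.lo, self.hi = port_range
        # xlate table: (proto, mapped_port) -> (real_ip, real_port)
        self.xlate = {}
        # reverse index so a host that keeps sending reuses its mapped port
        self.forward = {}

    def _allocate_port(self, proto, wanted):
        # keep the original source port if it is in range and still free,
        # otherwise take the next free port from the pool (simplified)
        if self.lo <= wanted <= self.hi and (proto, wanted) not in self.xlate:
            return wanted
        for port in range(self.lo, self.hi + 1):
            if (proto, port) not in self.xlate:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def outbound(self, pkt):
        """inside -> outside: translate the source and build an xlate."""
        if ipaddress.ip_address(pkt.src) not in self.real_net:
            return None   # source not in the network object: this rule does not apply
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.forward:
            mapped_port = self._allocate_port(pkt.proto, pkt.sport)
            self.forward[key] = mapped_port
            self.xlate[(pkt.proto, mapped_port)] = (pkt.src, pkt.sport)
        return Packet(self.mapped_ip, self.forward[key], pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """outside -> inside: only a packet matching an existing xlate is
        un-translated; anything unsolicited has no entry and is dropped."""
        if pkt.dst != self.mapped_ip:
            return None
        entry = self.xlate.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        real_ip, real_port = entry
        return Packet(pkt.src, pkt.sport, real_ip, real_port, pkt.proto)


def simulate_page_topology():
    """Replay the page's scenario and return the observable results."""
    pat = DynamicPat("10.0.0.0/8", "192.168.1.2")
    # two DHCP clients from the page's pool both happen to pick source port 40000
    a = pat.outbound(Packet("10.1.1.5", 40000, "8.8.8.8", 80))
    b = pat.outbound(Packet("10.1.1.6", 40000, "8.8.8.8", 80))
    # the web server's reply to the second client returns to the shared address
    reply_b = pat.inbound(Packet("8.8.8.8", 80, "192.168.1.2", b.sport))
    # PC-A pings 8.8.8.8 (ICMP identifier 1); the echo-reply is matched the same way
    ping = pat.outbound(Packet("10.1.1.5", 1, "8.8.8.8", 1, "icmp"))
    echo_reply = pat.inbound(Packet("8.8.8.8", ping.sport, "192.168.1.2", ping.sport, "icmp"))
    # an unsolicited inbound connection to the outside address: no xlate, dropped
    unsolicited = pat.inbound(Packet("8.8.8.8", 51000, "192.168.1.2", 22))
    # a DMZ host is outside the object's subnet, so the (inside,outside) rule never applies
    dmz = pat.outbound(Packet("20.1.1.5", 5000, "8.8.8.8", 80))
    return {"a": a, "b": b, "reply_b": reply_b, "echo_reply": echo_reply,
            "unsolicited": unsolicited, "dmz": dmz}


if __name__ == "__main__":
    for name, pkt in simulate_page_topology().items():
        print(f"{name:11s} {pkt}")
```

Running it shows the first client keeping port 40000, the second being moved to a fresh mapped port so the two flows stay distinguishable on the one shared address, replies landing on the right inside host, and the unsolicited packet and the DMZ-sourced packet both producing no translation.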