Difference between revisions of "NAT Cisco ASA"

From Teknologisk videncenter
=Outside in - one-to-one nat=
Internal IP: 192.168.138.152

External IP: 217.198.220.152


<b>Version 8 ASA</b>
<source lang=cli>
! Permit inbound traffic to the internal host and bind the ACL inbound on OUTSIDE.
! On ASA 8.3 and later the ACL names the real (internal) address, not the mapped one.
! "permit ip any host" opens every protocol; narrow it to the published ports when you can.
access-list H5MAJ2017 permit ip any host 192.168.138.152
access-group H5MAJ2017 in interface OUTSIDE
!
! Object NAT: the internal host is reachable from OUTSIDE as 217.198.220.152.
object network OBJ192.168.138.152
 host 192.168.138.152
 nat (INSIDE,OUTSIDE) static 217.198.220.152
!
</source>


<b>Version 9 ASA</b>

It looks like a lot when all of this is written out, but it makes sense for keeping track of the rules in the firewall through the graphical interface, and it makes the log review easier afterwards if something goes wrong.

<i><b>NOTE: </b>It is best to use their ASDM manager to create these rules.</i>

<b>Object</b>
<source lang=cli>
! One object for the public (mapped) address and one for the internal (real) host.
! Note that the host address below differs from the address in the object name;
! make sure the host line carries the public address the NAT rule is meant to match.
object network 217.198.220.139--SMTP.HOTDATA.DK
 host 212.198.213.139
object network WEB01.HOTDATA.DK
 host 192.168.130.3
</source>


==NAT RULE==
===Original source===
<source lang=cli>
! Twice NAT: connections arriving on OUTSIDE for the public address are sent to the internal host.
! Both destination objects must exist before the rule is entered.
! "source static any any" keeps the client's real source address, so the server logs the real sender.
nat (OUTSIDE,INSIDE) 2 source static any any destination static 217.198.220.139--SMTP.HOTDATA.DK 192.168.130.15--SMTP.HOTDATA.DK no-proxy-arp description SMTP.HOTDATA.DK
</source>
===Change source address===
<source lang=cli>
! Same rule, but the client source is translated to the INSIDE interface address.
! The server then sees the firewall as the sender; the real client address is only in the ASA logs.
nat (OUTSIDE,INSIDE) 2 source static any interface destination static 217.198.220.139--SMTP.HOTDATA.DK 192.168.130.15--SMTP.HOTDATA.DK no-proxy-arp description SMTP.HOTDATA.DK
</source>


<b>ACCESS LIST</b>
<i>Check whether an object group already exists that covers the same need before you create a new one.</i>
<source lang=cli>
! Service group limiting the published ports to http and https.
object-group service DM_INLINE_TCP_5 tcp
 port-object eq http
 port-object eq https
! Entry in the global ACL (ASA 8.3+: the real internal address is referenced, not the mapped one).
access-list global_access line 4 extended permit tcp any object 192.168.130.30--WEB01.HOTDATA.DK object-group DM_INLINE_TCP_5
</source>


==Example==
<source lang=cli>
object network SVPjan18outside
 host 217.198.220.151
object network SVPjan18inside
 host 192.168.151.111

! The two rules below are alternatives: the first keeps the client's real source address,
! the second rewrites it to the INSIDE interface address (the server then logs the firewall, not the client).
nat (OUTSIDE,INSIDE) 2 source static any any destination static SVPjan18outside SVPjan18inside no-proxy-arp description SVP2018
nat (OUTSIDE,INSIDE) 2 source static any interface destination static SVPjan18outside SVPjan18inside no-proxy-arp description SVP2018
</source>
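The pieces above assembled as one consistent inbound publication of the SMTP host, with the ACL narrowed to the published port and the checks to run afterwards. This is an added example, not the page's own configuration: the 192.168.130.15 host address is read from the object name in the NAT rule, 217.198.220.139 is assumed to be the public address as its object name says, and the ACL name OUTSIDE_access_in, the service group SMTP-ONLY and the test client 203.0.113.10 are constructed.

```cisco
! Added example (not from the page). Assumed values: public address 217.198.220.139,
! ACL name OUTSIDE_access_in, service group SMTP-ONLY, test client 203.0.113.10.
object network 217.198.220.139--SMTP.HOTDATA.DK
 host 217.198.220.139
object network 192.168.130.15--SMTP.HOTDATA.DK
 host 192.168.130.15
object-group service SMTP-ONLY tcp
 port-object eq smtp
!
! Twice NAT: traffic arriving on OUTSIDE for the public address is translated to the
! internal host; the client source is kept so the mail server logs the real sender.
nat (OUTSIDE,INSIDE) 2 source static any any destination static 217.198.220.139--SMTP.HOTDATA.DK 192.168.130.15--SMTP.HOTDATA.DK no-proxy-arp description SMTP.HOTDATA.DK
!
! ASA 8.3 and later: the ACL references the real (inside) address, not the mapped one.
! Permit only the published service instead of "permit ip any host".
access-list OUTSIDE_access_in extended permit tcp any object 192.168.130.15--SMTP.HOTDATA.DK object-group SMTP-ONLY
access-group OUTSIDE_access_in in interface OUTSIDE
!
! Verification: simulate one inbound SMTP connection from the constructed client
! and confirm the NAT and ACCESS-LIST phases report ALLOW, then check the
! translation and the ACL hit count.
packet-tracer input OUTSIDE tcp 203.0.113.10 40000 217.198.220.139 25
show nat detail
show access-list OUTSIDE_access_in
```

A packet-tracer result of DROP in the ACCESS-LIST phase usually means the ACL still names the mapped address; a DROP in the NAT phase means one of the two destination objects is missing or points at the wrong host.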
 
=links=
*[http://www.petenetlive.com/KB/Article/0000691 One-to-one NAT]

[[Category:ASA Cisco]]

Latest revision as of 08:16, 8 February 2018
