Welcome to the CCDA lab, where we’ll be looking at various types of NAT and seeing where each type can be useful in a dynamic PAT network.
Alright, so in this lab setup, we have the Cisco ASA and we have three routers. So, this is the guy on the inside, the DMZ, and the outside. So what we’re going to do is configure different NAT types. The first one I’m going to configure is: when guys on the inside are going to the outside, they should be translated to the interface, that is, the outside interface IP address of the Cisco ASA.
Right, so what we’re going to be configuring first is dynamic PAT. So, we come to “console”, and we have to create a network object first, so “object network”, let’s call this “inside 1”, and the subnet is 10.0.100.0 255.255.255.0. Now we can configure the NAT on that object network. So we’ll say… when you’re going from the inside to the outside, then we want to create a NAT statement; in this case it’s going to be dynamic, so we’ll say “dynamic,” and then we can specify the interface, so it uses the interface address as the mapped IP. So it’s going to use whatever interface is here, right, so “interface.”
Alright, so let’s test that. Before we test, let’s enable Telnet on this guy, so we’ll just go with a great password. It’s easier than doing SSH, so let’s just say password “cisco.” Remember, always use SSH, but because we are doing a test, we’ll use Telnet here.
Alright. Now, this guy doesn’t know the IP address of the inside, so if I do a “show ip route”, as you can see, it doesn’t know about the inside. So if I come to the inside guy and say “console”, and if I do a Telnet to 192.0.2.2, that’s the IP address of the outside, let’s see what happens. Okay, so “cisco”, and if I do a “who”, you can see that the IP address it sees this connection coming from is the outside interface IP address of the ASA, right, so our dynamic PAT is working.
Okay. So let’s exit this. Now, the cool thing about dynamic PAT is that, no matter how many hosts of [inaudible 00:02:39] number, theoretically, if there are 64,000 simultaneous connections, irrespective of the real address, it’s going to use the same mapped address.
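The dynamic PAT configuration narrated above, written out as an added example rather than the lab’s own config download. The object name INSIDE1 (ASA object names cannot contain a space), the interface names inside and outside, and the test host 10.0.100.10 are assumptions; the subnet follows the narration. The verification lines are exec-mode commands, not configuration:

```cisco
! Dynamic PAT: every host in 10.0.100.0/24 leaving via "outside" shares the
! outside interface address; flows are told apart by the mapped source port.
object network INSIDE1
 subnet 10.0.100.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Verification (exec mode, not configuration). 10.0.100.10 is an assumed inside host.
!   packet-tracer input inside tcp 10.0.100.10 40000 192.0.2.2 23
!     -> the NAT phase shows the source rewritten to the outside interface IP, Action: allow
!   show xlate
!     -> one "TCP PAT from inside:10.0.100.10/40000 to outside:<outside-ip>/<port>" entry per flow
!   show nat detail
!     -> translate_hits counts outbound flows; untranslate_hits stays at 0 because
!        a dynamic PAT rule cannot be used to initiate a connection from outside
```

The security point is the last line: a dynamic PAT rule gives the inside hosts no inbound reachability at all, which is what you want for a client subnet.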
The second type of NAT that we’re going to create is dynamic NAT, so when the inside is going to the DMZ, we want to translate it to a range of addresses on this network. So, let’s come to the ASA… and you can’t create two different NAT configurations for the same network object. So, we’ll have to create another one, let’s call this one “inside 2”, with the same subnet, and we also need to create one for the mapped addresses. For this one, we’ll use “range”; let’s start with 172.16.1.20 and go all the way to 172.16.1.49. So we have about 30 addresses that we can use there. Now, that’s the thing about dynamic NAT: it’s usually a smaller group of mapped addresses.
We’re not done with our configuration, actually, so let me go back to “inside 2”, and now we’ll say “nat”. This time it’ll be from inside to the DMZ. It’s also going to be dynamic, but this time we are going to specify the mapped network group, so let’s call it “inside mapped”. To test, I’m also going to enable Telnet on this guy, so let’s see… “line vty 0”, I’m just going to set a password here. So let’s come back to the inside and we’ll Telnet to 172.16.1.100. So that didn’t go through; let’s try it again, so “cisco.” If I do a “who” now, as you can see it has taken one IP address from that particular range, right, cool.
But the thing about dynamic NAT is that once the mapped addresses have run out, new connections will not be allowed, so keep that in mind.
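The dynamic NAT pool and its exhaustion caveat, as an added example that is not the lab’s own config. The object names INSIDE2 and INSIDE-MAPPED and the interface name dmz are assumptions; the pool range follows the narration. The first form is what the lab builds; the second is the hardened variant, where the interface keyword makes the ASA fall back to PAT on the DMZ interface address once the pool is used up instead of dropping new flows:

```cisco
! Dynamic NAT: an inside host going to the DMZ borrows one address from a
! pool of 30 (172.16.1.20-172.16.1.49) for as long as its xlate lives. The
! mapping is 1:1 per real host, so the pool size, not the port space, is
! the limit: the 31st simultaneous host gets no translation and is dropped.
object network INSIDE-MAPPED
 range 172.16.1.20 172.16.1.49
object network INSIDE2
 subnet 10.0.100.0 255.255.255.0
 nat (inside,dmz) dynamic INSIDE-MAPPED
!
! Hardened form: object NAT allows one nat line per object, so remove the
! first rule and re-add it with "interface" appended. When the pool is
! exhausted the ASA now falls back to PAT on the dmz interface address.
object network INSIDE2
 no nat (inside,dmz) dynamic INSIDE-MAPPED
 nat (inside,dmz) dynamic INSIDE-MAPPED interface
!
! Verification (exec mode):
!   show xlate        -> "NAT from inside:10.0.100.x to dmz:172.16.1.2x" entries, one per active real host
!   show nat detail   -> translate_hits on the INSIDE2 rule increments per new host
```

Whether to add the fallback is a design choice: without it, pool exhaustion is a denial of service for new hosts; with it, you lose the one-address-per-host property that makes dynamic NAT easy to attribute in the DMZ server’s logs.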
Alright, so we have looked at dynamic NAT and we have looked at dynamic PAT; now let’s look at static NAT. So, what if guys on the outside should be able to reach, let’s say, a web server here? Now, to simulate that web server, I’m just going to enable the HTTP server. Let’s go to the inside. If the inside does a Telnet to port 80, you see it says “open”, right? Alright, cool. So what we’re going to do is create a NAT statement that’ll map the IP address of the web server to something on the outside.
So let’s come to the ASA for that. On the ASA, we’re also going to create a network object, let’s call it “DMZ server”, and the host is 172.16.1.100. Okay, and then, for the mapped address that we want to use, we don’t have to create a network object for that; we can just specify it inline, so we can specify it here, and that’s what I’m going to do. So, I’m just going to say “nat”, we are going from the DMZ to the outside, and I want to create a static NAT for this particular object that I have created, to 192.0.2.100, right.
Now, by default, because the outside interface is on a lower security level, it’s on zero and this guy is on 50, so if I were to check it, let’s see on the ASA, if I do a “show run interface”, you can see the outside is on 0 and the DMZ is on 50. So by default, traffic will not be allowed to flow from here to here, so we need to create an access list for it. I’m just going to create an access list, I’ll call it “out in”, and I’ll say “permit tcp any host”.
Now the address that you specify here is going to be the real address. They’ve changed it since ASA version 3, or we can even use the object that we created. So then we say “object”, and then I’ll say “DMZ server”, and then I’ll apply that access group, or access list, inbound on the outside interface. Alright.
So right now, if we go to the outside and Telnet to 192.0.2.100 on port 80, let’s see if that worked. Can you see, it says “open”, and we know that worked because if we come to the ASA and do “show nat” (where’s the one we created? That’s it right here) you can see “untranslate hits.” Now, keep in mind that this NAT that we have created is bidirectional, so if this guy is also going to the outside, it would use that IP address. So, for example, if we do a Telnet to 192.0.2.2, “cisco,” and we say “who”, you notice that it uses that same mapped IP address. So it’s bidirectional: people on the other side can come in and the guy on the inside can also go out.
The other [inaudible 00:08:54] that we have created, the dynamic NATs and dynamic PATs, are normally unidirectional, but there are instances where, if the session is already open, you may be able to bypass the ASA if it’s not properly configured.
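The static NAT and the inbound access list from the preceding steps, as an added example (not the lab’s config download). Object and interface names are assumptions. Two things differ from the narration on purpose: the access list is narrowed to TCP/80 rather than “permit tcp any host”, which is the least-privilege form for a web server, and it references the object because since ASA 8.3 an interface ACL matches the real (untranslated) address, not 192.0.2.100. The packet-tracer lines exercise both directions of the bidirectional rule:

```cisco
! Static NAT: 172.16.1.100 on the DMZ is reachable from outside as 192.0.2.100,
! and its own outbound traffic is sourced from 192.0.2.100 (bidirectional).
object network DMZ-SERVER
 host 172.16.1.100
 nat (dmz,outside) static 192.0.2.100
!
! outside (security level 0) -> dmz (level 50) needs an explicit permit.
! Match the real address via the object, and only the service being exposed.
access-list OUT-IN extended permit tcp any object DMZ-SERVER eq www
access-group OUT-IN in interface outside
!
! Verification (exec mode). 192.0.2.2 is the lab's outside router.
!   packet-tracer input outside tcp 192.0.2.2 40000 192.0.2.100 80
!     -> UN-NAT phase maps 192.0.2.100 to 172.16.1.100, ACCESS-LIST phase permits, Action: allow
!   packet-tracer input outside tcp 192.0.2.2 40000 192.0.2.100 23
!     -> ACCESS-LIST phase denies: only port 80 is exposed, even though the NAT would match
!   packet-tracer input dmz tcp 172.16.1.100 40000 192.0.2.2 23
!     -> NAT phase rewrites the source to 192.0.2.100 (the "bidirectional" case)
!   show nat detail
!     -> untranslate_hits counts inbound flows, translate_hits counts outbound ones
```

The second packet-tracer is the check worth keeping in a runbook: a static NAT without a port-restricted ACL exposes every listening service on the server, not just the one you meant to publish.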
What if we don’t want to use the whole of 192.0.2.100, which we used for the static NAT, just for the internal web server? So, let’s say we have a web server, an FTP server, and an email server, and they all should use that same IP address. What we could create is static PAT.
So, if I come here, “show run”, let’s just look at the object… let’s look at NAT, actually. So, instead of using this, I’m going to specify a port. I can specify the service that I want to use, so “service tcp”, and I can specify a port number or use any of these. So I know the port that I want to use is 80. The real is 80 and the mapped is 80, or one of them could be 80 and the other 8080. Let’s see. So for the mapped port, let’s use 888, for example. If I come to the outside, instead of saying 80, I’m going to say 888, and then press enter. As you can see, it’s still open, but it’s using only one port. So if I come to the ASA here, “show nat”, it’s using only [inaudible 00:10:56] port.
The last [inaudible 00:11:00] type that we can configure is identity NAT, but we don’t really need identity NAT here. Identity NAT just maps the same IP address to itself, and you use it maybe when you’re configuring something like a VPN.
So, we’ve looked at four different types of NAT: dynamic PAT, dynamic NAT, static NAT, and static PAT.