ohkillo.blogg.se

How to do 2 lan 2 wan asa 5505 cisco

Cisco ASA Static NAT Configuration

In previous lessons I explained how you can use dynamic NAT or PAT so that your hosts or servers on the inside of your network are able to access the outside world. This is great but it's only for outbound traffic or, in ASA terminology, traffic from a higher security level going to a lower security level.

What if an outside host on the Internet wants to reach a server on our inside or DMZ? This is impossible with only dynamic NAT or PAT. When we want to achieve this we have to do two things: configure static NAT so that the internal server is reachable through an outside public IP address, and configure an access-list so that the traffic is allowed.

To demonstrate static NAT I will use the following topology:

Above we have our ASA firewall with two interfaces, one for the DMZ and another one for the outside world. Imagine that R1 is a webserver on the DMZ while R2 is some host on the Internet that wants to reach our webserver. Let's configure our firewall so that this is possible.

Static NAT Configuration

First we will create a network object that defines our webserver in the DMZ and also configure to what IP address it should be translated. This configuration is for ASA version 8.3 and later:

    ASA1(config)# object network WEB_SERVER
    ASA1(config-network-object)# host 192.168.1.1
    ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.2.200

The configuration above tells the ASA that whenever an outside device connects to IP address 192.168.2.200, it should be translated to IP address 192.168.1.1. This takes care of NAT but we still have to create an access-list or traffic will be dropped:

    ASA1(config)# access-list OUTSIDE_TO_DMZ extended permit tcp any host 192.168.1.1

The access-list above allows any source IP address to connect to IP address 192.168.1.1. When using ASA version 8.3 or later you need to specify the real IP address, not the NAT translated address.
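A small config check for the static NAT object and access-list described on this page, as an added example that is not part of the original lesson. It flags access-list entries that point at the translated address instead of the real one (the 8.3+ rule stated above) and entries that permit a whole protocol with no port restriction. The function names and the second access-list line in the sample are constructed for illustration, and only the `any host <ip>` form is handled.

```python
import re

# Constructed sample: the page's NAT object and access-list, plus one extra
# ACL line that targets the translated address (wrong on ASA 8.3 and later).
SAMPLE_CONFIG = """\
object network WEB_SERVER
 host 192.168.1.1
 nat (DMZ,OUTSIDE) static 192.168.2.200
access-list OUTSIDE_TO_DMZ extended permit tcp any host 192.168.1.1
access-list OUTSIDE_TO_DMZ extended permit tcp any host 192.168.2.200 eq www
"""

PORT_OPERATORS = ("eq", "range", "lt", "gt", "neq")


def static_nat_map(config):
    """Return {mapped_ip: real_ip} for host objects that carry a static NAT."""
    hosts, mapping, name = {}, {}, None
    for line in config.splitlines():
        s = line.strip()
        if (m := re.fullmatch(r"object network (\S+)", s)):
            name = m.group(1)
        elif (m := re.fullmatch(r"host (\S+)", s)) and name:
            hosts[name] = m.group(1)
        elif (m := re.match(r"nat \(\S+,\S+\) static (\S+)", s)) and name in hosts:
            mapping[m.group(1)] = hosts[name]
    return mapping


def audit_acl(config):
    """Return (acl_line, finding) pairs for permit entries that need review."""
    mapped = static_nat_map(config)
    acl = re.compile(r"access-list \S+ extended permit (tcp|udp) any host (\S+)(.*)")
    findings = []
    for line in config.splitlines():
        m = acl.fullmatch(line.strip())
        if not m:
            continue
        dest, rest = m.group(2), m.group(3).split()
        if dest in mapped:
            findings.append((line, f"uses mapped IP; 8.3+ matches real IP {mapped[dest]}"))
        if not rest or rest[0] not in PORT_OPERATORS:
            findings.append((line, "no port operator; every port of this protocol is permitted"))
    return findings


if __name__ == "__main__":
    for acl_line, finding in audit_acl(SAMPLE_CONFIG):
        print(f"{finding}\n    {acl_line}")
```

The page's own access-list line is reported by the second check because it permits TCP to the web server on all ports.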














