In this post I'll build dynamic PAT for the ASAv Firewall through ASDM.
Dynamic PAT hides the internal IP addresses from the outside world: every inside host leaves the firewall as the outside interface address, distinguished only by its translated source port. In a live deployment the outside interface would carry a public IP; in this lab the private address 192.168.14.130 stands in for it. As an overview, here's how the lab is built:
- Cloud1 represents the WAN.
- ASAv has an outside interface of 192.168.14.130 (pretending this is our public IP)
- ASAv has an inside interface of 10.1.0.250
- ASDM is reachable and working over the outside interface 192.168.14.130
- The network behind the ASAv is designed with 10.0.0.0/24
- The router is configured to route traffic with a default gateway to the ASAv
- The virtual PC is configured with the router as the default gateway
- The virtual PC can successfully ping the ASAv's inside IP 10.1.0.250.
To get started, open ASDM and navigate to Configuration > Firewall > NAT Rules. Then click the Add drop-down and select Add "Network Object" NAT Rule...
A dialog opens for configuring the network object. I leave everything at its default, with the exception of the fields below:
Name: Sub10
Type: Network
IP Address: 10.0.0.0
Netmask: 255.255.255.0
Under NAT, Type: Dynamic PAT
Under NAT, Translated Addr: click the three dots, which brings up the interface list; select the outside interface and click OK.
Once that's all filled out, I click OK.
I click Apply and Save to bring it live and save it onto the ASAv.
I'll open the ASAv command line and verify the rule has been applied:
enable
show nat
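The same rule expressed in ASA CLI, as an added example rather than configuration taken from the original post. It is what ASDM pushes to the device for the steps above (the object name and the inside/outside interface names are the ones used in this lab). The packet-tracer line is an extra check that exercises the NAT phase without sending real traffic from the PC; the source address 10.0.0.25, port 24992 and the destination 8.8.8.8/53 are constructed values.

```cisco
! Equivalent of the ASDM "Network Object" NAT rule built above (ASA 8.3+ object NAT syntax)
object network Sub10
 subnet 10.0.0.0 255.255.255.0
 ! Dynamic PAT: every host in 10.0.0.0/24 leaves as the outside interface IP
 nat (inside,outside) dynamic interface
!
! Verify the object and the resulting NAT policy
show running-config object network Sub10
show nat
! Expected in the "Auto NAT Policies" section, followed by its translate/untranslate hit counters:
!   (inside) to (outside) source dynamic Sub10 interface
!
! Dry-run a UDP packet from an inside host (constructed: 10.0.0.25 port 24992 to 8.8.8.8 port 53).
! The NAT phase of the output should echo the Sub10 rule and the final result should be ALLOW.
packet-tracer input inside udp 10.0.0.25 24992 8.8.8.8 53
!
! Persist the change, the same thing ASDM's Save button does
write memory
```

If `show nat` lists the rule but packet-tracer never reaches a NAT phase, check that the packet is actually arriving on the interface named `inside` and that the source falls inside 10.0.0.0/24; a host on the 10.1.0.0/24 transit link between the router and the ASAv would not match this object.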
Now I'll test that the rule works.
I expect the NAT rule to translate the source address of any host in 10.0.0.0/24 to the outside interface address whenever the traffic is headed to an outside destination.
I'll point the virtual PC at an external DNS server so I can use a domain name instead of a bare IP address; the DNS server resolves the name to an IP for me. Then a trace to Google from the PC should hit the NAT rule automatically.
ip dns 8.8.8.8
trace www.google.com
CTRL C to stop trace
save
I stopped the trace because the ASAv drops the replies coming back in. The trace sends its probes as UDP, and the ICMP messages that come back from each hop are not, by default, matched to that UDP connection, so the ASAv denies them. I just wanted to confirm that DNS resolved the name and to see NAT in action.
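Added example, not part of the original post: if you want the trace to complete instead of stopping it, enable ICMP inspection on the default service policy so the ASA tracks echo request/reply as connections and passes the ICMP error messages (time-exceeded, unreachable) that intermediate hops send in response to the UDP probes. `global_policy` and `inspection_default` are the ASA's default policy-map and class names; this assumes they have not been renamed.

```cisco
policy-map global_policy
 class inspection_default
  ! Track echo request/reply statefully so pings from the inside get their replies back
  inspect icmp
  ! Pass ICMP error messages that belong to an existing UDP/TCP connection and
  ! untranslate the embedded header; this is what a UDP traceroute relies on
  inspect icmp error
!
write memory
```

After applying this, re-run `trace www.google.com` on the PC; the hops should now appear, and `show xlate` on the ASAv will list the UDP probe translations alongside any ICMP ones.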
To prove the NAT worked, I go to the ASAv CLI:
show xlate
The xlate table shows the translation: the inside host 10.0.0.25, source port 24992, is mapped to the outside address 192.168.14.130 on port 24992. The ASA keeps the original source port when that port is still free on the outside address; if it is already in use, it picks another port from the same range.