
Phase 18: Configuring the Various Types of NAT on the ASA

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com) 06/01

Objective:

1. Configure dynamic NAT

2. Configure static NAT

Experiment steps:

1. Configure dynamic NAT: [the basic configuration is already in place; see the ASA configuration experiment report]

asa(config)# object network ob-in

asa(config-network-object)# subnet 10.2.2.0 255.255.255.0

asa(config-network-object)# nat (inside,outside) dynamic 200.8.8.3

! 200.8.8.3 must not be the IP address of a real device

Port-based dynamic NAT: [configure as above; only one command needs to change]

asa(config-network-object)# nat (inside,outside) dynamic interface

! port-based: NAT automatically translates to the IP address of the interface

2. Configure static NAT:

asa(config)# object network ob-out

! configure ob-out

asa(config-network-object)# host 200.8.8.4

asa(config)# object network dmz01

! configure dmz01 for the server at 192.168.3.100

asa(config-network-object)# host 192.168.3.100

asa(config-network-object)# nat (dmz,outside) static ob-out service tcp 80 80

! configure NAT [TCP 80 for the HTTP service]

asa(config)# object network dmz02

! configure dmz02 for the server at 192.168.3.101

asa(config-network-object)# host 192.168.3.101

asa(config-network-object)# nat (dmz,outside) static ob-out service tcp 21 21

! configure NAT [TCP 21 for the FTP service]

Configure ACL:

asa(config)# access-list out_to_dmz permit tcp any object dmz01 eq http

! create the ACL and allow access to HTTP

asa(config)# access-list out_to_dmz permit tcp any object dmz02 eq ftp

! add an entry to the ACL to allow access to FTP

asa(config)# access-group out_to_dmz in interface outside

! apply the ACL inbound on the outside interface

Configuration complete
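The outside ACL above references the real (pre-NAT) objects dmz01 and dmz02, so each permit entry should line up with exactly one static NAT publication. The following added example (not part of the original article) is a small Python audit that cross-checks the two; it parses only the command forms used on this page, and the function names and the drift scenario are illustrative assumptions.

```python
# Constructed sample: the page's object-NAT and ACL commands, CLI prompts removed.
CONFIG = """\
object network ob-in
 subnet 10.2.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network ob-out
 host 200.8.8.4
object network dmz01
 host 192.168.3.100
 nat (dmz,outside) static ob-out service tcp 80 80
object network dmz02
 host 192.168.3.101
 nat (dmz,outside) static ob-out service tcp 21 21
access-list out_to_dmz permit tcp any object dmz01 eq http
access-list out_to_dmz permit tcp any object dmz02 eq ftp
access-group out_to_dmz in interface outside
"""

# Port keywords used on this page plus a few common ones (not the full ASA list).
PORT_NAMES = {"http": 80, "www": 80, "ftp": 21, "https": 443, "ssh": 22}

def port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse(config):
    """Return (published, permitted) sets of (object, protocol, real_port)."""
    published, permitted, current = set(), set(), None
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["object", "network"]:
            current = tok[2]
        elif tok[:1] == ["nat"] and "static" in tok and "service" in tok:
            i = tok.index("service")  # service <proto> <real_port> <mapped_port>
            published.add((current, tok[i + 1], port(tok[i + 2])))
        elif tok[:1] == ["access-list"] and {"permit", "object", "eq"} <= set(tok):
            # Assumes the page's form: permit <proto> any object <name> eq <port>
            permitted.add((tok[tok.index("object") + 1],
                           tok[tok.index("permit") + 1],
                           port(tok[tok.index("eq") + 1])))
    return published, permitted

def audit(config):
    """(ACL permits with no static NAT behind them, static NATs with no ACL permit)."""
    published, permitted = parse(config)
    return sorted(permitted - published), sorted(published - permitted)

if __name__ == "__main__":
    print(audit(CONFIG))
```

Two empty lists mean every permit entry matches a published service and every published service has a permit entry; anything in the first list is an ACL opening with no NAT publication behind it.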

Result verification:

View dynamic NAT [client1 can access the server at 200.8.8.2]:

View static NAT [client2 can access server3/4]:

[Because NAT address translation is in place, the address to access must be the address-pool IP 200.8.8.4, which corresponds to the server at 192.168.3.100 --> HTTP service]

[Because NAT address translation is in place, the address to access must be the address-pool IP 200.8.8.4, which corresponds to the server at 192.168.3.101 --> FTP service]

Experimental topology diagram:

Thank you
