Policy NAT
KHAWAR BUTT
CCIE # 12353 [R/S, SECURITY, SP, DC, VOICE, STORAGE & CCDE]
Overview
Policy NAT Overview
Policy NAT Process
Configuration Commands
Lab Configuration
Network Diagram
[Figure not reproduced; labels recovered from the slide: ASA FW with zones Outside (192.1.20.0/24), DMZ-4 (192.168.4.0/24, R4), DMZ-3 (192.168.3.0/24, R3) and Inside (10.11.11.0/24; S1 .11, S2 .12, S3 .13; R1); R2 toward the Internet with 199.1.1.0/24, 192.1.25.0/24 and 200.1.1.0/24 (S1, S2); further inside networks 10.1.1.0/24, 10.20.20.0/24 and 10.10.10.0/24.]
Policy NAT Overview
This type of NAT translates devices based on a flow (the source and destination pair) rather than just the source or destination IP address.
Normal dynamic NAT selects the NAT statement by comparing only the source address of a packet going from Inside to Outside. It does not care about the destination the packet is going to.
If you want NAT to select the statement by looking at the source and destination IP address combination, that is called Policy NAT.
It is NOT configured under the object; this type of NAT is configured globally.
Policy NAT Process
Just like the other NAT configurations, you need to specify which interface is the internal interface and which is the external interface.
When a packet is received on the internal interface, Policy NAT checks both the source and the destination IP against the NAT configuration, unlike normal NAT, which checks only the source IP.
The NAT configuration therefore needs to specify the source and destination IP that define the flow, and the corresponding translated addresses.
Policy NAT allows you to translate both the source and destination addresses in the same statement. It is also referred to as Twice NAT or Manual NAT.
Configuration Commands
Policy NAT configuration on the ASA firewall requires you to create objects for all IPs that are going to be used in the NAT statement.
Syntax:
object network [NAME]
 host [X.X.X.X]
Once the objects are created for each address, you use them in the NAT statement. The NAT statement is configured in global configuration mode.
Syntax:
nat (HIGH INT,LOW INT) source static [Your IP] [Your Xlated IP] destination static [Remote IP] [Remote Xlated IP]
Lab Configuration
This lab builds on the previous lab (Static PAT).
object network R1
 host 10.11.11.1
!
object network X1
 host 192.1.20.31
!
object network X2
 host 192.1.20.32
!
object network D1
 host 199.1.1.1
!
object network D2
 host 200.1.1.1
!
nat (Inside,outside) source static R1 X1 destination static D1 D1
nat (Inside,outside) source static R1 X2 destination static D2 D2
Lab Configuration
Verify the configuration by telnetting into 199.1.1.1 from R1 (10.11.11.1).
Verify the translation table by using the "show users" command once you have connected to R2; 192.1.20.31 should be the IP used to connect.
Verify the configuration by telnetting into 200.1.1.1 from R1 (10.11.11.1).
Verify the translation table by using the "show users" command once you have connected to R2; 192.1.20.32 should be the IP used to connect.
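The flow-based lookup the two lab rules perform, as an added Python model (not part of the original slides and not ASA code): the object values are the lab's, the exact-host, ordered first-match behaviour is an assumption that mirrors how manual NAT rules are evaluated in order, and the reverse function shows how return traffic from R2 is mapped back to R1.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Objects taken from the lab's "object network" statements.
OBJECTS = {
    "R1": "10.11.11.1",   # real inside host
    "X1": "192.1.20.31",  # translated source when R1 talks to D1
    "X2": "192.1.20.32",  # translated source when R1 talks to D2
    "D1": "199.1.1.1",    # remote host, identity-translated
    "D2": "200.1.1.1",    # remote host, identity-translated
}

@dataclass(frozen=True)
class PolicyNatRule:
    """One 'nat (Inside,outside) source static A B destination static C D' line."""
    real_src: str
    mapped_src: str
    real_dst: str
    mapped_dst: str

# The two lab rules, in the order they appear in the configuration.
RULES = [
    PolicyNatRule("R1", "X1", "D1", "D1"),
    PolicyNatRule("R1", "X2", "D2", "D2"),
]

def translate(src: str, dst: str, rules=RULES) -> Optional[Tuple[str, str]]:
    """Inside->Outside: the first rule whose real source AND real destination
    both match wins. None means no policy NAT rule applies to this flow."""
    for r in rules:
        if src == OBJECTS[r.real_src] and dst == OBJECTS[r.real_dst]:
            return OBJECTS[r.mapped_src], OBJECTS[r.mapped_dst]
    return None

def untranslate(src: str, dst: str, rules=RULES) -> Optional[Tuple[str, str]]:
    """Outside->Inside return traffic: the same rule is applied in reverse,
    matching the remote (mapped destination) and our translated address."""
    for r in rules:
        if src == OBJECTS[r.mapped_dst] and dst == OBJECTS[r.mapped_src]:
            return OBJECTS[r.real_dst], OBJECTS[r.real_src]
    return None

if __name__ == "__main__":
    print(translate("10.11.11.1", "199.1.1.1"))    # ('192.1.20.31', '199.1.1.1')
    print(translate("10.11.11.1", "200.1.1.1"))    # ('192.1.20.32', '200.1.1.1')
    print(translate("10.11.11.1", "192.1.25.1"))   # None: same source, no flow match
    print(untranslate("199.1.1.1", "192.1.20.31")) # ('199.1.1.1', '10.11.11.1')
```

On the ASA itself the destination pair is written mapped object first, then real object; the lab uses the same object for both sides, so the order has no effect there.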