NAT/PAT_ASA_CISCO

Knowing is not enough, we must apply.

Wishing is not enough, we must do.



For example, the web server at the IP address .15 is really configured with the IP address 172.16.30.15, which means the actual NIC has 172.16.30.15 configured. Hence, 172.16.30.15 is considered the real IP address, and the address it is translated to on the far side of the firewall is the mapped IP address.






Static NAT

A Static NAT is a translation in which only the IP addresses are modified, and the mapping between pre-translation and post-translation IP addresses is explicitly defined.

Static NAT with Auto NAT

object network WEB33
 host 10.2.2.33
 nat (inside,outside) static 73.8.2.33

asa98# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static WEB33 73.8.2.33

Static NAT with Manual NAT

object network WEB33
 host 10.2.2.33
object network WEB33-Public
 host 73.8.2.33
nat (inside,outside) source static WEB33 WEB33-Public

Static PAT

A Static PAT is a translation in which both the IP addresses and the port numbers are modified, and the mapping between pre-translation and post-translation attributes is explicitly defined.

Static PAT with Auto NAT

object network WEB41-www
 host 10.4.4.41
 nat (inside,outside) static 73.8.2.44 service tcp 8080 80
object network WEB42-https
 host 10.4.4.42
 nat (inside,outside) static 73.8.2.44 service tcp 443 443

asa98# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static WEB41-www 73.8.2.44 service tcp 8080 www
2 (inside) to (outside) source static WEB42-https 73.8.2.44 service tcp https https

Static PAT with Manual NAT

object network WEB41
 host 10.4.4.41
object network WEB42
 host 10.4.4.42
object network PUBLIC-WEB
 host 73.8.2.44
object service TCP8080
 service tcp source eq 8080
object service TCP80
 service tcp source eq 80
object service TCP443
 service tcp source eq 443
nat (inside,outside) source static WEB41 PUBLIC-WEB service TCP8080 TCP80
nat (inside,outside) source static WEB42 PUBLIC-WEB service TCP443 TCP443

asa98# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static WEB41 PUBLIC-WEB service TCP8080 TCP80
2 (inside) to (outside) source static WEB42 PUBLIC-WEB service TCP443 TCP443


Dynamic PAT

A Dynamic PAT is a translation in which both the IP addresses and the port numbers are modified, and the mapping between pre-translation and post-translation attributes is dynamically determined by the firewall.



Dynamic PAT with Auto NAT

object network INSIDE66
 subnet 10.6.6.0 255.255.255.0
 nat (inside,outside) dynamic 32.8.2.66

asa98# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic INSIDE66 32.8.2.66

Dynamic PAT with Manual NAT

object network INSIDE66
 subnet 10.6.6.0 255.255.255.0
object network DPAT-IP
 host 32.8.2.66
nat (inside,outside) source dynamic INSIDE66 DPAT-IP



Dynamic NAT

A Dynamic NAT is a translation in which only the IP addresses are modified, and the mapping between pre-translation and post-translation IP addresses is dynamically determined by the firewall.


Dynamic NAT with Auto NAT

object network DNAT-RANGE
 range 54.5.4.1 54.5.4.3
object network INSIDE77
 subnet 10.7.7.0 255.255.255.0
 nat (inside,outside) dynamic DNAT-RANGE

asa98# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic INSIDE77 DNAT-RANGE

Dynamic NAT with Manual NAT

object network DNAT-RANGE
 range 54.5.4.1 54.5.4.3
object network INSIDE77
 subnet 10.7.7.0 255.255.255.0
nat (inside,outside) source dynamic INSIDE77 DNAT-RANGE

asa98# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic INSIDE77 DNAT-RANGE



Policy NAT

A Policy NAT is any of the four types of address translation already discussed (Static NAT, Static PAT, Dynamic PAT, Dynamic NAT), except that the translation decision is based upon both the source and the destination. Because the destination is part of the match, it is configured as Manual NAT:

object network INSIDE66
 subnet 10.6.6.0 255.255.255.0
object network HOST45
 host 45.5.4.9
object network PDPAT-HOST45
 host 32.8.2.77
nat (inside,outside) source dynamic INSIDE66 PDPAT-HOST45 destination static HOST45 HOST45

 

Twice NAT

You are in charge of a Router with hosts on a private network (10.6.6.0/24) that have chosen to use Google's Public DNS Resolving Server (8.8.8.8). However, company policy states DNS requests must be made using the Corporate DNS server (32.9.1.8). One option is … to translate any outbound requests to 8.8.8.8 into a request for 32.9.1.8.

object network INSIDE66
 subnet 10.6.6.0 255.255.255.0
object network DPAT-IP-DNS
 host 32.8.2.55
object network GOOGLE-DNS
 host 8.8.8.8
object network CORP-DNS
 host 32.9.1.8
object service UDP53
 service udp destination eq 53
nat (inside,outside) source dynamic INSIDE66 DPAT-IP-DNS destination static GOOGLE-DNS CORP-DNS service UDP53 UDP53
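The following is an added example, not configuration from this page or code from Cisco: a small Python model of how the ASA selects a NAT rule for an outbound packet, loaded with the rules configured on this page (the WEB41-www static PAT, the INSIDE66 dynamic PAT, the INSIDE77 dynamic NAT pool, the HOST45 policy NAT and the DNS twice NAT). It shows why the two Manual NAT rules on INSIDE66 win over the Auto NAT rule for the same subnet, and what happens to a packet that no rule matches. The rule labels, the `build_page_table` helper, the PAT port counter starting at 1024 and the sample packets are this example's own assumptions; a real ASA allocates ports and pool addresses by its own rules.

```python
# Added example, not from the page or from Cisco: a toy model of how an ASA selects a
# NAT rule for an outbound packet, loaded with this page's own rules. Assumptions: manual
# NAT (section 1) is checked before auto NAT (section 2), first match wins within a section,
# a dynamic rule with one mapped host does PAT and one with a pool does dynamic NAT.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NatRule:
    name: str
    section: int                      # 1 = manual NAT, 2 = auto (object) NAT
    real_src: str                     # CIDR the real source must fall inside
    mapped_src: list                  # one mapped host, or a pool of addresses
    dynamic: bool = False             # True: the firewall chooses address/port
    real_dst: Optional[str] = None    # policy / twice NAT: destination condition
    mapped_dst: Optional[str] = None  # twice NAT: rewritten destination
    proto: Optional[str] = None       # service object: protocol
    real_sport: Optional[int] = None  # static PAT: real (server) port
    mapped_sport: Optional[int] = None
    dport: Optional[int] = None       # service object: destination port

    def matches(self, pkt: Packet) -> bool:
        """Every configured condition must hold; unset conditions match anything."""
        if ip_address(pkt.src_ip) not in ip_network(self.real_src):
            return False
        if self.real_dst and ip_address(pkt.dst_ip) not in ip_network(self.real_dst):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.real_sport is not None and pkt.src_port != self.real_sport:
            return False
        return self.dport is None or pkt.dst_port == self.dport

class NatTable:
    def __init__(self, rules):
        # Stable sort: section 1 before section 2, configuration order inside a section.
        self.rules = sorted(rules, key=lambda r: r.section)
        self.next_pat_port = count(1024)   # constructed; a real ASA picks ports differently
        self.xlates = {}                   # (rule name, real ip) -> pool address held

    def translate(self, pkt: Packet):
        """Return (name of the rule that matched or None, translated packet)."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.name, self._apply(rule, pkt)
        return None, pkt  # no rule matched: the packet leaves untranslated

    def _apply(self, rule: NatRule, pkt: Packet) -> Packet:
        if rule.dynamic and len(rule.mapped_src) == 1:       # dynamic PAT
            out = replace(pkt, src_ip=rule.mapped_src[0], src_port=next(self.next_pat_port))
        elif rule.dynamic:                                   # dynamic NAT from a pool
            key = (rule.name, pkt.src_ip)
            if key not in self.xlates:
                used = {a for (n, _), a in self.xlates.items() if n == rule.name}
                free = [a for a in rule.mapped_src if a not in used]
                if not free:
                    raise RuntimeError(f"{rule.name}: pool exhausted")
                self.xlates[key] = free[0]
            out = replace(pkt, src_ip=self.xlates[key])
        else:                                                # static NAT / static PAT
            out = replace(pkt, src_ip=rule.mapped_src[0])
            if rule.mapped_sport is not None:
                out = replace(out, src_port=rule.mapped_sport)
        if rule.mapped_dst:                                  # twice NAT also rewrites the destination
            out = replace(out, dst_ip=rule.mapped_dst)
        return out

def build_page_table() -> NatTable:
    """The page's rules in configuration order (rule names are this example's own)."""
    return NatTable([
        NatRule("WEB41-www", 2, "10.4.4.41/32", ["73.8.2.44"],
                proto="tcp", real_sport=8080, mapped_sport=80),
        NatRule("INSIDE66-PAT", 2, "10.6.6.0/24", ["32.8.2.66"], dynamic=True),
        NatRule("INSIDE77-DNAT", 2, "10.7.7.0/24",
                ["54.5.4.1", "54.5.4.2", "54.5.4.3"], dynamic=True),
        NatRule("POLICY-HOST45", 1, "10.6.6.0/24", ["32.8.2.77"], dynamic=True,
                real_dst="45.5.4.9/32"),
        NatRule("TWICE-DNS", 1, "10.6.6.0/24", ["32.8.2.55"], dynamic=True,
                real_dst="8.8.8.8/32", mapped_dst="32.9.1.8", proto="udp", dport=53),
    ])

if __name__ == "__main__":
    table = build_page_table()
    for pkt in [Packet("udp", "10.6.6.5", 40000, "8.8.8.8", 53),          # twice NAT
                Packet("tcp", "10.6.6.5", 40001, "45.5.4.9", 443),        # policy NAT
                Packet("tcp", "10.6.6.5", 40002, "198.51.100.7", 443),    # plain dynamic PAT
                Packet("tcp", "10.4.4.41", 8080, "198.51.100.7", 50000),  # static PAT
                Packet("tcp", "10.4.4.41", 22, "198.51.100.7", 50001)]:   # no rule matches
        print(table.translate(pkt))
```

Running it shows the DNS query from 10.6.6.5 to 8.8.8.8:53 leaving as 32.8.2.55 towards 32.9.1.8, the same host's other traffic falling through to the Auto NAT rule and leaving as 32.8.2.66, and traffic from 10.4.4.41 on any port other than 8080 matching nothing and leaving untranslated; on a real ASA, `show nat` and `packet-tracer` are the tools for confirming the same ordering before a change goes live.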




