Cisco CCIE Security 350-701 - ASA: Network Address Translation (NAT) Part 2

  1. Dynamic PAT – with Exit interface

In here we'll see the configuration of NAT, sorry, PAT (port address translation), but this time we'll be using the exit interface. So if you try to verify what we did in the previous sessions: in the previous video I covered PAT by using a single public IP, where I'm translating the 10.1.x.x subnet to one single public IP, that is, the .51.1 address. So this was the configuration, and then we tested it out with some telnet and then the show xlate commands. But sometimes most of the service providers, or maybe some customers, will be using the exit IP, the public IP on the outside interface. So in that case the configuration will not change much. Like first we need to define what is your private subnet, then we need to translate from inside to outside, and then we need to tell it the interface. Now when you say interface, it automatically maps to the IP present on the outside interface.

This is more applicable when you want to translate with the IP present on the outside interface. And most of the time, sometimes, the service provider will be giving an IP which is dynamic, and it keeps on changing, maybe every time you reboot your device, or maybe the next day; if it changes, then it's not a problem. So in those kinds of scenarios we can use PAT by using the exit interface. So configuration wise, this is the previous lab configuration. So either I can remove the entire configuration and then reconfigure the same, or I can just remove this one single line. So if you go and verify the configuration here, the first thing I'll do is clear the xlate entries, so that I remove the existing translations, and the next thing is, if you verify show run nat, I do have NAT configurations already done based on the previous lab.

So I prefer to go from the basics, just to avoid confusion for you. So what I'll do is I'll do the entire configuration once again. So for that I need to remove the previous lab configurations. So I'll say clear configure object network. Maybe you want to remove the complete object network, or you just clear the NAT configuration with clear configure nat. Again, in some IOS versions there will be a slight difference in the commands. So in my case I'm not able to remove it that way. So probably, if you say show run nat, what I'll do is I'll just clear the object network; it will remove the complete entries automatically. I have to be in global configuration mode also; I was not in global configuration mode, so let me see here, because it should work here: clear configure. So if you say show run nat, that configuration has been removed.

If I say show run object network, I should see this object network is still present. So I just need to change this configuration here. So I say object network, and of course no need to write the subnet again; it's already there. So I need to say nat from inside to outside. We need to say dynamic, and then use the option interface, and done. Then try to initiate some traffic. So we'll say telnet from Loopback0, and then we'll say telnet from Loopback2. And if you go on the ASA and verify show xlate, to verify this entry, we can also use the show users command on the router to test, but that's not required, because you can see these entries: 10.1.1 and 10.1.2. They are getting translated with the same IP which is present on the outside interface. So I'm using 100, but using different port numbers. So PAT can either be done on a single public IP address, like we did in the previous lab, or on the IP of the exit interface.

  2. Dynamic NAT-PAT Combination

So the next thing: we can also use something called a NAT-PAT combination, where I can configure my device, the ASA, to do dynamic NAT first. Like I have some range of public IPs, so I can tell it to translate based on this public IP range, and after that I can tell the device to use the exit interface to translate. So this is more like a NAT-PAT combination, where we can tell it to use dynamic NAT, and once these IPs get exhausted or finished, we can start using the exit interface also. So there's not much difference in the configuration. We need to define the public pool, because in my case I want to do dynamic NAT based on some range of public IPs, and then define the private subnet. This is my private IP address range which I want to use, and then we want to translate from inside to outside, nat (inside,outside). And then I'm going to define the public pool here, and then the second option: it has to do PAT.

So whenever I use interface, it automatically does PAT. Or whenever I use dynamic and I just define one single IP address without referring to any object network, it understands that it has to do PAT; but whenever it is referring to some object network, it will understand that it has to do dynamic NAT. So there's not much difference in the verification. So I'll just quickly show you this configuration here in my workbook. So overall we need to configure the same thing, and then initiate some traffic from router one: try to telnet to router two, and also try to telnet with loopback 1. Or you can create some ten loopbacks and then initiate the traffic from all ten loopbacks. And if you verify from the 11th loopback, probably you should see it starts doing PAT. So in my case I have just shown you with two IPs, so I'm using loopback 1 and loopback 2, and you can see it's actually translating with two different public IPs in that range, and these are the two IPs.
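The two dynamic labs above (PAT on the exit interface, then a NAT pool with the interface as fallback), written out as an added ASA configuration example; this is not the instructor's workbook. The object names, the 10.1.0.0/16 inside range, the 100.1.1.0/24 outside network and the two pool addresses are assumed for the example.

```cisco
! ===== Lab 1: dynamic PAT on the exit (outside) interface =====
! Assumed addressing for this example: inside 10.1.0.0/16 (R1 loopbacks
! 10.1.1.1 and 10.1.2.1), ASA outside 100.1.1.1/24, R2 = 100.1.1.2.
!
! Start clean: drop live translations and the NAT rule left by the single-IP lab.
clear xlate
clear configure nat

! The object (private subnet) can stay; only its nat line changes.
object network INSIDE_NET
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
! "dynamic interface" = PAT behind whatever address the outside interface
! currently holds, so a provider-assigned address that changes is no problem.

! ===== Lab 2: dynamic NAT pool, then PAT on the interface when exhausted =====
object network PUBLIC_POOL
 range 100.1.1.10 100.1.1.11
! Only two addresses, so a third simultaneous host must fall back to PAT.

object network INSIDE_NET
 no nat (inside,outside) dynamic interface
 nat (inside,outside) dynamic PUBLIC_POOL interface
! "dynamic <pool> interface": one-to-one from the pool first, then port
! translation on the outside interface once the pool is used up.

! ===== Verification on the ASA =====
show run nat
show run object network
show xlate
! Lab 1: every 10.1.x.x source maps to 100.1.1.1 with a different port.
! Lab 2: the first two sources map 1:1 to 100.1.1.10 / .11, the third to
!        100.1.1.1 plus a port.

! ===== Traffic generation on R1 (IOS), one telnet session per loopback =====
! telnet 100.1.1.2 /source-interface Loopback0
! telnet 100.1.1.2 /source-interface Loopback1
! telnet 100.1.1.2 /source-interface Loopback2
! "show users" on R2 then lists the translated source address of each session.
```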

  3. Static NAT – ASA

So the next thing we'll see is static NAT configuration on the ASA. So I'm going to take one simple example here, where I got a router three, which is connecting to some DMZ, DMZ3; that's the name of the DMZ. And I'm hosting some three servers. Let's say the server IP addresses are 10.3.3.1, 10.3.3.2 and 10.3.3.3. They are hosting some kind of services like web, FTP and telnet, and I want to translate them with some public IPs as they go here, probably on the outside network: 101.101.1.1, .2 and .3. So if any user is sitting on the internet, at the same time I want to make sure that the user sitting on the internet should be able to access my services on the DMZ, because by default traffic from security level 0 to 50 is not allowed. So if you want to allow it, we need to write an ACL.

So probably, configuration wise, here we also require an ACL to allow the users on the outside network to access the servers on the DMZ. So basically the configuration here: we need to create an object network, and this time we are going to refer to a specific host, one single device, one single host. So we got three translations, so we need to create three object networks. The first one is S1, then S2 and S3, just like server one, server two and server three. So whatever services they are hosting, use those names for easy identification. And then we have to say nat, and this time we are translating from DMZ to outside, so we need to say nat (DMZ,outside), and then the public IP which we decided to use, so 101.101.1.1, .2 and .3. So they should go with their respective public IP.

So this is going to be the configuration, and additionally we need to also allow the users on the outside network, from security level 0 to 50. So we write an ACL, so access-list, and we apply it inbound on the outside interface, saying that if any user from the internet is trying to access these servers... so we need to define the private IP addresses. So based on the software version, in the new ASA versions starting from 8.2 or later, we need to define the private IP address in the ACL, because first it will do the NAT translation and then it is going to verify the ACL, whether there is any ACL configured. So we are going to apply the ACL inbound on the outside interface to make sure that anyone from the internet can access these services on the respective ports.

So the respective ports which are hosting those services. And for testing, I'm going to add telnet here, because we can initiate some traffic from router two, and if I try to telnet, I should be able to telnet. And if I say show users, I should see... of course I don't see this; whatever the user public IP is, I can see that. So let's verify here. So what I'll do is I'll just quickly start the configuration. So before I start, make sure that you do have reachability, and all the configurations that you did in the previous labs, make sure that you remove them. So here, just test the reachability from router three. I should have reachability here to 2.2. And the reason... let me check if there is any route or not. So if I say show, I think I just added those routes.

So if I say show route static, or show route, I should see there will be a static route for the 10.3 network. Sorry, I configured it as inside, so it should not be inside; it has to be the DMZ interface. That's a mistake I did. So I say show run route, and then I need to say no to remove this one, because it's actually on the DMZ. So I have to say DMZ3; DMZ3, that's the interface name I'm using. So let me just confirm the name. So I think I'm using G1/3 connecting to router three. G0/3 is the interface I'm connecting. Yes, DMZ3. So I verify the reachability. So these are basic things: make sure that you do have reachability, so that we can initiate some traffic from router three to router two, or router two to router three, for testing purposes.

So I do have reachability. We can also telnet and verify. And on the ASA we'll configure the object network. So before I configure, I just want to check if there are any previous object networks configured. So I removed all those things, just as a confirmation. So we'll say object network, and let's say S1, just as server S1, host the first IP. And then we say nat from DMZ3, nat (DMZ3,outside), and then you say static and use the public IP on it. And likewise I'm going to do the same thing for the second translation, S2, and then the host IP address is going to be .2, and I need to change the public IP. Likewise for the third one, S3. Of course, for testing we are using any one; I'll be using the telnet one. And then I say show run to confirm my configuration: object network. You can see these are the three object networks, with different IPs.

So if I say show run nat to verify my NAT configuration, the configuration seems to be correct. So for testing purposes, if you just want to confirm whether the translation is happening or not, what I can do is go to router three. If you verify show ip interface brief, I do have preconfigured loopbacks here. So I'll try to telnet to the 2.2 router with a source interface of Loopback0. By default, security level 50 to 0 is allowed, so I can initiate telnet traffic. And I enter the password, and if I say show users, you can see it's getting translated. Okay. So you can try with the other loopbacks also. So it's getting translated. If you go and say show xlate, you can see the static entries here. But the thing is, mostly the traffic is initiated from the outside user, and the return traffic goes from here.

But we just tried to initiate traffic from DMZ to outside, just to confirm whether the translation is correctly configured or not. So in my case the configuration is correct, but at the same time, you want to allow the users: any user should be able to access this service, as it is going from security level 0 to 50. We need to configure an ACL to permit it. So I'm doing this configuration here. Let me just confirm that there is no access list configured based on the previous labs. So I'm going to create an access list. So we say access-list, just SERVER, and then we say permit tcp; the connections are all TCP based. Then I'm going to say 10.3.3.1 eq 80, and then eq 21 on .2 for the second one; the second one is FTP, and the third one is telnet. You have to note that .3 is telnet. So while you are doing this, make sure that you change the IP and the port numbers, both of these.

And then we need to apply this ACL, the name of the ACL is SERVER, and apply it inbound on the outside interface. So now, once you do this, what I should see is I should be able to initiate a telnet connection from any source to this server, right? But again, I'm not going to use this IP; I should be using this IP, which means if I try to initiate a connection to 101.101.1.3, that's something I'll do from router three. So telnet 101.101.1.3. Okay, so the problem is I'm actually translating not with 101.101.1.3, because when I did the configuration... if you try to see your show run nat, on router three, on the ASA, show run nat, sorry, no, the problem here is actually I'm trying to do it from router two. It has to be done from router... sorry, router three I was trying to do. So I was thinking it was on router one. So it has to be done on router two actually.

So we need to initiate traffic from the outside. So we do have a default route. So I say telnet 101.101.1.3; that's what I need to do. You can see it initiates a connection, and it initiates a connection based on the default route I have configured here: it immediately goes to the ASA, hits this interface, and this interface says that, okay, anything coming with 101.101.1.3? I have a NAT translation mapped with the IP address 10.3.3.3. And I have an ACL to allow port number 23. So the connection is also coming on port number 23, so it allows it, and if I say show users, it will show you the actual IP I'm using. But if I go to the ASA, if I say show xlate, I should see this translation. So the translation is the same here, you can see, because you see the static entries here, 101.101.1.3 getting translated. So again, I cannot initiate any traffic from this to the others, because they are using HTTP and FTP port numbers. But I just added this.
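The static NAT lab above (route correction, three one-to-one translations, and the ACL that opens security level 0 to 50) as an added ASA configuration example, not the instructor's own config. The R3 next-hop address 10.3.0.2 and the interface security levels are assumed; server and public addresses are the ones named in the lab.

```cisco
! Assumed for this example: DMZ3 interface (security-level 50) facing R3,
! servers 10.3.3.1/2/3 reachable behind R3 at 10.3.0.2, outside (level 0) facing R2.

! The route to the server subnet must point out DMZ3, not inside.
no route inside 10.3.3.0 255.255.255.0 10.3.0.2
route DMZ3 10.3.3.0 255.255.255.0 10.3.0.2

! One object per server: the object holds the real (private) host address,
! the nat line carries the mapped public address.
object network S1
 host 10.3.3.1
 nat (DMZ3,outside) static 101.101.1.1
object network S2
 host 10.3.3.2
 nat (DMZ3,outside) static 101.101.1.2
object network S3
 host 10.3.3.3
 nat (DMZ3,outside) static 101.101.1.3

! outside (0) -> DMZ3 (50) is denied by default, so permit only the three
! service ports. NAT is applied before the ACL, so the ACL names the REAL
! addresses (10.3.3.x), never the mapped 101.101.1.x ones.
access-list SERVER extended permit tcp any host 10.3.3.1 eq 80
access-list SERVER extended permit tcp any host 10.3.3.2 eq 21
access-list SERVER extended permit tcp any host 10.3.3.3 eq 23
access-group SERVER in interface outside

! Verification
show run route
show run nat
show run access-list SERVER
show xlate
! Expected: three static xlate entries, e.g. 10.3.3.3 mapped to 101.101.1.3.
! From R2 (outside): telnet 101.101.1.3  -> accepted (port 23 to 10.3.3.3)
!                    telnet 101.101.1.1  -> dropped, only port 80 is permitted there
```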

  4. Static PAT – ASA

Now the next thing we'll see is something called static PAT. Now this is more like static NAT, like we are going to do a one-to-one translation, but not based on public IPs, separate IPs; instead we are going to use some port numbers. Static PAT allows you to translate some specific ports, like TCP or UDP, to a specific global address, based on some local IP, the private IP we are using, with a port number. In general, this is more common when you have multiple servers. Like here in my case, let's say this is my inside, or some kind of DMZ here, and I have three servers, an FTP server and others, using different IPs, and I want all these three servers to get translated to a single public IP address. Like in this example, you can see 209.165.201.3.

But at the same time they will be using different port numbers, just like the same IP but different port numbers. So I want this to get translated with, like you can see here, this server, this FTP server, is getting translated with a different port number. Like here you can see that this is the same public IP, sorry, this is the public IP, but using different port numbers here. And these are the private IP addresses that are used. So static PAT allows you to use one single address for all the servers. They are actually different servers in the real network, but they all use the same mapped IP address but different port numbers. Configuration wise, there's not much difference from what we did in static NAT. So in static NAT we need to define an object network, and then what is the internal private IP address I want to use? Like in my case, these are my internal private IP addresses.

So I need to create an object network which refers to all these three devices, or the three individual IP addresses. And I want all these three addresses to get translated to one single public IP address, but at the same time it will be using different port numbers. Like maybe my FTP server is using port number 21, and the HTTP server port number 20, sorry, 80, and then telnet using port number 23. So we are using the same IP, but mapped to a different public IP. Like here you can see it's actually 1.1. So there are some corrections in the diagram here; it's actually the same public IP. Now we need to define the private network, and then the configuration up to here is still the same. But additionally we need to add... still the same as static NAT. If you remember the static NAT configuration, up to here it is exactly the same as static NAT.

But additionally we need to define a service, and this specific service comes under which category, TCP or UDP. And then you have to define what is your LAN (real) port number, the port number used here, like 80, and then the mapped port, 80 here. So we are going to map your local port number to the public port number used by the users on the outside network. Which means if any user initiates a connection to 100.1.1.1 on port number 80, it's going to redirect to this host on port number 80. And likewise, if any user is trying to initiate a connection on the same IP but on port number 23, it's going to send it to this server on port number 23. And if anyone initiates a connection on the same IP but on port number 21, it's going to go to this internal host. And of course we need to have an ACL, and that ACL is going to allow the respective port numbers to the respective private IP addresses, applied in the inbound direction on the outside interface.

So configuration wise there's not much difference. So what I'll do is I'll quickly do this configuration on the ASA. Before I do this, I just want to confirm whether there are configurations based on the previous lab. I do have configurations. The only thing is I need to remove this NAT configuration. So what I'll do is, I'll not remove the complete configuration; instead I'll just remove this one line and then I'll say nat again. So in my case I need to define something like service. So I'm not going to change the IP; the IP remains the same, and the service is TCP on port number 80, that's my local port number. So I need to say 80 and then 80; I just mistyped that here, done. And likewise, if you go and check my second configuration, I just change this. On the second configuration also, on the second server, I'll remove this configuration and I'll say nat from the DMZ, and the IP remains the same, but the service is going to be the second one: I'm going to translate to my service port number 21.

Right? So I need to say service tcp, my internal port number and the port number used on the outside network; both are the same. So it has to be... just a minute, did I give the correct address? Let me see. Yes. So if you verify show run nat now, this is my second configuration, and for the third configuration I'll remove this. So I'm just trying to go with the configuration based on the previous lab, but at the same time, if you want, you can just remove and reconfigure everything as you see in the presentation here. But I just want you to also know how to edit things. So that's the reason I'm going with this option here. Did I remove the object network here? So show run object network S3. So in that S3 I need to say, let me write it down, nat from DMZ3 to outside, I want to translate with this public IP, and it's a TCP service on port number 23 and 23.

Okay, so if you verify show run nat, I can see here I'm using the same public IP, translated for all the hosts here. And if you verify show run object network, each represents a different device here, and of course I need to write an ACL to permit the traffic. So if you verify show run access-list, I do have an access list based on the previous lab, and I just want to confirm whether it is the same or not. So it's the same thing. So I don't need to remove the ACL, because the ACL is still the same based on the previous lab: allowing any user trying to access these internal servers on the respective ports. I'm not using different ports; I'm still using the same ports here, so it's not required to modify or change the ACLs. So if you want, we can initiate some traffic just to observe the translations.

You can initiate traffic from here, router three to router two, like telnet from router three, or ping or telnet. And if I say show xlate, I should see some translation entries. So what I should see is I should be able to initiate traffic from the outside also, which means from any user I should be able to initiate traffic: if I try to initiate traffic to 101.101.1.1, it should automatically send it to 10.3.3.3 here on port number 23. So let's go to router two and telnet from router two; that's the public IP I'm using. Of course it uses port number 23, and if I say show users there's no difference here; you can see I'm able to initiate traffic. But if I try to initiate traffic to .3, I cannot, because I'm not using .3 here; I'm just using the one public IP here.

So if you go to the ASA and I say show xlate, now here are the translations, the static entries. You will see, normally, you can see I'm mapping the port numbers, so the local port and the port number used on the outside, and what the public IP is that I'm translating to; I'm using the same IP. And what are the private IP addresses I'm going to use in my LAN. So basically static PAT allows you to translate multiple internal servers so they can be hosted on the internet with a single public IP by using different port numbers.
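The static PAT edit described above, done the way the instructor does it (replace only the nat line inside each existing object), as an added ASA example rather than the instructor's own config. It assumes the static NAT lab is still on the box: objects S1, S2 and S3 with hosts 10.3.3.1/2/3, mapped addresses 101.101.1.1/2/3, and ACL SERVER applied inbound on outside; 101.101.1.1 is taken as the single shared mapped address.

```cisco
! Assumes the static NAT lab is present (objects S1-S3, ACL SERVER on outside).
! Only the nat lines change; objects and ACL stay as they are.
! 101.101.1.1 is the single mapped address all three servers now share.

object network S1
 no nat (DMZ3,outside) static 101.101.1.1
 nat (DMZ3,outside) static 101.101.1.1 service tcp 80 80
object network S2
 no nat (DMZ3,outside) static 101.101.1.2
 nat (DMZ3,outside) static 101.101.1.1 service tcp 21 21
object network S3
 no nat (DMZ3,outside) static 101.101.1.3
 nat (DMZ3,outside) static 101.101.1.1 service tcp 23 23
! "service tcp <real_port> <mapped_port>": the same mapped IP can be reused
! because each line claims a different mapped port.

! The ACL needs no change: it already permits the real IP/port pairs, and
! NAT runs before the ACL, so a connection to 101.101.1.1 port 23 is already
! 10.3.3.3 port 23 when the SERVER list is checked.
show run nat
show xlate
! Expected: one static entry per server, roughly
!   DMZ3:10.3.3.1/80 -> outside:101.101.1.1/80   (http)
!   DMZ3:10.3.3.2/21 -> outside:101.101.1.1/21   (ftp)
!   DMZ3:10.3.3.3/23 -> outside:101.101.1.1/23   (telnet)
! From R2: telnet 101.101.1.1 reaches 10.3.3.3; telnet 101.101.1.3 now fails,
! because that mapped address is no longer configured anywhere.
```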
