- Cisco ASA uses the concept of network objects to configure Network Address Translation (NAT).
- A network object can be a single host or a range of hosts.
- Cisco ASA allows you to configure NAT using two methods:
i) Network Object NAT
ii) Manual or Twice NAT
- Before configuring NAT with either Network Object NAT or Manual NAT, we need to understand the concept of the REAL IP ADDRESS used in a network object.
- In simple terms, the Real IP Address is the private or local IP address of the network host.
- From ASA 8.3 onwards, NAT translation occurs first, and then the policy rules (access-list) are checked.
- So we need to configure the Real IP address in the policy rules (access-list).
Network Object NAT
- Works from ASA 8.3 onwards.
- It is also called Auto NAT.
- Previously we needed to configure NAT commands in global configuration mode.
- In Network Object NAT, we first create an object and then configure NAT under that object.
- Translates either the source or the destination IP address only.
- The NAT command should be given in the private (real) object only.
- Before 8.3 there was only one table used in Cisco ASA (the Xlate table).
- From 8.3 onwards, two tables are used in Cisco ASA for NAT:
i) NAT table – built from the NAT configuration in Cisco ASA (show nat detail).
ii) Xlate table – built from the traffic entering Cisco ASA (show xlate).
Ex: To translate 192.168.1.1 to 1.1.1.1
object network Cisco
 host 192.168.1.1
 nat (inside,outside) static 1.1.1.1
exit
MANUAL NAT
- Manual NAT is configured in global configuration mode, not under object network mode.
- In Manual NAT we can translate both the source and the destination address.
- It is also called Twice NAT.
- By default, it is placed before the Auto NAT configuration in the NAT table.
- We can implement Policy NAT by using Manual or Twice NAT.
- Policy NAT allows the Cisco ASA to perform NAT based on some conditions (policy).
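As an added example (not part of the original post), the following Python script parses a constructed ASA 8.3+ configuration fragment into its Network Object NAT pairs and Manual NAT lines, orders them the way the NAT table does (Manual NAT before Auto NAT), and flags access-list entries that still reference a mapped address instead of the real IP. The object names, addresses and ACL name are constructed for the example.

```python
import re

# Constructed ASA 8.3+ configuration fragment (sample input, not from the page).
ASA_CONFIG = """\
object network Cisco
 host 192.168.1.1
 nat (inside,outside) static 1.1.1.1
object network Web
 host 192.168.1.20
 nat (inside,outside) static 1.1.1.20
nat (inside,outside) source static Cisco Cisco destination static Partner Partner
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.1 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.20 eq 80
"""

NatMap = dict[str, tuple[str, str]]   # object name -> (real IP, mapped IP)

def parse_nat(config: str) -> tuple[NatMap, list[str]]:
    """Collect Network Object NAT (real, mapped) pairs and Manual NAT lines."""
    objects: dict[str, list[str]] = {}
    manual: list[str] = []
    current = None
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
            objects[current] = ["", ""]
        elif current and (m := re.match(r"\s+host (\S+)", line)):
            objects[current][0] = m.group(1)           # real (private) address
        elif current and (m := re.match(r"\s+nat ?\(\S+\) static (\S+)", line)):
            objects[current][1] = m.group(1)           # mapped (public) address
        elif line.startswith("nat ("):                  # global mode = Manual/Twice NAT
            manual.append(line.strip())
    return {k: (v[0], v[1]) for k, v in objects.items()}, manual

def nat_table_order(objects: NatMap, manual: list[str]) -> list[str]:
    """Section 1 (Manual NAT) is evaluated before Section 2 (Network Object NAT)."""
    auto = [f"{name}: {real} -> {mapped}" for name, (real, mapped) in objects.items()]
    return manual + auto

def acl_mapped_ip_errors(config: str, objects: NatMap) -> list[tuple[str, str]]:
    """Flag access-list lines that use a mapped IP; post-8.3 ACLs must use real IPs."""
    mapped_to_real = {mapped: real for real, mapped in objects.values() if mapped}
    errors = []
    for line in config.splitlines():
        if line.startswith("access-list"):
            for token in line.split():
                if token in mapped_to_real:
                    errors.append((token, mapped_to_real[token]))
    return errors
```

Running `acl_mapped_ip_errors(ASA_CONFIG, parse_nat(ASA_CONFIG)[0])` reports the OUTSIDE_IN line written against 1.1.1.1, which should reference 192.168.1.1 instead.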
Thanks, almost understood how it works after reading this :)