Thursday, June 17, 2021

Cisco ASA NAT Internet Access

In this tutorial, we are going to learn the step-by-step process for the inside interface to the outside interface NAT configuration in the Cisco ASA firewall. 

We know that we need to use one public IP address to connect to the internet. Because private IP addresses are not routable to the internet. In the Cisco ASA firewall, when we share one public IP address among the LAN users, then it is called "Dynamic PAT (Hide)". When we share a range of IP addresses then it is called "Dynamic NAT". If we want to allow access from the outside network to the inside network then we will use the “Static” NAT Method.

In this tutorial, we are going to configure the inside to outside NAT functions. This is also called source NAT. Generally, the source NAT is used to connect to the internet. For the source NAT configuration, we are going to share one public IP address among the LAN users. That's why we will use the "Dynamic PAT (Hide)" configuration. We will perform NAT function from inside interface to outside interface. All the LAN user's traffic that is intended to reach the internet or the outside network, their source address will be replaced by the outside interface IP address.

Now we will go through the step-by-step configuration process to perform the source NAT or the inside to outside NAT configuration in the Cisco ASA firewall.

We assume that we have a local network 192.168.1.0/24. Also, we have one public IP address 1.1.1.1. Now we are going to configure the NAT function so that our private IP address is translated to the public IP address. After that, we have to create one access list entry so that the firewall can allow the internet traffic from the inside interface to the outside interface.

At first, we will create a “network object NAT rule” for our LAN network. Then we will enable the NAT function on that network object.

To create a network object NAT rule, click on the “Firewall” option and then click on the “NAT” rules from the “Firewall” configuration page. Then click on the “Add” drop-down button and select the “Add Network Object NAT” rule.


Now we will give a descriptive name for this object. We will name it "NAT_Rule_Internet". Then select the object type from the drop-down list. Here, we will select "network" as the object type. Make sure that the "IPv4" radio button is selected as the "IP Version". Write your network address in the "IP Address" field. Here, we will write "192.168.1.0" as the network address. Because we are going to NAT this local address to our public address which is 1.1.1.1. Then write your subnet mask in the "Netmask" field. You can select a mask from the drop-down list also.


Now we will configure the source NAT. Please make sure that the "Add Automatic Address Translation Rules" check box is ticked in the "NAT" section. In the "Type" field, select "Dynamic PAT (Hide)" from the drop-down list. Now write your public IP address in the "Translated Addr" field which is 1.1.1.1 or you can select your public interface from the interface list. After that click on the "Advanced" tab.


In the "Advanced" tab, we will select the source NAT interface and the destination NAT interface. The source NAT interface is that which will be translated. And the destination NAT interface is one whose address will be used to translate the source interface.

Now select your "inside" interface or the LAN interface from the "Source Interface" field. Because we are going to translate the local private IP address to the public one. Then select your "outside" interface from the "Destination Interface" field. Then click on the "OK" button to close this window.


Finally, click on the "OK" button to save this network object rule. Now click on the "Apply" button to save these changes into the "Running-Config".


All the required configuration is done to connect to the internet. One final thing we have to do that create an access rule to allow the traffic from inside to the outside network. By default, the firewall blocks all the traffic from inside to outside interface and outside to inside interface also. We will create an access rule that allows all the traffic coming from the inside interface and intended to go to the outside network or the internet.

To create an access rule, go to the "Firewall" option and click on the "Access Rules" from the firewall configuration page. Then click on the "Add" button to add a new rule.


Now we will select the interface from the drop-down list on which we will deploy this ACL. Here, we will select the "outside" interface because we are going to apply this ACL in the outside interface. Click on the "Permit" radio button as the "Action" field value. Keep the default value in the source and destination field. Leave the default value for the "service" field also. Then expand the "More Options" feature.


Here, make sure the "Enable Rule" tick button is ticked. Now click on the "Out" radio button as the "Traffic Direction" value. Because we create this ACL to allow the outgoing traffic from inside to the outside interface. After then click on "OK" to add this ACL into the "ACL List".


All the things are done. Now firewall will allow any traffic from inside to the outside interface coming from any source address. From now on all the local users can connect to the internet.


No comments:

Post a Comment