Thursday, June 17, 2021

Cisco ASA NAT Outside to Inside

Now we are going to configure destination NAT, also called outside-to-inside NAT. Destination NAT is generally used to make an internal LAN server reachable from the internet without assigning a public IP address to the server itself. Once the destination NAT is in place, the internal server is reached from the internet through the outside interface address (or another public address we own). We can also forward a single port: traffic arriving on that port at the outside interface is sent to the internal LAN server, normally on the same port. This is called port forwarding.

In this tutorial, we are going to forward the FTP port to a local FTP server using ASDM, so that the FTP server can be reached from the outside network. This is also called destination NAT. We will go through the process step by step.

After logging in to the firewall with ASDM, go to the "Configuration" tab and click the "Firewall" button in the left panel. Then select "NAT Rules" on the firewall configuration page.


Now click the "Add" drop-down button and select "Add Network Object NAT Rule".


Write a name for this entry in the "Name" field. We named it "FTP_Traffic_Forward"; note that the name cannot contain spaces. Select "Host" in the "Type" field and write the local FTP server's IP address in the "IP Address" field. We assume our FTP server's address is 192.168.1.10.


Make sure the "Add Automatic Address Translation Rules" box is ticked. Select "Static" from the drop-down in the "Type" field, and select your outside interface in the "Translated Addr" field; the outside interface is the WAN-facing interface. In this example the outside interface is named "outside".


Now click on the "Advanced" button.


In the "Advanced" settings, select your inside (LAN) interface in the "Source Interface" field; we assume it is named "inside". Select your outside (WAN) interface in the "Destination Interface" field. Make sure "TCP" is selected in the "Protocol" field. Then enter the FTP service port in both "Real Port" and "Mapped Port". The default FTP control port is 21.

[Note: the Real Port is the port the FTP service listens on at the local server, 21 here; the Mapped Port is the port clients connect to on the outside interface or public address. They are the same in this example, but they may differ, for instance to expose the server on a non-standard public port.]


That's it for the NAT rule. Click "OK", then click "Apply" to write the rule into the running configuration.


One more thing has to be done: the traffic also has to be permitted by an ACL. By default the firewall drops all new connections arriving on the outside interface, so we have to create an access rule on the outside interface that allows the forwarded FTP traffic through.

To add an ACL on the outside interface, click the "Access Rules" button on the firewall configuration page.


To add an access rule, click the "Add" button.


In the "Add Access Rule" window, select your outside interface in the "Interface" field; in our scenario that is "outside". Select the "Permit" radio button, since we are allowing this traffic. In the "Source Criteria" and "Destination Criteria" sections, leave the "Source" and "Destination" fields at their default value of "any". Then click in the "Service" box and type the service name, "ftp" in our scenario; as you type, ASDM lists the services matching your keyword, so pick the one you want (tcp/ftp). Be aware that a source of "any" exposes the FTP server to every address on the internet; if only known clients need access, put their addresses or a network object in the "Source" field instead.


Then click the "More Options" drop-down. Select the "In" radio button under "Traffic Direction", since this ACL allows traffic arriving from outside networks that is destined for our local network. Finally, click "OK" to close the window and "Apply" the change.


Our outside-to-inside NAT configuration is done, and the local FTP server is now reachable from the internet on the outside interface address. Note that the firewall permits only TCP port 21 to the server, not all traffic to it; FTP data transfers use a second connection, which the ASA allows only because FTP inspection (enabled in the default global policy) tracks it, so do not disable that inspection. Because FTP carries credentials and data in cleartext, consider restricting the permitted sources or using SFTP/FTPS for anything exposed to the internet. This process is also called "Destination NAT".
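The CLI equivalent of the ASDM steps above, added here as an example (it is not from the original post): this is what ASDM writes to the running configuration on ASA 8.3 or later, using the object name from the tutorial, ASDM's default name `outside_access_in` for the inbound ACL on the outside interface, and, in the verification commands, an assumed public address of 198.51.100.1 for the outside interface and an assumed internet client 203.0.113.50. The comments mark the two checks worth making before exposing the server.

```text
! Object NAT: the real host 192.168.1.10 is reachable as the outside
! interface address on TCP/21 (real port ftp -> mapped port ftp).
object network FTP_Traffic_Forward
 host 192.168.1.10
 nat (inside,outside) static interface service tcp ftp ftp
!
! Inbound ACL on the outside interface. On ASA 8.3 and later the access
! rule matches the REAL (untranslated) destination, so the object, not the
! public address, is the destination. "any" as source is what the tutorial
! uses; replace it with the hosts that actually need FTP access.
access-list outside_access_in extended permit tcp any object FTP_Traffic_Forward eq ftp
access-group outside_access_in in interface outside
!
! Check 1: FTP opens a second TCP connection for data. The default global
! policy includes "inspect ftp", which opens that pinhole dynamically and
! rewrites the address in PASV/PORT replies. Confirm it is still applied:
! show service-policy inspect ftp
!
! Check 2: verify the translation and trace a simulated client connection
! (assumed client 203.0.113.50, assumed outside address 198.51.100.1):
! show nat detail
! packet-tracer input outside tcp 203.0.113.50 49152 198.51.100.1 21 detailed
```

The packet-tracer output should show the NAT phase untranslating the destination to 192.168.1.10 and the ACCESS-LIST phase matching `outside_access_in`, ending with "Action: allow"; a "drop" at the access-list phase usually means the rule was written against the public address instead of the real one, or was not applied inbound on the outside interface.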

