ASA Firewall: Dynamic NAT Configuration
In this article I will configure dynamic NAT on an ASA firewall. Here are the details of the topology I am using.
FW1
- Gig1/1 : 103.111.248.1/24
- Gig1/2 : 192.168.1.1/24
- Gig1/3 : 192.168.2.1/24
Server0
- Fa0 : 192.168.1.2/24
PC0
- Fa0 : 192.168.2.2/24
R1
- Fa0/0 : 103.111.248.2/24
- Fa0/1 : 192.168.3.1/24
Laptop0
- Fa0 : 192.168.3.2/24
Basic Config FW1
FW1#show run
: Saved
:
ASA Version 9.6(1)
!
hostname FW1
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 103.111.248.1 255.0.0.0
!
interface GigabitEthernet1/2
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
shutdown
!
!
!
!
!
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
!
!
!
Basic Config R1
R1#show run
Building configuration...
Current configuration : 626 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2811/K9 sn FTX1017V8XO-
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 103.111.248.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
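Before adding NAT it is worth checking the FW1 interface configuration above against the topology. The following is an added example, not part of the original article: it parses the three named interface stanzas from the FW1 show run (copied here as a constructed string), compares each configured address and mask with the /24 addressing listed in the topology section, and confirms that the outside interface carries the lowest security-level and inside the highest, which is what lets inside-to-outside traffic pass without an explicit ACL. The topology values are taken as the intended ones; that is an assumption of this check.

```python
import ipaddress

# Interface stanzas copied from the article's FW1 "show run" (constructed input for this check)
FW1_RUN = """\
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 103.111.248.1 255.0.0.0
!
interface GigabitEthernet1/2
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
"""

# Intended addressing from the topology section (assumed to be the source of truth)
TOPOLOGY = {
    "GigabitEthernet1/1": "103.111.248.1/24",
    "GigabitEthernet1/2": "192.168.1.1/24",
    "GigabitEthernet1/3": "192.168.2.1/24",
}


def parse_interfaces(run):
    """Return {interface: {nameif, security_level, addr}} from ASA running-config text."""
    ifaces = {}
    cur = None
    for line in run.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {}
        elif cur and line.startswith("nameif "):
            ifaces[cur]["nameif"] = line.split()[1]
        elif cur and line.startswith("security-level "):
            ifaces[cur]["security_level"] = int(line.split()[1])
        elif cur and line.startswith("ip address "):
            _, _, ip, mask = line.split()
            # ip_interface accepts a dotted netmask after the slash
            ifaces[cur]["addr"] = ipaddress.ip_interface(f"{ip}/{mask}")
    return ifaces


def audit(ifaces, topology):
    """List mismatches between configured addressing/security levels and the topology."""
    findings = []
    for name, want in topology.items():
        want_if = ipaddress.ip_interface(want)
        got = ifaces.get(name, {}).get("addr")
        if got is None:
            findings.append(f"{name}: no ip address configured")
        elif got.network != want_if.network:
            findings.append(
                f"{name}: configured {got.with_prefixlen}, topology says {want_if.with_prefixlen}"
            )
    levels = {v["nameif"]: v["security_level"] for v in ifaces.values() if "nameif" in v}
    if levels and levels.get("outside") != min(levels.values()):
        findings.append("outside is not the lowest security-level interface")
    if levels and levels.get("inside") != max(levels.values()):
        findings.append("inside is not the highest security-level interface")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_interfaces(FW1_RUN), TOPOLOGY):
        print(finding)
```

Run against the article's config, the audit reports only that GigabitEthernet1/1 is configured with a /8 mask where the topology lists /24; with 255.0.0.0 the ASA treats all of 103.0.0.0/8 as directly connected on outside, so the mask should be corrected to 255.255.255.0 before relying on the default route.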
Dynamic NAT Configuration
I will create dynamic NAT for the 192.168.2.0/24 network so that it can ping the outside network. Add a default route, create a network object, and enable ICMP inspection.
FW1(config)#route outside 0.0.0.0 0.0.0.0 103.111.248.2
FW1(config)#object network inside-outside
FW1(config-network-object)#subnet 192.168.2.0 255.255.255.0
FW1(config-network-object)#nat (inside,outside) dynamic interface
FW1(config)#policy-map global_policy
FW1(config-pmap)#class inspection_default
FW1(config-pmap-c)#inspect icmp
Testing
Ping from PC0 to Laptop0 and check on FW1 with the show nat and show xlate commands.
FW1(config)#show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
ICMP PAT from inside:192.168.2.2/21 to outside:103.111.248.1/41910 flags i idle 00:00:03, timeout 0:00:30
FW1(config)#show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside-outside interface
translate_hits = 2, untranslate_hits = 1
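To turn the manual check above into something repeatable, here is an added example that is not part of the original article. It models the one Auto NAT rule configured on FW1 (dynamic PAT behind the outside interface address, assumed to be 103.111.248.1), parses the show xlate and show nat output from the test run (copied in as constructed strings), and flags any translation that does not match the rule: a flow no rule should touch, a non-dynamic entry, or an inside address that reaches outside unchanged. A constructed bad line is included to show what a leak would look like.

```python
import ipaddress
import re

# The Auto NAT rule from the article: "nat (inside,outside) dynamic interface" on 192.168.2.0/24
NAT_RULE = {
    "subnet": ipaddress.ip_network("192.168.2.0/24"),
    "from_if": "inside",
    "to_if": "outside",
    # "dynamic interface" hides sources behind the outside interface address (assumed 103.111.248.1)
    "translate_to": ipaddress.ip_address("103.111.248.1"),
}

# show xlate / show nat output copied from the article's test run (constructed input)
SHOW_XLATE = """\
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
ICMP PAT from inside:192.168.2.2/21 to outside:103.111.248.1/41910 flags i idle 00:00:03, timeout 0:00:30
"""
SHOW_NAT = """\
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside-outside interface
translate_hits = 2, untranslate_hits = 1
"""
# Constructed example of what a leaked (untranslated) inside address would look like; not real output
LEAKED_LINE = "ICMP PAT from inside:192.168.2.5/7 to outside:192.168.2.5/7 flags i idle 00:00:01, timeout 0:00:30"

XLATE_RE = re.compile(
    r"^(?P<proto>\w+) (?P<kind>PAT|NAT) from (?P<from_if>\w+):(?P<orig_ip>[\d.]+)/(?P<orig_port>\d+)"
    r" to (?P<to_if>\w+):(?P<xlate_ip>[\d.]+)/(?P<xlate_port>\d+) flags (?P<flags>\S+)"
)
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


def parse_xlate(output):
    """Extract the translation entries (PAT/NAT lines) from show xlate output."""
    entries = []
    for line in output.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["orig_ip"] = ipaddress.ip_address(d["orig_ip"])
            d["xlate_ip"] = ipaddress.ip_address(d["xlate_ip"])
            entries.append(d)
    return entries


def expected_source(src_ip, ingress_if, egress_if, rule=NAT_RULE):
    """Source address a packet should carry after the rule, or None if the rule does not apply."""
    src = ipaddress.ip_address(src_ip)
    if ingress_if == rule["from_if"] and egress_if == rule["to_if"] and src in rule["subnet"]:
        return rule["translate_to"]
    return None


def check_xlate(entry, rule=NAT_RULE):
    """Return a list of problems with one translation entry (empty list means it matches the rule)."""
    problems = []
    want = expected_source(entry["orig_ip"], entry["from_if"], entry["to_if"], rule)
    if want is None:
        problems.append("no NAT rule matches this flow")
    elif entry["xlate_ip"] != want:
        problems.append(f"translated to {entry['xlate_ip']}, expected {want}")
    if "i" not in entry["flags"]:
        problems.append("translation is not dynamic")
    if entry["orig_ip"] == entry["xlate_ip"]:
        problems.append("inside address leaked unchanged")
    return problems


def nat_hits(output):
    """Return (translate_hits, untranslate_hits) from show nat output, or None if absent."""
    m = HITS_RE.search(output)
    return (int(m.group(1)), int(m.group(2))) if m else None


if __name__ == "__main__":
    for entry in parse_xlate(SHOW_XLATE):
        print(entry["orig_ip"], "->", entry["xlate_ip"], check_xlate(entry) or "OK")
    print("hits:", nat_hits(SHOW_NAT))
```

The article's xlate line passes every check (192.168.2.2 is hidden behind 103.111.248.1 with the dynamic flag), and the hit counters confirm the rule was used in both directions; the constructed leaked line is reported with two problems, which is the symptom to look for if the object subnet or the interface pair in the nat statement were wrong.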