ASA Firewall: Dynamic NAT Configuration

In this article I will configure dynamic NAT on an ASA firewall. Below are the details of the topology I am using.

  • FW1
    - Gig1/1 : 103.111.248.1/24
    - Gig1/2 : 192.168.1.1/24
    - Gig1/3 : 192.168.2.1/24

  • Server0
    - Fa0 : 192.168.1.2/24

  • PC0
    - Fa0 : 192.168.2.2/24

  • R1
    - Fa0/0 : 103.111.248.2/24
    - Fa0/1 : 192.168.3.1/24

  • Laptop0
    - Fa0 : 192.168.3.2/24

Basic Config FW1

FW1#show run
: Saved
:
ASA Version 9.6(1)
!
hostname FW1
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 103.111.248.1 255.0.0.0
!
interface GigabitEthernet1/2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/4
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/5
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/6
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/7
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/8
 no nameif
 no security-level
 no ip address
 shutdown
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
 shutdown
!
!
!
!
!
!
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp 
  inspect tftp 
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
!
!
!

Basic Config R1

R1#show run
Building configuration...

Current configuration : 626 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2811/K9 sn FTX1017V8XO-
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 103.111.248.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

Dynamic NAT Configuration

I will create a dynamic NAT for the 192.168.2.0/24 network so that it can ping the outside network. Add a default route, create the network object, and enable inspection of ICMP packets.

FW1(config)#route outside 0.0.0.0 0.0.0.0 103.111.248.2 

FW1(config)#object network inside-outside
FW1(config-network-object)#subnet 192.168.2.0 255.255.255.0
FW1(config-network-object)#nat (inside,outside) dynamic interface

FW1(config)#policy-map global_policy
FW1(config-pmap)#class inspection_default
FW1(config-pmap-c)#inspect icmp

Testing

Ping from PC0 to Laptop0 and check on FW1 with the show nat and show xlate commands.

FW1(config)#show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
ICMP PAT from inside:192.168.2.2/21 to outside:103.111.248.1/41910 flags i idle 00:00:03,  timeout 0:00:30

FW1(config)#show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside-outside interface
    translate_hits = 2, untranslate_hits = 1
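The show xlate output above is what an operator has to read when an outside party reports traffic from the interface PAT address 103.111.248.1 and the inside host must be identified. As an added example (not part of the original article), this Python script parses that output format, resolves the flag letters through the legend the ASA prints, and maps an outside IP/port back to the inside host. The TCP and static entries in SAMPLE_XLATE are constructed to match the ASA format and are assumptions, not output from the author's lab.

```python
"""Parse Cisco ASA 'show xlate' output and map a PAT'd outside IP/port back
to the inside host. SAMPLE_XLATE is constructed from the article's format."""
import re

SAMPLE_XLATE = """\
3 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
ICMP PAT from inside:192.168.2.2/21 to outside:103.111.248.1/41910 flags i idle 00:00:03,  timeout 0:00:30
TCP PAT from inside:192.168.2.2/50321 to outside:103.111.248.1/1026 flags ri idle 0:00:05 timeout 0:00:30
NAT from dmz:192.168.1.2 to outside:103.111.248.10 flags s idle 0:01:10 timeout 0:00:00
"""

# One translation line; 'proto' is absent on 1:1 NAT entries, ports are optional.
_ENTRY = re.compile(
    r"^(?:(?P<proto>[A-Z]+)\s+)?(?P<kind>PAT|NAT)\s+from\s+"
    r"(?P<in_if>[\w-]+):(?P<in_ip>[\d.]+)(?:/(?P<in_port>\d+))?\s+to\s+"
    r"(?P<out_if>[\w-]+):(?P<out_ip>[\d.]+)(?:/(?P<out_port>\d+))?\s+"
    r"flags\s+(?P<flags>\S+)\s+idle\s+(?P<idle>[\d:]+),?\s+timeout\s+(?P<timeout>[\d:]+)")

def parse_flag_legend(line):
    """'Flags: D - DNS, e - extended, ...' -> {'D': 'DNS', 'e': 'extended', ...}"""
    pairs = (item.strip().partition(" - ") for item in line.split(":", 1)[1].split(","))
    return {letter: meaning for letter, _, meaning in pairs}

def parse_xlate(text):
    """Return (legend, entries). Ports become ints (None when absent) and each
    entry gets 'flag_names' resolved through the legend printed by the ASA."""
    legend, entries = {}, []
    for line in text.splitlines():
        if line.startswith("Flags:"):
            legend = parse_flag_legend(line)
            continue
        m = _ENTRY.match(line)
        if not m:
            continue  # counters, blank lines, prompt echo
        e = m.groupdict()
        for key in ("in_port", "out_port"):
            e[key] = int(e[key]) if e[key] else None
        e["flag_names"] = [legend.get(f, f) for f in e["flags"]]
        entries.append(e)
    return legend, entries

def find_inside_host(entries, out_ip, out_port=None):
    """Map an externally observed outside IP/port to (inside_if, ip, port).
    A 1:1 NAT entry has no outside port and therefore matches any port."""
    return [(e["in_if"], e["in_ip"], e["in_port"]) for e in entries
            if e["out_ip"] == out_ip
            and (e["out_port"] is None or out_port is None or e["out_port"] == out_port)]
```

Because interface PAT entries expire after the 30 second idle timeout shown above, this lookup only works against xlate output captured while the translation was still active; for after-the-fact attribution the ASA's NAT syslog messages are the record to keep.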