SNAF v1.0 Lab Guide L3-11 © Global Knowledge Training LLC
In this section of the lab you will perform a quick experiment with PAT. Imagine the situation where you need to connect a network to the Internet when only residential class service is available from the ISP. You will have a single IP address to use, and you can’t predict what the dynamically assigned address will be from day to day. This is the scenario for this section of the lab. You will configure PAT, and instead of specifying a PAT address, you will use the keyword “interface”.
12. Configure PAT using the IP address assigned to the outside interface:
12.1. Access ASDM on the Admin PC.
12.2. Since the configuration was changed by the CLI, ASDM does not represent the current configuration. To address this issue, click refresh in ASDM.
12.3. In ASDM, navigate to Configuration > Firewall > NAT Rules. Verify the NAT Rules table is empty and Enable traffic through the firewall without address translation is UNCHECKED.
12.4. Define PAT sourced from the inside interface. Under NAT Rules, select Add > Add Dynamic NAT Rule. Fill in the Dynamic NAT Rule as follows:
• Original:
  - Interface: inside
  - Source: 10.10.0.0/16 (Be careful not to select /24!)
• Translated:
  - Click Manage, then click Add.
  - Interface: outside
  - Pool ID: 1
  - Select Port Address Translation (PAT) using IP Address of the interface and click Add.
  - Click OK, click OK.
• Click OK.
12.5. Repeat this process, but define PAT sourced from the DMZ interface. Under NAT Rules, select Add > Add Dynamic NAT Rule. Fill in the Dynamic NAT Rule as follows:
• Original:
  - Interface: dmz
  - Source: 172.16.1.0/24
• Translated:
  - Select Pool ID 1 defined previously.
12.6. Verify that the NAT Rules table now looks like this:
12.7. Click Apply. The Preview CLI Commands window should display the following commands. If what is shown appears correct, click Send. If it is incorrect, click Cancel and retrace the past few steps.
nat (dmz) 1 172.16.1.0 255.255.255.0 tcp 0 0 udp 0
nat (inside) 1 10.10.0.0 255.255.0.0 tcp 0 0 udp 0
global (outside) 1 interface
Note The nat commands associated with the dmz and inside interfaces specify which source IP addresses are valid for translation and specify the NAT ID 1. The global command on the outside interface uses the matching NAT ID 1 and specifies the keyword interface instead of an IP address or range of IP addresses.
13. Verify the resulting behavior of the PAT configuration:
13.1. Use a Command Prompt window on the Admin PC to telnet to the Internet Router (100.100.1.1). Authenticate as admin with the password admin$Pwd.
Note Translating to the 200.200.1.0 public address space (specifically 200.200.1.2 in this case) will now allow connections to resources on the simulated Internet.
13.2. Move to the desktop of the DMZ server, and use a Command Prompt there to telnet to the Internet Router.
13.3. In the Telnet connection from the DMZ Server, issue the show users command. Verify that both connections appear to be coming from the ASA’s outside interface IP address (200.200.1.2).
InternetRouter>sh users
    Line   User   Host(s)   Idle       Location
    vty 194  admin  idle     00:04:11   200.200.1.2
*   vty 195  admin  idle     00:00:00   200.200.1.2

    Interface   User   Mode   Idle   Peer Address
13.4. Verify the translation table on the ASA. Return to the SSH connection to the ASA running on the Admin PC and use the show xlate command.
GKL-ASA(config)# sh xlate
2 in use, 4 most used
PAT Global 200.200.1.2(1025) Local 172.16.1.15(1131)
PAT Global 200.200.1.2(1024) Local 10.10.10.10(6671)
Note There should be at least 2 entries in the translation table. Note the translations are listed as PAT translations, and port numbers are listed.
13.5. Verify the port number in use on the Admin PC itself. Use a Command Prompt window to execute the command netstat -n.
c:\>netstat -n
Active Connections
Proto  Local Address        Foreign Address      State
TCP    10.10.10.10:4728     10.10.0.1:22         ESTABLISHED
TCP    10.10.10.10:6612     10.10.0.1:443        ESTABLISHED
TCP    10.10.10.10:6671     100.100.1.1:23       ESTABLISHED
TCP    127.0.0.1:1038       127.0.0.1:47007      CLOSE_WAIT
Note There should be several entries in the Admin PC’s connection table. One should be from a high numbered port on itself (10.10.10.10) to port 23 on the Internet Router (100.100.1.1).
Note From the two example outputs above: The Admin PC is really using TCP source port 6671. The ASA is translating the source port to 1024. Hence, when the ASA receives an inbound packet destined for 200.200.1.2 port 1024, it knows to forward it to 10.10.10.10 port 6671.
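The following Python model is an added illustration, not part of the lab guide or Cisco's code. It ties together the nat/global commands from step 12.7 (which source addresses are eligible for NAT ID 1, and which global address pool 1 maps to) and the xlate behaviour described in the note above (outbound packets create a PAT entry, inbound packets are reverse-looked-up through it). Everything in it is constructed from the lab's own addresses: the Admin PC at 10.10.10.10 source port 6671, the DMZ server at 172.16.1.15 source port 1131, and the outside interface address 200.200.1.2. The assumption that global ports are handed out upward from 1024 is the model's own, chosen to reproduce the show xlate output on the page; a real ASA's port allocation differs in detail. It also goes slightly beyond the lab to show what happens to an unsolicited inbound packet and to a source address not covered by a nat rule, including the /24 mistake step 12.4 warns about.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed to mirror the lab's commands (NAT ID 1):
#   nat (inside) 1 10.10.0.0 255.255.0.0
#   nat (dmz) 1 172.16.1.0 255.255.255.0
#   global (outside) 1 interface      (the outside interface address is 200.200.1.2)
LAB_NAT_RULES = {
    "inside": (1, ipaddress.ip_network("10.10.0.0/16")),
    "dmz": (1, ipaddress.ip_network("172.16.1.0/24")),
}
LAB_GLOBAL_POOLS = {1: "200.200.1.2"}
FIRST_PAT_PORT = 1024  # assumption of this model: global ports are handed out upward from 1024


@dataclass
class Xlate:
    """One PAT entry, the equivalent of one 'show xlate' line."""
    local_ip: str
    local_port: int
    global_ip: str
    global_port: int


@dataclass
class PatTable:
    nat_rules: dict      # interface -> (nat_id, eligible source network)
    global_pools: dict   # nat_id -> global (outside) address
    entries: list = field(default_factory=list)
    next_port: int = FIRST_PAT_PORT

    def outbound(self, iface, src_ip, src_port):
        """Translate an outbound packet. Returns (global_ip, global_port),
        or None when no nat rule on that interface covers the source address."""
        rule = self.nat_rules.get(iface)
        if rule is None:
            return None
        nat_id, network = rule
        if ipaddress.ip_address(src_ip) not in network:
            return None
        for e in self.entries:  # an existing xlate for this local socket is reused
            if e.local_ip == src_ip and e.local_port == src_port:
                return e.global_ip, e.global_port
        e = Xlate(src_ip, src_port, self.global_pools[nat_id], self.next_port)
        self.next_port += 1
        self.entries.append(e)
        return e.global_ip, e.global_port

    def inbound(self, dst_ip, dst_port):
        """Reverse lookup for an inbound packet. Returns (local_ip, local_port),
        or None when no xlate exists, in which case there is no host to forward it to."""
        for e in self.entries:
            if e.global_ip == dst_ip and e.global_port == dst_port:
                return e.local_ip, e.local_port
        return None

    def show_xlate(self):
        """Render the table in the style of the ASA's 'show xlate' output."""
        lines = [f"{len(self.entries)} in use"]
        for e in self.entries:
            lines.append(
                f"PAT Global {e.global_ip}({e.global_port}) "
                f"Local {e.local_ip}({e.local_port})"
            )
        return "\n".join(lines)


def run_lab_scenario():
    """Replay the two Telnet sessions from the lab plus a few cases the lab does not show."""
    t = PatTable(LAB_NAT_RULES, LAB_GLOBAL_POOLS)
    results = {}
    # Admin PC (10.10.10.10, source port 6671 as seen in netstat) connects first
    results["admin_pc"] = t.outbound("inside", "10.10.10.10", 6671)
    # DMZ server (172.16.1.15, source port 1131) connects second
    results["dmz_server"] = t.outbound("dmz", "172.16.1.15", 1131)
    # The router's reply to 200.200.1.2:1024 is mapped back to the Admin PC
    results["reply_to_admin"] = t.inbound("200.200.1.2", 1024)
    # An unsolicited inbound packet matches no xlate, so there is nothing to forward it to
    results["unsolicited"] = t.inbound("200.200.1.2", 2000)
    # A source outside 10.10.0.0/16 is not covered by the inside nat rule
    results["uncovered_source"] = t.outbound("inside", "10.20.0.5", 5000)
    # The /24 mistake the lab warns about: 10.10.10.10 is not inside 10.10.0.0/24
    wrong = PatTable({"inside": (1, ipaddress.ip_network("10.10.0.0/24"))}, LAB_GLOBAL_POOLS)
    results["slash24_mistake"] = wrong.outbound("inside", "10.10.10.10", 6671)
    results["xlate_output"] = t.show_xlate()
    return results


if __name__ == "__main__":
    for name, value in run_lab_scenario().items():
        print(f"{name}: {value}")
```

Running the script prints the same two PAT entries the lab's show xlate command produced, and the three None results make the point that PAT only carries traffic that an inside or dmz host initiated from an address the nat rules cover; a nat rule with the wrong mask silently leaves the Admin PC untranslated rather than failing loudly.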
14. Clean up for the next section of the lab:
14.1. On the DMZ Server, close the Telnet connection to the Internet Router.
14.2. On the Admin PC, close the Telnet connection to the Internet Router and the command prompt used to verify the port via netstat.
14.3. In ASDM, clear the two dynamic NAT rules:
14.3.1. Highlight the rule under the dmz interface and click Delete.
14.3.3. Click Apply. The Preview CLI Commands window should display commands like those following. If what is shown appears correct, click Send. If it is incorrect, click Cancel and retrace the past few steps.
no nat (inside) 1 10.10.0.0 255.255.0.0
clear xlate interface inside local 10.10.0.0 netmask 255.255.0.0
no nat (dmz) 1 172.16.1.0 255.255.255.0
clear xlate interface dmz local 172.16.1.0 netmask 255.255.255.0
Note This command transcript removed the two nat commands, and it cleared associated entries from the translation table. It did not, however, remove the global (outside) 1 interface command. This will be cleaned up in the next section of the lab.