Asa Firewall: Konfigurasi Dynamic Nat
I’m a passionate network system and security enthusiast with a knack for solving complex technical challenges. With extensive experience in troubleshooting and optimizing network infrastructures, I’m dedicated to ensuring systems run smoothly and securely. Through this blog, I share insights, tips, and innovative solutions to help you tackle and overcome network and security issues. Feel free to connect with me on LinkedIn or reach out via email at asrul@solusiber.com.
In this article I configure dynamic NAT on an ASA firewall. Below are the details of the topology I used.

FW1
- Gig1/1 : 103.111.248.1/24
- Gig1/2 : 192.168.1.1/24
- Gig1/3 : 192.168.2.1/24
Server0
- Fa0 : 192.168.1.2/24
PC0
- Fa0 : 192.168.2.2/24
R1
- Fa0/0 : 103.111.248.2/24
- Fa0/1 : 192.168.3.1/24
Laptop0
- Fa0 : 192.168.3.2/24
Basic Config FW1
FW1#show run
: Saved
:
ASA Version 9.6(1)
!
hostname FW1
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 103.111.248.1 255.0.0.0
!
interface GigabitEthernet1/2
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
shutdown
!
!
!
!
!
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
!
!
!
Basic Config R1
R1#show run
Building configuration...
Current configuration : 626 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2811/K9 sn FTX1017V8XO-
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 103.111.248.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Dynamic NAT Configuration
I will create a dynamic NAT for the 192.168.2.0/24 network so that it can ping the outside network. Add a default route, create a network object with the NAT rule, and enable ICMP inspection so that the echo replies are allowed back through the firewall.
FW1(config)#route outside 0.0.0.0 0.0.0.0 103.111.248.2
FW1(config)#object network inside-outside
FW1(config-network-object)#subnet 192.168.2.0 255.255.255.0
FW1(config-network-object)#nat (inside,outside) dynamic interface
FW1(config)#policy-map global_policy
FW1(config-pmap)#class inspection_default
FW1(config-pmap-c)#inspect icmp
Testing
Ping from PC0 to Laptop0 and check on FW1 with the show nat and show xlate commands.

FW1(config)#show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
ICMP PAT from inside:192.168.2.2/21 to outside:103.111.248.1/41910 flags i idle 00:00:03, timeout 0:00:30
FW1(config)#show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside-outside interface
translate_hits = 2, untranslate_hits = 1
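To make the check above repeatable, here is a small Python audit script that parses show xlate and show nat output and confirms each translation is the one the rule nat (inside,outside) dynamic interface on object 192.168.2.0/24 should produce (inside to outside, source in the object subnet, hidden behind the outside interface address, dynamic flag set). This is an added example, not part of the original article or Cisco's tooling. The ICMP PAT line is copied from the output above; the second xlate line and the address 203.0.113.9 are constructed so that one entry fails the check.

```python
"""Audit ASA 'show xlate' / 'show nat' output against the intended dynamic NAT rule.
Example written for this article (not from the original post or Cisco)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values taken from the article's topology and configuration.
INSIDE_SUBNET = ipaddress.ip_network("192.168.2.0/24")
OUTSIDE_IF_IP = ipaddress.ip_address("103.111.248.1")

# Constructed sample: line 3 is the article's real output; line 4 is invented
# (a dmz host translated to an address that is not the outside interface).
SAMPLE_XLATE = """\
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
ICMP PAT from inside:192.168.2.2/21 to outside:103.111.248.1/41910 flags i idle 00:00:03, timeout 0:00:30
TCP PAT from dmz:192.168.1.2/52000 to outside:203.0.113.9/1025 flags ri idle 00:00:10, timeout 0:00:30
"""

# Copied from the article's 'show nat' output.
SAMPLE_NAT = """\
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside-outside interface
    translate_hits = 2, untranslate_hits = 1
"""

# One xlate entry: "<proto> NAT|PAT from <if>:<ip>[/<port>] to <if>:<ip>[/<port>] flags <flags> ..."
XLATE_RE = re.compile(
    r"^(?P<proto>\S+) (?P<kind>NAT|PAT) from (?P<in_if>[\w-]+):(?P<in_ip>[\d.]+)(?:/(?P<in_port>\d+))? "
    r"to (?P<out_if>[\w-]+):(?P<out_ip>[\d.]+)(?:/(?P<out_port>\d+))? flags (?P<flags>\S+)"
)
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


@dataclass
class Xlate:
    proto: str
    kind: str
    in_if: str
    in_ip: ipaddress.IPv4Address
    in_port: Optional[int]
    out_if: str
    out_ip: ipaddress.IPv4Address
    out_port: Optional[int]
    flags: str


def parse_xlate(text: str) -> List[Xlate]:
    """Parse the translation lines; the counter and flag-legend lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Xlate(
            proto=m["proto"], kind=m["kind"],
            in_if=m["in_if"], in_ip=ipaddress.ip_address(m["in_ip"]),
            in_port=int(m["in_port"]) if m["in_port"] else None,
            out_if=m["out_if"], out_ip=ipaddress.ip_address(m["out_ip"]),
            out_port=int(m["out_port"]) if m["out_port"] else None,
            flags=m["flags"],
        ))
    return entries


def matches_rule(x: Xlate) -> bool:
    """True if the entry is what 'nat (inside,outside) dynamic interface' on the
    192.168.2.0/24 object should create: inside->outside, source in the object
    subnet, translated to the outside interface IP, dynamic ('i') and not static."""
    return (x.in_if == "inside" and x.out_if == "outside"
            and x.in_ip in INSIDE_SUBNET
            and x.out_ip == OUTSIDE_IF_IP
            and "i" in x.flags and "s" not in x.flags)


def audit(xlate_text: str) -> Tuple[List[Xlate], List[Xlate]]:
    """Split entries into those explained by the rule and those needing review."""
    entries = parse_xlate(xlate_text)
    expected = [e for e in entries if matches_rule(e)]
    unexpected = [e for e in entries if not matches_rule(e)]
    return expected, unexpected


def nat_hits(nat_text: str) -> List[Tuple[int, int]]:
    """Return (translate_hits, untranslate_hits) per NAT policy in 'show nat'."""
    return [(int(a), int(b)) for a, b in HITS_RE.findall(nat_text)]


if __name__ == "__main__":
    ok, review = audit(SAMPLE_XLATE)
    for e in ok:
        print("OK     ", e)
    for e in review:
        print("REVIEW ", e)
    print("policy hit counters:", nat_hits(SAMPLE_NAT))
```

The audit compares only the translated address, not the mask, which matters here because the show run output above gives the outside interface the mask 255.0.0.0 while the topology lists it as /24; the translation to 103.111.248.1 is correct either way, but the mismatch is worth fixing on the device. An entry that lands in the review list is either another NAT rule doing its job (as with the constructed dmz line) or a translation nobody configured, and both deserve a look.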