An important change in the latest Cisco ASA version, 8.3: NAT handling.
Farewell to command lines such as:
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.1 smtp netmask 255.255.255.255
Make way for network objects. For example, for a dynamic NAT:
object network ******
nat (inside,outside) dynamic interface
or for opening a service:
hostname(config)# object network my-ftp-server
hostname(config-network-object)# host 1.1.1.1
hostname(config-network-object)# nat (inside,outside) static interface service tcp 21 21
A bit disorienting when you first discover how it works; then, is it better? Too early to say, this was my first experience.
Be careful when opening HTTPS for a webmail, for example:
hostname(config)# object network my-webmail-server
hostname(config-network-object)# host 1.1.1.1
hostname(config-network-object)# nat (inside,outside) static interface service tcp https https
You will systematically get the error:
unable to reserve port 443 for static PAT
The reason is that ASDM access is possible from the WAN interface, so that access must be removed.
Other examples (from the Cisco site):
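As an added example (not part of the original post), here is what the conflict looks like on the box and how removing WAN-side ASDM access clears it. The `http 0.0.0.0 0.0.0.0 outside` line and the inside management network are assumed values chosen for the illustration:

```cisco
! Added example: the "unable to reserve port 443 for static PAT" conflict.
! First, see which networks may reach ASDM, and on which interface.
hostname# show running-config http
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
! The last line is the assumed culprit: ASDM listens on TCP/443 of the outside
! interface, so "static interface service tcp https https" cannot claim that port.
! Remove management access from the WAN side; ASDM stays reachable from inside.
hostname(config)# no http 0.0.0.0 0.0.0.0 outside
! The static PAT for the webmail server is now accepted.
hostname(config)# object network my-webmail-server
hostname(config-network-object)# host 1.1.1.1
hostname(config-network-object)# nat (inside,outside) static interface service tcp https https
```

Dropping the `outside` entry also removes a management interface from the internet-facing side, which is the exposure you want to avoid anyway.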
Create a network object.
Within this object define the Real IP/Network to be translated.
Also within this object you can use the nat commands to specify whether the translation will be dynamic or static.
Here are some examples on how to configure nat.
Configuring Dynamic NAT
The following example configures dynamic NAT that hides 192.168.2.0
network behind a range of outside addresses 12.166.123.1-12.166.123.10:
hostname(config)# object network my-range-obj
hostname(config-network-object)# range 12.166.123.1 12.166.123.10
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj
Dynamic PAT (Hide NAT)
The following example configures dynamic PAT that hides the 192.168.2.0 network behind address 12.166.123.2:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 12.166.123.2
The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic interface
Configuring Static NAT or Static NAT with Port Translation
The following example configures static NAT for the real host 1.1.1.1 on
the inside to 12.166.123.2 on the outside with DNS rewrite enabled.
hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 1.1.1.1
hostname(config-network-object)# nat (inside,outside) static 12.166.123.2 dns
The following example configures static NAT for the real host 1.1.1.1 on
the inside to 12.166.123.2 on the outside using a mapped object.
hostname(config)# object network my-mapped-obj
hostname(config-network-object)# host 12.166.123.2
hostname(config-network-object)# object network my-host-obj1
hostname(config-network-object)# host 1.1.1.1
hostname(config-network-object)# nat (inside,outside) static my-mapped-obj
The following example configures static NAT with port translation for
1.1.1.1 at TCP port 21 to the outside interface at port 2121.