Configuring NAT on the Cisco PIX or ASA firewalls.

If you do not want to expose your server's IP address to an external client, you can use Network Address Translation (NAT) to hide it. For example, if your server's IP address is 192.168.0.10, you can publish it to an external client as 10.0.0.10. The reason you would do this is to enhance the security of your server: you want to make the hacker earn their self pride, or whatever it is that motivates them.

There are many ways to achieve this: NAT, VIP, MIP, etc. In this article I will explain NAT (natting) on a Cisco PIX, ASA or router.

First you need to log on to the firewall or router. Enter en (enable) to get into privileged mode; you will then be prompted for the enable password. Enter conf t (configure terminal) to get into global configuration mode. You can now start configuring the network appliance.

Below is what you should see in the running config after you complete the configuration.

static (inside,outside) 172.210.10.10 11.12.13.10 netmask 255.255.255.255 0 0

The above line means that the mapped IP address 172.210.10.10 (on the outside interface) is translated to the real address 11.12.13.10 (on the inside interface); the netmask 255.255.255.255 makes this a one-to-one translation for a single host. Clients on the outside interface connect to resources on 11.12.13.10 by referencing the natted (NAT) IP 172.210.10.10.

You also need to configure an access list (or policy) to allow traffic from the outside interface to flow to the inside interface. The access list then needs to be applied to the outside interface.

access-list Allowed_Traffic permit tcp any host 172.210.10.10 eq www log

The above means that the name of the access list is Allowed_Traffic. It permits TCP traffic from any host to 172.210.10.10, only if the service requested is www (TCP port 80), and logs every match. Note that the access list references the natted address 172.210.10.10, not the server's real address 11.12.13.10.

You then need to apply the access list to the outside interface.

access-group Allowed_Traffic in interface outside
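The three statements above only work as a set: the access-group must name an access list that exists, and each permit entry in that list must point at the mapped address that a static on the outside interface actually publishes. Below is an added Python script (not from the article or from Cisco) that parses those three statement types and reports the mismatches a reviewer would look for. It assumes the pre-8.3 PIX/ASA convention used in the article, where an access list on the outside interface refers to the mapped (NAT) address rather than the server's real one; the two sample configurations inside it are constructed for the example, one matching the article and one with deliberate mistakes.

```python
"""Consistency check for a PIX/ASA (pre-8.3 syntax) static NAT publication.

Added example; parses only the statement types the article uses
(static, access-list, access-group) and reports findings.
"""
import ipaddress

# Constructed sample: the article's three lines, in valid syntax.
GOOD_CONFIG = """\
static (inside,outside) 172.210.10.10 11.12.13.10 netmask 255.255.255.255 0 0
access-list Allowed_Traffic permit tcp any host 172.210.10.10 eq www log
access-group Allowed_Traffic in interface outside
"""

# Constructed sample with mistakes: the first entry permits to the server's
# real (inside) address instead of the mapped one, and the second entry is
# far too broad and is not logged.
BAD_CONFIG = """\
static (inside,outside) 172.210.10.10 11.12.13.10 netmask 255.255.255.255 0 0
access-list Allowed_Traffic permit tcp any host 11.12.13.10 eq www log
access-list Allowed_Traffic permit ip any any
access-group Allowed_Traffic in interface outside
"""


def _endpoint(tok, i):
    """Consume one ACL endpoint at tok[i]: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] == "host":
        # ipaddress raises ValueError for non-addresses such as "host any"
        return ("host", str(ipaddress.ip_address(tok[i + 1]))), i + 2
    net = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)
    return ("net", net), i + 2


def parse_config(text):
    """Return (statics, acls, groups, errors) for the supported statements."""
    statics, acls, groups, errors = [], {}, [], []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        try:
            if tok[0] == "static":
                # static (real_ifc,mapped_ifc) mapped_ip real_ip netmask MASK ...
                real_ifc, mapped_ifc = tok[1].strip("()").split(",")
                statics.append({"real_ifc": real_ifc, "mapped_ifc": mapped_ifc,
                                "mapped_ip": tok[2], "real_ip": tok[3]})
            elif tok[0] == "access-list":
                # access-list NAME permit|deny PROTO SRC DST [eq PORT] [log]
                # (source-port forms are not handled in this example)
                name, action, proto = tok[1], tok[2], tok[3]
                src, i = _endpoint(tok, 4)
                dst, i = _endpoint(tok, i)
                rest = tok[i:]
                port = rest[rest.index("eq") + 1] if "eq" in rest else None
                acls.setdefault(name, []).append({
                    "action": action, "proto": proto, "src": src, "dst": dst,
                    "port": port, "log": "log" in rest, "line": raw})
            elif tok[0] == "access-group":
                # access-group NAME in interface IFC
                groups.append({"name": tok[1], "ifc": tok[4]})
        except (ValueError, IndexError) as exc:
            errors.append(f"cannot parse: {raw} ({exc})")
    return statics, acls, groups, errors


def audit(text):
    """Return a list of findings; an empty list means the publication is consistent."""
    statics, acls, groups, errors = parse_config(text)
    findings = list(errors)
    for g in groups:
        if g["name"] not in acls:
            findings.append(f"access-group references undefined access-list {g['name']}")
            continue
        # On this interface, valid targets are the mapped IPs of statics whose
        # mapped side is the interface (pre-8.3 ACLs use the mapped address).
        on_ifc = [s for s in statics if s["mapped_ifc"] == g["ifc"]]
        mapped = {s["mapped_ip"] for s in on_ifc}
        real = {s["real_ip"]: s["mapped_ip"] for s in on_ifc}
        for e in acls[g["name"]]:
            if e["action"] != "permit":
                continue
            kind, addr = e["dst"]
            if kind == "any":
                findings.append(f"overly broad entry (destination any) on {g['ifc']}: {e['line']}")
            elif kind == "host" and addr in real:
                findings.append(f"entry uses real address {addr}; use the mapped address {real[addr]}: {e['line']}")
            elif kind == "host" and addr not in mapped:
                findings.append(f"no static maps {addr} on interface {g['ifc']}: {e['line']}")
            if e["proto"] == "ip" or (e["proto"] in ("tcp", "udp") and e["port"] is None):
                findings.append(f"entry is not limited to a service port: {e['line']}")
            if not e["log"]:
                findings.append(f"entry is not logged: {e['line']}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Run it as-is to see the two samples compared, or paste the relevant lines of a `show running-config` into `audit()`. The real-address check is the one that matters most with this syntax: an entry permitting to 11.12.13.10 on the outside interface parses fine and looks sensible, but never matches the translated traffic.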

About Andrew Lin

Hi,
I have always wanted to create a blog site but never had the time. I have been working in Information Technology for over 15 years. I specialize mainly in networks and server technologies and dabble a little with the programming aspects.

Andrew Lin


2 Comments on “Configuring NAT on the Cisco PIX or ASA firewalls.”

  1. That depends on what exactly you mean by communication? What services are you trying to publish on the server? You need to open specific access for each service on the server's local firewall.

    Click on Start – Control Panel – Windows Firewall. Go to the Exceptions tab and add the port or program you wish to publish.

  2. Pingback: How do you get client a machine and server to communicate without disabling firewall on server? | Technical Help
