Basic ASA NAT Configuration: Webserver in the DMZ in ASA Version 8.3 and later

Примерна топология

В топологията вътрешната LAN мрежа (inside), която е свързана към ASA0 използва IPv4 адреси 10.0.0.0/8.

Мрежата между ASA0 (модел 5505) и RBB използва IPv4 адреси 194.141.69.0/24.

Към RBB е свързана и мрежа 8.0.0.0/8.

Базова конфигурация на ASA0

Интерфейси

enable
configure terminal

interface vlan 1
nameif inside
ip address 10.0.0.1 255.0.0.0

interface vlan 2
nameif outside
ip address 194.141.69.1 255.255.255.0

interface ethernet0/0
switchport access vlan 2

DHCP за мрежа 10.0.0.0 (опционално)

enable
configure terminal 

dhcpd address 10.0.0.2-10.0.0.100 inside 
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside

Път по подразбиране (default route) на ASA0

enable
configure terminal

route outside 0.0.0.0 0.0.0.0 194.141.69.2

NAT (PAT) на ASA0

enable
configure terminal

object network INSIDE_NET
subnet 10.0.0.0 255.0.0.0
nat (inside,outside) dynamic interface

Разрешаване на изходящ трафик от ASA0 (за проверка на NAT)

enable
configure terminal

access-list PERMIT_TCP permit tcp any any
access-group PERMIT_TCP out interface outside
access-group PERMIT_TCP in interface outside

Ctrl+C/Ctrl+V

ASA

enable
configure terminal
interface vlan 1
nameif inside
ip address 10.0.0.1 255.0.0.0
interface vlan 2
nameif outside
ip address 194.141.69.1 255.255.255.0
interface ethernet0/0
switchport access vlan 2
exit
dhcpd address 10.0.0.2-10.0.0.100 inside 
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
route outside 0.0.0.0 0.0.0.0 194.141.69.2
access-list PERMIT_TCP permit tcp any any
access-group PERMIT_TCP out interface outside
access-group PERMIT_TCP in interface outside
object network INSIDE_NET
subnet 10.0.0.0 255.0.0.0
nat (inside,outside) dynamic interface
end

RBB

enable
configure terminal
hostname R1
interface FastEthernet0/0
ip address 194.141.69.2 255.255.255.0
no shut
interface FastEthernet0/1
ip address 8.0.0.1 255.0.0.0
no shut
end