If you do not want to expose your server’s IP address to an external client you can use Network Address Tranalation (NAT) to hide it. For example if your servers IP address is 192.168.0.10 then you can publish it to an external client as 10.0.0.10. The reason you would do this is to enhance the security of your server, you want to make the hacker earn their self pride or whatever it is that motivates them.
There are many ways to achieve this, NAT, VIP, MIP etc. In this article I will explain NAT (natting) on a Cisco PIX, ASA or router.
First you need to log onto the firewall or router. Enter en (enable) to get into the privilege mode, you will then be prompted for the password. Enter Config T to get into the configure terminal mode. You can now start confguring the network appliance.
Below is what your should see in the running config after you complete the configuration.
static (inside,outside) 172.210.10.10 11.12.13.10 netmask 255.255.255.255 0 0
The above line means that the IP address 172.210.10.10 (outside interface) is mapped to 11.12.13.10 (inside interface). Clients in the outside interface will connect to resources on 11.12.13.10 by referencing the natted (NAT) IP 172.210.10.10.
You also need to configure the access list or policy to allow traffic from the outside interface to flow into the inside interface. The access list then needs to be applied to the outside intefrace.
access-list Allowed_Traffic permit tcp host any host 172.210.10.10 eq www log
The above means that the name of the access list is Allowed_Traffic. Permit TCP traffic from any host to 172.210.10.10, only allow if service request is for www (TCP port 80), and log all traffic.
You then need to apply the access list to the outside interface.
access-group Allowed_Traffic in interface outside
2 comments for “Configuring NAT on the Cisco PIX or ASA firewalls.”