Step 1: Setting up hostname
ciscoasa(config)# hostname XYZ01
XYZ01(config)#
Step 2: Configuring IP addresses on the interfaces
XYZ01(config)# interface ethernet 0/0
XYZ01(config-if)# nameif inside
XYZ01(config-if)# security-level 100
XYZ01(config-if)# ip address 192.168.1.1 255.255.255.0
XYZ01(config-if)# no shut
XYZ01(config)# interface ethernet 0/1
XYZ01(config-if)# nameif outside
XYZ01(config-if)# security-level 0
XYZ01(config-if)# ip address 10.1.1.1 255.255.255.252
XYZ01(config-if)# no shut
Step 3: Verifying Interfaces
XYZ01# show interface ip brief
Interface      IP-Address      OK? Method Status                Protocol
Ethernet0/0    192.168.1.1     YES manual up                    up
Ethernet0/1    10.1.1.1        YES manual up                    up
Ethernet0/2    unassigned      YES unset  administratively down up
Ethernet0/3    unassigned      YES CONFIG administratively down up
Ethernet0/4    unassigned      YES unset  administratively down down
Ethernet0/5    unassigned      YES unset  administratively down down
Step 4: Verifying outside connectivity
XYZ01# ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/164/360 ms
Step 5: Configuring NAT
This setting defines which IPs should be able to access the internet. Usually it is your complete internal IP range, but in our scenario we are using only one subnet range, and we want to allow it to access the internet.
XYZ01(config)# nat (inside) 1 192.168.1.0 255.255.255.0
Notice the command syntax, specifically the 1: this NAT ID always maps to a global command. When we configure global, we say that NAT ID 1 is to be mapped to that global command. This makes more sense when you have multiple NAT IDs, which then gives us the flexibility to use different public IP addresses for different NAT IDs using the global command.
XYZ01(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
Notice that in the global command, instead of mapping to a public IP address, we used the keyword interface, which starts doing Port Address Translation (PAT) instead of NAT, because we have a number of private IP addresses that need to access the internet.
Step 6: Verifying NAT Configuration
XYZ01# sho running-config nat
nat (inside) 1 192.168.1.0 255.255.255.0
XYZ01# sho running-config global
global (outside) 1 interface
Step 7: Configuring default route
XYZ01(config)# route outside 0 0 10.1.1.2
Notice 0 0 = 0.0.0.0 0.0.0.0 = Match All
Step 8: Check your connectivity with the internet
XYZ01# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/110/130 ms
I will be trying to do the same using ASDM sometime later in the week.
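The NAT ID pairing from Steps 5 and 6 can be checked offline against saved `show running-config nat` and `show running-config global` output. The script below is an added example, not part of the original post: it pairs `nat` and `global` statements by NAT ID and reports any ID that has only one of the two. The sample input is constructed (NAT IDs 2 and 3 and their addresses are hypothetical), and only the plain address/mask form of `nat` is handled.

```python
import ipaddress
import re

# Constructed sample: the Step 6 lines plus hypothetical NAT IDs 2 and 3.
SAMPLE_CONFIG = """\
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 2 192.168.2.0 255.255.255.0
global (outside) 1 interface
global (outside) 3 203.0.113.10
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")


def to_network(addr, mask):
    """Expand the '0' shorthand (0 = 0.0.0.0) and return an IPv4 network."""
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def audit(config):
    """Pair nat and global statements by NAT ID and report each ID's state."""
    nats, globals_ = {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := NAT_RE.match(line):
            ifname, nat_id, addr, mask = m.groups()
            # NAT ID 0 and access-list forms are out of scope for this check.
            if nat_id != "0" and addr != "access-list":
                nats.setdefault(nat_id, []).append((ifname, to_network(addr, mask)))
        elif m := GLOBAL_RE.match(line):
            ifname, nat_id, target = m.groups()
            globals_.setdefault(nat_id, []).append((ifname, target))
    findings = []
    for nat_id in sorted(nats.keys() | globals_.keys(), key=int):
        if nat_id not in globals_:
            findings.append(f"nat id {nat_id}: nat without matching global")
        elif nat_id not in nats:
            findings.append(f"nat id {nat_id}: global without matching nat")
        else:
            for src_if, net in nats[nat_id]:
                for dst_if, target in globals_[nat_id]:
                    how = "PAT on interface address" if target == "interface" else target
                    findings.append(f"nat id {nat_id}: {src_if} {net} -> {dst_if} {how}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```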
VERY NICE