topic NAT configuration help. in Network Security

NAT configuration help.

khaled alodat — Tue, 12 Mar 2019 05:49:29 GMT

Hi,

I've three question please.

1- I have one public ip only, any on the outside need to access a server on the inside on port Ex: 5000

i think the command should start : nat ( outside, inside) ....

2- some users online they implemented a similar scenario using the command nat (inside, outside) , what is the difference?

3- when I use unidirectional ? can you please give a real example

Thanks,

Khaled

Khaledq1) it should be "nat

Jon Marshall — Thu, 23 Apr 2015 13:05:42 GMT

Khaled

q1) it should be "nat (inside,outside) .." and not as you think it should

q2) it is all relative to the interfaces on the ASA -

s1 (192.168.10.2) -> (inside - 192.168.10.1) ASA (outside - 193.10.10.1) -> internet -> c1 (195.16.16.1)

if you do a "nat (inside,outside) for S1 to be translated to 193.10.10.1 then that what that means is -

if c1 sends a packet to 193.10.10.1 the destination IP is translated to 192.168.10.2 and if s1 sends a packet to c1 the source IP is translated to 193.10.10.1

if you do a "nat (outside,inside) for c1 to be translated to the inside interface IP of the ASA then -

a packet from c1 to s1 translates the source IP to 192.168.10.1 and a packet from s1 to c1 translates the destination IP from 192.168.10.2 to 195.16.16.1.

so it entirely depends on what you are trying to achieve.

The "nat (inside,outside) ..." type of statement is a lot more common than the "nat (outside,inside) .." type of statement.

q3) with static NAT traffic can be initiated from either side ie. s1 could send the first packet to c1 or c1 could send the first packet to s1 and as long as you allowed that with an acl it would work.

Using the unidirectional keyword limits which direction the traffic can be initiated from.

I have never used it.

Jon

Hi Jon, Thank you for your

khaled alodat — Mon, 27 Apr 2015 09:55:40 GMT

Hi Jon,

Thank you for your help.

could you please help me with the real scenario :

I have one public IP used of overload, which mean a 1 to 1 is not an option for me for in what am trying to do.

We have devices all over the world with mobile sim card for internet ( its like a GPS device) , this device need to connect to a server on the DMZ on port 7000 .

Thanks again for your help.

Khaled

Hi,This you would be able to

Vibhor Amrodia — Mon, 27 Apr 2015 11:13:18 GMT

Hi,

This you would be able to configure using a Static PAT(Port Forward).

This means that you will use only a single port of the public Address and map it to a port of your internal server.

This helps you to use a single public ip for mapping to multiple internal servers on unique ports.

NOTE:- You would only be able to use a unique port every time for the public IP address.

In your requirement:-

object network obj-internalserverip

host <IP address of the internal server>

nat (inside,outside) static <Public IP> service tcp 5000 5000

object network obj-dmzserverip

host <IP address of the dmz server>

nat (dmz,outside) static <Public IP> service tcp 7000 7000

With this open an acl on the Outside interface for the inbound traffic to the server's real IP

For ex:-

access-list <ACL name which is on the outside interface> permit tcp any object obj-internalserverip eq 5000

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,Thank you for your

khaled alodat — Mon, 27 Apr 2015 13:36:51 GMT

Hi Vibhor,

Thank you for your reply .

Could you write the command in one line, i dont want to use object nat.

real source : any (public) ,Real Destination Outsied interface: port 7000 , natted destination : 10.10.10.10 port 7000

i'm a bit confused

Thanks,