topic Re: Static PAT using Auto-NAT vs. Manual-NAT in Network Security

Static PAT using Auto-NAT vs. Manual-NAT

whistleblower14 — Fri, 21 Feb 2020 16:58:28 GMT

Hi to all,

on the basis of a re-certification I am dealing with the NAT topic more intensively the last few days and I`d like to ask the following question. I want to implement the following static PAT for Telnet Access from external to Outside-IP: 200.200.200.200 (Inside-IP Server01 = 192.168.1.4)

because in object NAT (Auto-NAT) only a single NAT statement can be used per object. I'd have to create an object for each port to be forwarded - it is for the same internal host, so i'd like to know if I can accomplish that task with the respective configurations and if there are any advantages or disadvantages between them...

(1)

object network obj-host-200.200.200.200_TCP-23

host 200.200.200.200

object network obj-host-200.200.200.200_TCP-2323

host 200.200.200.200

object network obj-host-192.168.1.4_TCP-23

host 192.168.1.4

nat (inside,outside) static obj-host-200.200.200.200_TCP-23 service tcp 23 23

object network obj-host-192.168.1.4_TCP-2323

host 192.168.1.4

nat (inside,outside) static obj-host-200.200.200.200_TCP-2323 service tcp 2323 23

or maybe this works also?

object network obj-host-200.200.200.200

host 200.200.200.200

object network obj-host-192.168.1.4_TCP-23

host 192.168.1.4

nat (inside,outside) static obj-host-200.200.200.200 service tcp 23 23

object network obj-host-192.168.1.4_TCP-2323

host 192.168.1.4

nat (inside,outside) static obj-host-200.200.200.200 service tcp 2323 23

versus

(2)

object service TCP-23

service tcp destination eq 23

object service TCP-2323

service tcp destination eq 2323

object network obj-host-192.168.1.4

host 192.168.1.4

object network obj-host-200.200.200.200

host 200.200.200.200

nat (outside,inside) source static any any destination static obj-host-200.200.200.200 obj-host-192.168.1.4 service TCP-23 TCP-23

nat (outside,inside) source static any any destination static obj-host-200.200.200.200 obj-host-192.168.1.4 service TCP-2323 TCP-23

Re: Static PAT using Auto-NAT vs. Manual-NAT

Marius Gunnerud — Sat, 23 Mar 2019 15:17:05 GMT

The main difference between manual NAT and after-auto manual NAT versus object NAT is the way NAT statements are matched. In manual NAT and after-auto manual NAT statements are matched in a top down fashion, while in object NAT, NAT statements are matched on the longest prefix match.

As for your configuration examples. I am not sure why you are creating two objectes for both 200.200.200.200 and 192.168.1.4. the object just needs to be created once and then you can reuse them in several NAT statements if wanted. But your configuration look correct.

Your manual NAT statement, here I disagree with using outside NAT statements unless there is a very good reason for doing so. Your NAT statements should be sourced from inside to outside. If you have configured outside NAT incorrectly you could also see some unexpected behavior depending on how you network is set up.

Re: Static PAT using Auto-NAT vs. Manual-NAT

whistleblower14 — Sat, 30 Mar 2019 06:11:16 GMT

Hi @Marius Gunnerud ,

first of all - thank you for responding to my questions!

of course the first statement according the two objectes for both 200.200.200.200 and 192.168.1.4 would`t be necessary but for the second one (see as follows), the Object NAT-PAT (200.200.200.200 is pointing back with two different TCP/Ports it is, or not?

object network obj-host-192.168.1.4_TCP-23
host 192.168.1.4
nat (inside,outside) static obj-host-200.200.200.200 service tcp 23 23
!
object network obj-host-192.168.1.4_TCP-2323
host 192.168.1.4
nat (inside,outside) static obj-host-200.200.200.200 service tcp 2323 23

about the Manual-NAT... is there any official Cisco recommendation for doing only NAT sourced from inside->outside or is this your personal experience? Maybe you can point me out some unexpected behaviors from your Knowledge which could be caused?