topic Re: NAT Question in Network Security

NAT Question

mistryj — Tue, 12 Mar 2019 01:35:39 GMT

I have a dynamic nat below that allows web traffic from specified networks in group Inside-ext to be nated to a single address below :-

nat (inside,outside) source dynamic Inside-ext obj-10.50.50.1

Is it possible to have multiple dynamic nat for other services like RDP, Citrix etc to be nated different hosts ?

Sent from Cisco Technical Support iPhone App

Re: NAT Question

Jouni Forss — Fri, 26 Apr 2013 19:27:53 GMT

Hi,

I think the Dynamic PAT you configured above applies to any TCP/UDP traffic heading from "inside" to "outside" for the hosts/networks specified under "Inside-ext"

Just to give a couple of examples of how we could do Dynamic PAT to different public IP address depending on the destination service/port

Lets do for example

Own Dynamic PAT for TCP/80 , TCP/443 and TCP/8080
Own Dynamic PAT for TCP/3389

IP address/network information

2 LAN networks
- 10.10.10.0/24
- 10.10.20.0/24
2 Public IP addresses
- 1.1.1.2
- 1.1.1.3

Dynamic PAT Configurations for TCP/80 , TCP/443 and TCP/8080

WEB-PAT-SOURCE = Defines the source addresses/networks for this NAT configuration
PAT-1.1.1.2 = Defines the PAT address to be used
TCP80, TCP443, TCP8080 = Defines the destination TCP ports for which this NAT supposed to apply

object-group network WEB-PAT-SOURCE

network-object 10.10.10.0 255.255.255.0

network-object 10.10.20.0 255.255.255.0

object network PAT-1.1.1.2

host 1.1.1.2

object service TCP80

service tcp destination eq www

object service TCP443

service tcp destination eq 443

object service TCP8080

service tcp destination eq 8080

nat (inside,outside) source dynamic WEB-PAT-SOURCE PAT-1.1.1.2 service TCP80 TCP80

nat (inside,outside) source dynamic WEB-PAT-SOURCE PAT-1.1.1.2 service TCP443 TCP443

nat (inside,outside) source dynamic WEB-PAT-SOURCE PAT-1.1.1.2 service TCP8080 TCP8080

Dynamic PAT for TCP/3389

RDP-PAT-SOURCE = Defines the source addresses/networks for this NAT configuration
PAT-1.1.1.3 = Defines the PAT address to be used
TCP3389 = Defines the destination TCP ports for which this NAT supposed to apply

object-group network RDP-PAT-SOURCE

network-object 10.10.10.0 255.255.255.0

network-object 10.10.20.0 255.255.255.0

object network PAT-1.1.1.3

host 1.1.1.3

object service TCP3389

service tcp destination eq 3389

nat (inside,outside) source dynamic RDP-PAT-SOURCE PAT-1.1.1.3 service TCP3389 TCP3389

Naturally as always, even though these configurations should work, you SHOULD ALWAYS look at the big picture and make sure that these dont break any existing functionality.

Hope this helps Please mark the question as answered if it did or rate helpfull answers

Naturally ask more if needed

- Jouni

Re: NAT Question

j44mistry — Sat, 27 Apr 2013 18:00:37 GMT

Thank you for your reply , I have just one question.

Is there a way to group the udp and tcp ports together in a single group for Citrix service or do I have to list them individually ?

Re: NAT Question

Jouni Forss — Sat, 27 Apr 2013 18:17:11 GMT

Hi,

Seems to me that you cant use "object-group service " type of objects in the new NAT configurations. And as the "object service" can only contain one destination and/or source service port (or range of them etc) means you cant really group them.

It seems to me at its current state you will simply have to use separate NAT statement with its port or range of ports per TCP/UDP if you want to configure this way.

Please remember to mark the question as answered if it did. Or rate helpfull answers

Naturally ask more if you need

- Jouni

NAT Question

j44mistry — Sat, 27 Apr 2013 18:42:01 GMT

Thanks very much for your help on this much appreciated !