topic Re: static (outside , inside) in Network Security

static (outside , inside)

Ganesan Palaniappan — Tue, 12 Mar 2019 00:57:29 GMT

Hi All,

I want to achieve the below scenario with static NAT.

1. I have a firewall which is having two legs ( inside and outside). As usual inside security is 100 and outside is 0.

We have done a PAT for all the inside networks to access the outside network. Now the requirement is i have server in outside network which should be accessed by the inside network with a help inside ip address itself ( mapping the server to a free inside ip address and all the inside hosts will connect to the inside ip which intun communicates the outside ip address)

We tried to achieve the above using static (outside,inside ) command , but somewhat we are unable to communicate.

We created ACL as permint ip any any and applied on the both the interface. Proper route has been added in the Firewall to the ouside network and also we added route in the Outside network L3 Switch for the firewall inside network.

Please help us !!!

Attached a sample diagram ...

Regards,

Gan.

static (outside , inside)

Jouni Forss — Thu, 07 Feb 2013 18:07:01 GMT

Hi,

So is the Firewall actually connected to Internet on the "outside" since you say that you have routed the "inside" network on the L3 switch behind the "outside" interface of the firewall?

If the "outside" side router really has a route to the "inside" network then I would try out this Policy NAT configurations

access-list SERVER-POLICY-NAT permit ip host 172.10.10.5 10.10.10.0 255.255.255.0

static (outside,inside) access-list SERVER-POLICY-NAT

Not sure if it will work though...

- Jouni

Re: static (outside , inside)

Ganesan Palaniappan — Sat, 09 Feb 2013 05:46:09 GMT

Hi,

I tried the above configuration, but it's not working...For your information please find the xlate entry

When i trying to reach one of the server from outside network ( 172.10.10.10) to inside network ( 10.10.10.183)

TCP outside (172.10.10.10):4405 inside 10.10.10.183:3389, idle 0:00:41, bytes 0, flags SaAB

The Inside NAT IP is 10.10.10.10

Regards,

Gan

static (outside , inside)

Jennifer Halim — Sat, 09 Feb 2013 06:22:18 GMT

To initiate a connection from the outside to inside, firstly you would need a static NAT statement for your inside host.

So if the inside host is 10.10.10.183, this host needs to be statically NATed first (dynamic PAT won't work because that only works for outbound connection).

So static NAT for the inside host as follows:

If you don't want to NAT, then:

static (inside,outside) 10.10.10.183 10.10.10.183 netmask 255.255.255.255

If you want to NAT, then:

static (inside,outside) x.x.x.x 10.10.10.183 netmask 255.255.255.255

Then to actually NAT the outside host to an inside address:

static (outside,inside) 10.10.10.10 172.10.10.10 netmask 255.255.255.255

Then "clear xlate" and test it.

Hope that helps.