topic Re: A basic NAT question in Network Security

A basic NAT question

bindong.shi — Tue, 12 Mar 2019 00:07:53 GMT

I would like to ask a basic NAT question, please find the attached diagram, the firewall has 2 interfaces: Inside and outside. we have a web server hosted inside the firewall offerring web services to Internet users.

The server private IP address is 192.168.1.10 and a Public IP: 2.2.2.2;

The firewall only allow certain IP range from Internet (3.3.3.0/24)to access the server via TCP port 80;

Firewall need to do NAT to translate the 2.2.2.2 to 192.168.1.10

Please find my configuration:

object network InsidePrivateIP

host 192.168.1.10

object network InsidePublicIP

host 2.2.2.2

object network OutsideNetwork

subnet 3.3.3.0 255.255.255.0

nat (outside,inside) source static OutsideNetwork OutsideNetwork destination static InsidePublicIP InsidePrivateIP

I would like to know Whether my (outside, inside) sequence is correct or not, because the server is accepting the incoming HTTP request.

And can I use a simpler way to implement it:

object network InsidePublicIP

host 2.2.2.2

nat (outside,inside) static 192.168.1.10

and create the ACL to allow the traffic:

source IP: 3.3.3.0/24

source port: any

destination IP: 2.2.2.2

destination port:80

thanks in advance, I will rate your reply.

Re: A basic NAT question

Jennifer Halim — Thu, 11 Oct 2012 15:13:29 GMT

Your simpler way is the correct way but it should have been as follows:

object network serverIP

host 192.168.1.10

nat (inside,outside) static 2.2.2.2

access-list outside-acl permit tcp 3.3.3.0 255.255.255.0 object serverIP eq 80

access-group outside-acl in interface outside

Message was edited by: Jennifer Halim

Re: A basic NAT question

bindong.shi — Thu, 11 Oct 2012 15:23:41 GMT

thanks for your prompt reply.

Can you please let me know where is the problem for first configuration?

A basic NAT question

Jennifer Halim — Thu, 11 Oct 2012 15:30:51 GMT

With the first configuration, you still need to configure the access-list as well, as NAT is not enough to restrict traffic from specific subnet.

Also, the format should have been as follows:

nat (inside,outside) source static InsidePrivateIP InsidePublicIP destination static OutsideNetwork OutsideNetwork

Why make it so complicated when you can configure it the simpler way, right?

Re: A basic NAT question

bindong.shi — Thu, 11 Oct 2012 15:39:57 GMT

yes, you are right, the simpler, the better.

andshouldn't be "nat (outside,inside)"? since the traffic is incoming traffic, that is also the part i am confused:

accorrding cisco document, it is "nat (inside,outside)", but when i configure the FW using GUI, I select the source (outside) interface and destinatio interface (inside), the command line is "nat (outside,inside)".

thanks.

Re: A basic NAT question

Jennifer Halim — Thu, 11 Oct 2012 19:59:59 GMT

When you configure NAT translation, normally you look at it from the inside host perspective as that is the source to be NATed and inside has higher security level than outside.

Static NAT statement is bi-directional, so when you configure it with "nat (inside,outside)", it works for the other direction too.