topic Re: Outside Static Nat in Network Security

Outside Static Nat

jack samuel — Mon, 11 Mar 2019 21:42:14 GMT

i have thought many times about outside Nat but i m confused when will be such situation that we will require outside NAT.Can anybody give me best example of real Network, and explain me the traffic flow i have read in book but still it is not clear.
In FWSM interface with higher security level when access to lower security level we only need access-list, NAT is not reqiured, Is it i m on the correct path???? or this is misunderstood.

Thanks

Re: Outside Static Nat

Jon Marshall — Tue, 25 Oct 2011 20:53:25 GMT

Jack

An example of where i have used static NAT. We had a lab setup conected to our prod network with a firewall ie.

prod network -> (inside interface) pix (outside interface) -> lab

so the pix was there to protect the prod network from the lab. In the lab we had 172.16.x.x addressing but our prod network used 10.228.x.x addressing and we didn't want to add 172.16.x.x addresses to our routing tables in prod. So we did this on the pix -

static (outside,inside) 10.228.56.10 172.16.10.1 netmask 255.255.255.255

then we could connect to 10.228.56.10 from prod and it was translated to 172.16.10.1 in the lab.

Basically what you are doing this command is you are translating the destination IP as you go from the inside to outside interfaces of the pix. Compare this with a normal static (inside,outside).. command ie.

static (inside,outside) 10.228.56.10 172.16.10.1 netmask 255.255.255.255 means -

1) a packet coming from the inside of the pix with a source IP of 172.16.10.1 will be translated to 10.228.56.10

2) a packet coming from the outside of the pix with a destination IP of 10.228.56.10 will be translated to 172.16.10.1

static (outside,inside) 10.228.56.10 172.16.10.1 netmask 255.255.255.255. means -

1) a packet coming from the inside with a destination of 10.228.56.10 will be translated to 172.16.10.1

2) a packet coming from the outside with a source IP of 172.16.10.1 will be translated to 10.228.56.10

With the FWSM you do indeed need an acl from higher to lower which is different from the standalone pix/ASA devices.

Whether or not you need NAT depends. If you have nat-control turned off then you do not need NAT. If it is turned on then if i remember correctly you do need it.

Jon

Re: Outside Static Nat

jack samuel — Thu, 27 Oct 2011 20:03:08 GMT

Thanks Jon

U have explained very well .

For FWSM i have 50 interface vlan's so to managed them by Nat it is very difficult so we have disable nat-control but on 2 interface i m using NAT

int vlan 2

ip add 10.10.2.254 255.255.255.0

nameif vlan2

security-level 90

int vlan 3

ip add 10.10.3.254 255.255.255.0

nameif vlan3

security-level 25

nat (vlan3,vlan2) 10.10.2.2 10.10.3.2 netmask 255.255.255.255

Can you explain me what's the above command doing, please have a look on security-level.

Thanks

Re: Outside Static Nat

Jon Marshall — Thu, 27 Oct 2011 22:46:51 GMT

nat (vlan3,vlan2) 10.10.2.2 10.10.3.2 netmask 255.255.255.255

Can you explain me what's the above command doing, please have a look on security-level

Not entirely sure. Is that the whole NAT config ie. shouldn;t that be -

static (vlan3, vlan2) 10.10.2.2 10.10.3.2 netmask 255.255.255.255

or if it is nat and not static at the beginning is there any other config to go with it ?

Jon

Re: Outside Static Nat

jack samuel — Thu, 27 Oct 2011 23:09:18 GMT

Hello dear,

i m absolutely sorry, I missed static word

it is

static (vlan3, vlan2) 10.10.2.2 10.10.3.2 netmask 255.255.255.255

pls have a look at security level for both the vlans in the above mail.

In the Below scenario what will be static Nat statements if i want to use a lower-security level first such as ( outside,inside) and PCB wants to access PCA. I know that by static (inside,outside) will work becz traffic is bidirectional but purposely i want to use (outside inside)

PC-A---------inside----------outside-----------------------PCB

Outside Static Nat

Jon Marshall — Thu, 27 Oct 2011 23:16:56 GMT

Well it doesn't make a lot of sense.

Basically, as far as i can tell, it says -

from vlan 3 if you connect to the destination IP 10.10.2.2 then translate to 10.10.3.2

Jon

Re: Outside Static Nat

jack samuel — Thu, 27 Oct 2011 23:21:35 GMT

Hello jon,

PC-A ip is 172.16.10.1

PC-B ip is 172.16.5.1

PC-A---------inside----------outside-----------------------PCB

172.16.10.1

Outside Static Nat

Jon Marshall — Thu, 27 Oct 2011 23:37:44 GMT

You don't use it like this.

If you want to present a device on a higher level interface to a lower level interface you use static (inside,outside). So that's what you would use in the above case.

you would simply do -

static (inside,outside) x.x.x.x 172.16.10.1 netmask 255.255.255.255

where x.x.x.x is the address you want to present to PCB.

You can't just simply decide to use a static (outside,inside) ... statement instead as it is used for a different purpose.

Jon

Re: Outside Static Nat

jack samuel — Thu, 27 Oct 2011 23:47:24 GMT

Well Dear

Please be pateints with me and i appreciate ur help. i will tell u the fact.

Below configs are on the FWSM, the real ip is 10.10.3.2 and the virtual IP is 10.10.2.2,. what i m understanding from the below static command is that the real IP 10.10.3.2 (vlan 3) when comes in FWSM to access vlan 2 it will be translated to 10.10.2.2 and the users in vlan 2 will see the packet is from 10.10.2.2,

Is it i m on the correct path?????????????????????????????????????????????

int vlan 2

ip add 10.10.2.254 255.255.255.0

nameif vlan2

security-level 90

int vlan 3

ip add 10.10.3.254 255.255.255.0

nameif vlan3

security-level 25

static (vlan3,vlan2) 10.10.2.2 10.10.3.2 netmask 255.255.255.255

Outside Static Nat

Maykol Rojas — Fri, 28 Oct 2011 04:21:35 GMT

Correct,

I always teach this kind of the statics the same way, what you need to see is the following:

(Real,mapped) Mapped Real

The concept is exactly the same, what changes is the name only, (Outside Nat, Destination Nat etc etc) They are configured the same.

Mike

Re: Outside Static Nat

Jon Marshall — Fri, 28 Oct 2011 12:04:26 GMT

Jack

static (outside,inside) 10.228.56.10 172.16.10.1 netmask 255.255.255.255. means -

1) a packet coming from the inside with a destination of 10.228.56.3 will be translated to 172.16.10.1

2) a packet coming from the outside with a source IP of 172.16.10.1 will be translated to 10.228.56.3

seems i can't even read my own posts

static (vlan3,vlan2) 10.10.2.2 10.10.3.2 netmask 255.255.255.255

ie. a packet coming from vlan3 with a source IP of 10.10.3.2 will be translated to 10.10.2.2 on vlan 2 just as you say.

Sincere apologies for the confusion and many thanks to Mike for clarifying things.

Jon

Re: Outside Static Nat

jack samuel — Sat, 29 Oct 2011 08:22:36 GMT

Hello Dears,

I want to use static (outside,inside) for the 2 scenarios of the diagram.Can you tell me what will be the static command and is it static (outside,inside) command will be applicable on both the secnarios.

Please guide me,

jon,

I hope it is a typo mistake,instead of 10.228.56.3 it should be 10.228.56.10

static (outside,inside) 10.228.56.10 172.16.10.1 netmask 255.255.255.255. means -

1) a packet coming from the inside with a destination of 10.228.56.3 will be translated to 172.16.10.1

2) a packet coming from the outside with a source IP of 172.16.10.1 will be translated to 10.228.56.3

Re: Outside Static Nat

vipinrajrc — Sat, 29 Oct 2011 08:40:24 GMT

Hi jack,

If you want to create a static NAT from internal to internet you should use static(inside,outside).

Here also you can use the same.

Here in both scenario internet facing device is ASA/PIX. so you can use static(inside,outside).

In first scenaio you need to create route in ASA to reach the PC(1.1.1.0) as route inside............ command

then you can create static NAT in the ASA using static(inside,outside) command.

HTH

Re: Outside Static Nat

jack samuel — Sat, 29 Oct 2011 08:52:56 GMT

Hello Dear,

I know that i can reach through static (inside,outside) but i want to use static ( outside,inside) . On which scenario outside inside is possible, if PC-B want to reach PC-A

Just wanted to be more clear for static (oustside,inside). JON explained me very well but posting this scenario i want to get answers that are matching to my thoughts or not.

Please specify the static commands with proper PC ip addresses if applicable on the secnarios.

Thanks.

Outside Static Nat

Jon Marshall — Sat, 29 Oct 2011 13:41:28 GMT

Yes, it's a typo, it should be 10.228.56.10.

Sorry for any confusion.

Jon

Re: Outside Static Nat

Jon Marshall — Sat, 29 Oct 2011 14:02:12 GMT

edited for spacing

Re: Outside Static Nat

Jon Marshall — Sat, 29 Oct 2011 14:06:03 GMT

Jack

I know that i can reach through static (inside,outside) but i want to use static ( outside,inside) . On which scenario outside inside is possible, if PC-B want to reach PC-A

You use the static that is applicable. If you want PCB on the outside to be able to access PCA on the inside then you use a static (inside,outside) command. If you want to use a static (outside,inside) then you are not using the right command.

And they do different things. I gave you an example of when the (outside,inside) would be used but that doesn't really apply to your scenario. Your original question asked when it would be applicable to use a static (outside,inside) and in the scenario from your .jpg you wouldn't use it.

A scenario where you would use a static (outside,inside) would be -

PCA = 10.10.10.1

PCB = 172.16.10.1

you want PCA to be able to connect to PCB but using the IP address 10.10.10.10

static (outside,inside) 10.10.10.10 172.16.10.1 netmask 255.255.255.255

Jon

Re: Outside Static Nat

jack samuel — Sat, 29 Oct 2011 20:36:02 GMT

Jon,

U are the expert i have seen many replied post of yours,My concept is still not clear,pls do not leave the post in between and be patients with me.

what is the difference in my previous mail Diagram -2 and the example i gave for vlan 2 and vlan 3?????? yourself and mike told me that what i m thinking is correct for vlan translation that same concept i m applying on Diagram -2 of previous mail then why i m wrong.i m thinking vlan 3 as outside and vlan 2 as inside. Is it my previous mail Diagram-2 applicable for static (outside,inside).

In ur previous mail u gave me the below example

PCA = 10.10.10.1

PCB = 172.16.10.1

you want PCA to be able to connect to PCB but using the IP address 10.10.10.10

static (outside,inside) 10.10.10.10 172.16.10.1 netmask 255.255.255.255

I hope the diagram assumptions are same as below, if not please correct ,and explain me the traffic flow.and how the translation will happen.

PC-A IP Address: 10.10.10.1

Inside Virtual IP Address:10.10.10.10

outside PC-B real IP Address: 172.16.10.1

PCA connected to internal network and not directly to ASA

PCA---Core Sw----Inside (PIX) outside-------PC-B

I appreciate you for replying my mails and trying to make me understand.

Thanks