https://community.cisco.com/t5/network-security/understanding-difference-between-these-two-nat-statements/m-p/3999149#M935328 <P>Hi Marvin,</P><P>Thanks for confirming.</P> Sun, 15 Dec 2019 23:09:26 GMT Madura Malwatte 2019-12-15T23:09:26Z https://community.cisco.com/t5/network-security/understanding-difference-between-these-two-nat-statements/m-p/3956877#M935324 <P>I am just trying to understand the difference between the below two&nbsp; NAT statements. As far as I can tell both seem identical?</P><P>Number 1. allows any outside ip to hit&nbsp; the public ip of FTD 104.4.4.4 on port 80 which gets translated to destination of web_server port 80.</P><P>Number 2. translates the web_server port 80 to public 104.4.4.4 port 80. so anyone from outside can hit 104.4.4.4 and access the web-server.&nbsp;&nbsp;</P><P>What's the difference between these two, am I missing something?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2019-11-12 at 2.02.28 am.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/49193iE3405B46A348288E/image-size/large?v=v2&amp;px=999" role="button" title="Screen Shot 2019-11-12 at 2.02.28 am.jpg" alt="Screen Shot 2019-11-12 at 2.02.28 am.jpg" /></span></P> Fri, 21 Feb 2020 17:41:21 GMT https://community.cisco.com/t5/network-security/understanding-difference-between-these-two-nat-statements/m-p/3956877#M935324 Madura Malwatte 2020-02-21T17:41:21Z https://community.cisco.com/t5/network-security/understanding-difference-between-these-two-nat-statements/m-p/3956956#M935325 <P>Neither one is the recommended configuration.</P> <P>In the first case the logic is "outside,inside". You have both an original service and http application specified. In the second case, the logic is "inside,outside" but it specifies the service as only tcp/80. So if the web server as trying to reach the Internet for any other services it would not hit the NAT rule and would instead use whatever global NAT (if any) you have configured.</P> <P>Recommended would be to have an "inside,outside" NAT rule (ideally using a DMZ and not the whole inside network to limit exposure). Combine that with an Access Control Policy entry allowing the incoming traffic via http application only.</P> <P>&nbsp;</P> Tue, 12 Nov 2019 03:07:21 GMT https://community.cisco.com/t5/network-security/understanding-difference-between-these-two-nat-statements/m-p/3956956#M935325 Marvin Rhoads 2019-11-12T03:07:21Z https://community.cisco.com/t5/network-security/understanding-difference-between-these-two-nat-statements/m-p/3997497#M935326 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/326046">@Marvin Rhoads</a>&nbsp;, thanks for the response. This was just an example and understood about the best practice to&nbsp; NAT from the dmz.</P><P>However in terms of the two NAT statements, is there a recommended way to configure it - "outside,dmz" or "dmz,outside" if we are trying to reach a web service in the dmz from public?</P><P>Refer to the image, I see no difference in the what these NAT statements will do, but which way is the recommended way to configure? I will have ACP rules to only permit public access to dmz server on http.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nat test.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/63256i6A2AFEEBADB644AA/image-size/large?v=v2&amp;px=999" role="button" title="nat test.jpg" alt="nat test.jpg" /></span></P> Wed, 11 Dec 2019 22:28:01 GMT https://community.cisco.com/t5/network-security/understanding-difference-between-these-two-nat-statements/m-p/3997497#M935326 Madura Malwatte 2019-12-11T22:28:01Z https://community.cisco.com/t5/network-security/understanding-difference-between-these-two-nat-statements/m-p/3998265#M935327 <P>"dmz,outside" would be the recommended method and they way I have used and seen used on 99% of the hundreds of ASA and FTD deployments I've done.</P> Fri, 13 Dec 2019 02:46:01 GMT https://community.cisco.com/t5/network-security/understanding-difference-between-these-two-nat-statements/m-p/3998265#M935327 Marvin Rhoads 2019-12-13T02:46:01Z https://community.cisco.com/t5/network-security/understanding-difference-between-these-two-nat-statements/m-p/3999149#M935328 <P>Hi Marvin,</P><P>Thanks for confirming.</P> Sun, 15 Dec 2019 23:09:26 GMT https://community.cisco.com/t5/network-security/understanding-difference-between-these-two-nat-statements/m-p/3999149#M935328 Madura Malwatte 2019-12-15T23:09:26Z