topic Re: static NAT query in Network Security

static NAT query

mikedelafield — Mon, 11 Mar 2019 12:30:20 GMT

i have a query about the static NAT command.

if the command static (outside,inside) is entered i believe this is a reverse of the static (inside, outside); in other words the source is changed to whatever is specified in the command.

on this basis the following commands would be incorrect for port forwarding;

static (inside,outside) 209.165.202.135 10.100.1.2 mask 255.255.255.255

static (outside,inside) 10.100.1.2 209.165.202.135 mask 255.255.255.255

i assume the above would cause an IP conflict as 10.100.1.2 would be both a host on the internal network and a NAT IP address present on the firewall.

this brings me to my question.... how can you NAT your outbound email out on one address; ie mail server internal address is 10.101.1.1 and should be NAT'ed out to 213.44.32.161, but have any inbound email to 213.44.32.161 forwarding to a different email server on 10.101.1.2?

i am not sure how to do this using static NAT commands on Cisco as it seems the static(inside,outside) command creates a one 2 one mapping only?

please help

Re: static NAT query

sundar.palaniappan — Sun, 13 Apr 2008 00:05:27 GMT

Mike,

I am afraid you can't setup NAT to translate two inside hosts to use the same global address for the same ports. I assume both inside hosts use SMTP, one inbound and one outbound.

HTH

Sundar

Re: static NAT query

pengfang — Sun, 13 Apr 2008 20:20:46 GMT

Hi Mike,

static (outside,inside) is not a simply reverse of the static (inside,outside). One of the most popular usage is to hide a internal private IP with a public IP from Internet, which is like your first command "static(inside,outside) 209.165.202.135 10.100.1.2 mask 255.255.255.255"

Your second command is used in such a rare scenario:

You want to hide an destination IP 209.165.202.135 from inside users by giving them the IP 10.100.1.2.When traffic leaving outside interface, destination IP will be translated from 10.100.1.2 to 209.165.202.135.

To answer your second question, it can be achieved by policy nat/pat. There could be multiple combinations, I give you 2 examples.The codes not been verified, please test it if you plan to put it in production.

1. static PAT + policy PAT

access-list smtp_outbound permit tcp host 10.101.1.1 any eq smtp

nat (inside) 2 access-list smtp_outbound

global (outside) 2 213.44.32.161

static (inside,outside) tcp 213.44.32.161 smtp 10.101.1.2 smtp netmask 255.255.255.255

2. policy static PAT

access-list smtp_outbound permit tcp host 10.101.1.1 any eq smtp

access-list smtp_inbound permit tcp host 10.101.1.2 eq smtp any

static (inside,outside) 213.44.32.161 access-list smtp_outbound

staitc (inside,outside) 213.44.32.161 access-list smtp_inbound

Re: static NAT query

mikedelafield — Mon, 14 Apr 2008 07:14:49 GMT

thanks thats excellent.

i was certain this was achievable our my old Checkpoint box. By translating the destination...

Ah well

Re: static NAT query

mikedelafield — Mon, 14 Apr 2008 10:44:57 GMT

i have just checked and currently on our firewall (which i did not configure) we have the following 2 sets of static NAT statements

static (inside,outside) 27.18.11.139 10.1.1.1 netmask 255.255.255.255

static (outside,inside) 10.1.1.1 27.18.11.139 netmask 255.255.255.255

this seems incorrect to me as 10.1.1.1 is an internal host which is NAT'ed outbound to 27.18.11.139.

yet the static (outside,inside) command is also hiding 27.18.11.139 to the internal network as 10.1.1.1 in the NAT translation the other way.

surely this is incorrect and cannot work?

Re: static NAT query

pengfang — Mon, 14 Apr 2008 15:28:47 GMT

Hi , I believe it was wrong for the second "static", because it doesn't make sense when it come together with the first "static".

Followed is a summary of my understanding for natting behavior of "static":

static (real_ifc,mapped_ifc) mapped_ip real_ip

Static NAT is a "bi-directional" NAT, which means traffic can be initiated from both sides of firewall with different security levels when NAT occurs.

1. Traffic ingress interface is "real_ifc", egress interface is "mapped_ifc"

Traffic entering "real_ifc" and leaving "mapped_ifc", source IP with "real_ip" will be translated to "mapped_ip"(nat-src); the returned traffic entering "mapped_ifc" and leaving "real_ifc",destination Ip with "mapped_ip" will be translated to "real_ip" (nat-dst).

2. Traffic ingress interface is "mapped_ifc",egress interface is "real_ifc"

Traffic entering "mapped_ifc" and leaving "real_ifc",destination IP with "mapped_ip" will be translated to "real_ip" (nat-dst); the returned traffic entering "real_ifc" and leaving "mapped_ifc",source IP with "real_ip" will be translated to "mapped_ip" (nat-src).

HTH