topic Re: NAT rule in Network Security

NAT rule

vishnuvichu36601 — Fri, 21 Feb 2020 15:41:43 GMT

Our issue is that, outside 3 public IPs need to communicate with one of our internal IP addresses. So it is actually a group of host public IP address. Which type of NAT we need to write?

Re: NAT rule

Florin Barhala — Thu, 03 May 2018 09:03:56 GMT

A concise question always receives a straight answer: when you say outside public IP you mean an external host that reaches your firewall through outside interface?
Next: on what port from the internal host you need access?

Re: NAT rule

Karsten Iwen — Thu, 03 May 2018 10:38:26 GMT

When an outside system needs to reach an internal system, then you always need a static NAT for the internal system:

object network INTERNAL-SERVER
 host 10.10.10.10
 nat (inside,outside) static 192.0.2.1

Then you need access-control to allow traffic to that host:

object-group network ALLOWED-HOSTS
 network-object host 1.2.3.4
 network-object host 2.3.4.5
 network-object host 3.4.5.6
!
access-list OUTSIDE-ACCESS-IN permit tcp object-group ALLOWED-HOSTS object INTERNAL-SERVER eq 443
!
access-group OUTSIDE-ACCESS-IN in interface outside

Just adjust the ACL-name if there is already an ACL in place.

Re: NAT rule

vishnuvichu36601 — Thu, 03 May 2018 10:50:08 GMT

nat (outside,inside) source static group-of-public-iplist destination static Public_NAT router-ip(internal) service ssh ssh no-proxy-arp
nat (inside,outside) source dynamic internal network Public_Nat dns
nat (outside,inside) source static group-of-public-iplist destination static Public_Nat group-of-public-iplist service any no-proxy-arp

this is the configuration we applied.But no hits comming with this configuration.

Re: NAT rule

Dennis Mink — Thu, 03 May 2018 12:03:52 GMT

have you got an ACL to permit the destination port on the outside interface. remember it needs to be permitted, after the unNAT..also have you got routes from your fw to the internal destination? runpacket tracer to verify your logic