Help me understand this simple NAT thing

I am trying to understand some simple NAT things on the Cisco ASA.
I have multiple machines PAT'ed (hide) to the Outside interface to provide Internet connectivity.

One of those machines also has an application running on tcp/7550 which I want to access over the Internet.

Question #1:

Now, when I connect to the Outside IP of the ASA on tcp/7550 I get a connection. Can someone explain how the ASA knows which machine it needs to forward it to? The only thing I have done differently for the NAT rule on this machine is that I used a static NAT instead of PAT.

Is it because the static NAT entry is used earlier in the order of NAT rules? I just want to understand how the ASA knows to which IP it forwards tcp/7550 when I haven't done anything specific with NAT for TCP services.

Question #2:

What is the best practice in this case when it comes to NAT/PAT? Let's say I have 8 machines which just need regular Internet access, so I PAT them to the Outside interface. But then I have, for example, tcp/7550 which I want to "forward" to Machine #9 and tcp/8550 which I want to forward to Machine #10.

Question #3:

What is the way to go when you want to provide one machine Internet access, but ALSO want to provide outside-to-inside connectivity for a specific port?

1 REPLY

Re: Help me understand this simple NAT thing

Cisco unified NAT is a bit complex when you are new to NATting. It took me a while to understand, so you are not the first. :)

Question #1:

Now, when I connect to the Outside IP of the ASA on tcp/7550 I get a connection. Can someone explain how the ASA knows which machine it needs to forward it to? The only thing I have done differently for the NAT rule on this machine is that I used a static NAT instead of PAT.

Is it because the static NAT entry is used earlier in the order of NAT rules? I just want to understand how the ASA knows to which IP it forwards tcp/7550 when I haven't done anything specific with NAT for TCP services.

ANSWER: ASA NAT has three sections: Section 1, Section 2 and Section 3. In all these sections static NAT rules always come before PAT rules. Now let's say you have a rule like this:

!
object network ALPHA
  host 192.168.100.1
  nat (inside,outside) static 1.2.3.4
!

Now in the above rule you are saying: if a packet is coming from inside and going to outside, translate it to 1.2.3.4; likewise, if it is coming from outside and going to inside, translate it back. This is also called a bi-directional translation.

You need to understand the flow of the packet too. Here

Question #2:

What is the best practice in this case when it comes to NAT/PAT? Let's say I have 8 machines which just need regular Internet access, so I PAT them to the Outside interface. But then I have, for example, tcp/7550 which I want to "forward" to Machine #9 and tcp/8550 which I want to forward to Machine #10.

Answer: It depends on the network requirement; each network has its own specific requirements. For the above scenario you can do NAT in Section 1 and also in Section 2. As said, it really depends on the network environment.

!
object network BETA
  host 192.168.100.2
  nat (inside,outside) static 1.2.3.4 service tcp www www
!
object network GEMMA
  host 192.168.100.3
  nat (inside,outside) static 1.2.3.4 service tcp ssh ssh
!

Question #3:

What is the way to go when you want to provide one machine Internet access, but ALSO want to provide outside-to-inside connectivity for a specific port?

!
object network OMEGA
  host 192.168.100.10
  nat (inside,outside) dynamic interface
!
object network DELTA
  host 192.168.100.10
  nat (inside,outside) static 1.2.3.4 service tcp www www
!

Read this document; it will help you a lot to understand your concept and clear up the confusion here

please do not forget to rate.
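Putting the three answers together for the exact scenario in the question, here is an added example configuration; it is not from the original reply or from Cisco, and all addresses and object names are constructed: inside LAN 192.168.100.0/24 behind interface "inside", interface "outside" with IP 198.51.100.1 (documentation range), Machine #9 at 192.168.100.9 and Machine #10 at 192.168.100.10. The syntax is ASA 8.3+ object NAT, the same style the reply uses.

```cisco
! Added example, not from the original post. Assumed addressing (constructed):
! inside LAN 192.168.100.0/24 on nameif "inside", nameif "outside" with
! IP 198.51.100.1, Machine #9 = 192.168.100.9, Machine #10 = 192.168.100.10.
!
! Questions #2 and #3: the 8 "regular" machines (and any other inside host)
! are hidden behind the outside interface IP by one dynamic PAT rule on the
! whole subnet. Dynamic PAT creates no inbound mapping, so nothing on these
! hosts is reachable from outside.
object network INSIDE_LAN
 subnet 192.168.100.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Questions #1 and #2: a static port forward of tcp/7550 on the outside
! interface IP to Machine #9. A static rule is evaluated before the dynamic
! PAT rule in Section 2 and is bi-directional, so an inbound connection to
! 198.51.100.1:7550 is un-translated to 192.168.100.9:7550. Only that port is
! exposed; all other traffic from Machine #9 does not match this rule and
! falls through to the INSIDE_LAN dynamic PAT rule. An object can carry only
! one nat statement, which is why the port forward is a separate object from
! the subnet object (the same pattern as OMEGA/DELTA above).
object network MACHINE9_TCP7550
 host 192.168.100.9
 nat (inside,outside) static interface service tcp 7550 7550
!
object network MACHINE10_TCP8550
 host 192.168.100.10
 nat (inside,outside) static interface service tcp 8550 8550
!
! NAT alone does not admit the inbound traffic: the ACL on the outside
! interface must permit it, and on ASA 8.3+ the ACL is written against the
! real (untranslated) inside address, not the outside IP.
access-list OUTSIDE_IN extended permit tcp any host 192.168.100.9 eq 7550
access-list OUTSIDE_IN extended permit tcp any host 192.168.100.10 eq 8550
access-group OUTSIDE_IN in interface outside
!
! Verification: "show nat detail" lists the rules in the order the ASA
! evaluates them (static before dynamic within Section 2), and packet-tracer
! walks an inbound flow through un-NAT and the ACL. 203.0.113.7 is a
! constructed outside client address.
! show nat detail
! packet-tracer input outside tcp 203.0.113.7 40000 198.51.100.1 7550
```

The point of the two verification commands is that they answer Question #1 directly: `show nat detail` shows that the static service rules sit above the dynamic PAT rule, and the packet-tracer output shows the un-translation of 198.51.100.1:7550 to 192.168.100.9 and the ACL hit, so you can confirm that exactly one port per machine is reachable from outside and nothing else.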