10-11-2012 08:02 AM - edited 03-11-2019 05:07 PM
I would like to ask a basic NAT question. Please find the attached diagram: the firewall has 2 interfaces, inside and outside. We have a web server hosted inside the firewall offering web services to Internet users.
The server's private IP address is 192.168.1.10 and its public IP is 2.2.2.2;
The firewall only allows a certain IP range from the Internet (3.3.3.0/24) to access the server via TCP port 80;
The firewall needs to do NAT to translate 2.2.2.2 to 192.168.1.10.
Please find my configuration:
object network InsidePrivateIP
host 192.168.1.10
object network InsidePublicIP
host 2.2.2.2
object network OutsideNetwork
subnet 3.3.3.0 255.255.255.0
nat (outside,inside) source static OutsideNetwork OutsideNetwork destination static InsidePublicIP InsidePrivateIP
I would like to know whether my (outside,inside) sequence is correct or not, because the server is accepting the incoming HTTP request.
And can I use a simpler way to implement it:
object network InsidePublicIP
host 2.2.2.2
nat (outside,inside) static 192.168.1.10
and create the ACL to allow the traffic:
source IP: 3.3.3.0/24
source port: any
destination IP: 2.2.2.2
destination port: 80
Thanks in advance, I will rate your reply.
10-11-2012 08:13 AM
Your simpler way is the correct way but it should have been as follows:
object network serverIP
host 192.168.1.10
nat (inside,outside) static 2.2.2.2
access-list outside-acl permit tcp 3.3.3.0 255.255.255.0 object serverIP eq 80
access-group outside-acl in interface outside
Message was edited by: Jennifer Halim
10-11-2012 12:59 PM
When you configure NAT translation, normally you look at it from the inside host perspective as that is the source to be NATed and inside has higher security level than outside.
Static NAT statement is bi-directional, so when you configure it with "nat (inside,outside)", it works for the other direction too.
10-11-2012 08:23 AM
Thanks for your prompt reply.
Can you please let me know where the problem is in the first configuration?
10-11-2012 08:30 AM
With the first configuration, you still need to configure the access-list as well, as NAT is not enough to restrict traffic from specific subnet.
Also, the format should have been as follows:
nat (inside,outside) source static InsidePrivateIP InsidePublicIP destination static OutsideNetwork OutsideNetwork
Why make it so complicated when you can configure it the simpler way, right?
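As an added illustration (not part of this thread and not Cisco code), the following Python model shows the two points the answers above make: a static object NAT written as "nat (inside,outside)" is bidirectional, and NAT by itself does not restrict who can reach the server, so the interface ACL is what enforces the 3.3.3.0/24 restriction. The addresses, object names and ACL come from the thread; the Packet class and the functions are my own constructions, and the rule that the outside ACL is evaluated against the real (untranslated) address reflects ASA 8.3+ behaviour, which is why the accepted answer's ACL references object serverIP rather than 2.2.2.2.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Values taken from the thread's configuration
SERVER_REAL = ip_address("192.168.1.10")   # object network serverIP / host 192.168.1.10
SERVER_MAPPED = ip_address("2.2.2.2")      # nat (inside,outside) static 2.2.2.2
ALLOWED_NET = ip_network("3.3.3.0/24")     # permit tcp 3.3.3.0 255.255.255.0 ...
SERVER_PORT = 80                           # ... object serverIP eq 80


@dataclass(frozen=True)
class Packet:
    """Simplified packet as it arrives on an ASA interface (constructed model)."""
    ingress: str   # interface the packet arrived on: "inside" or "outside"
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def static_nat(pkt: Packet) -> Packet:
    """Apply 'nat (inside,outside) static 2.2.2.2' in whichever direction applies.

    The rule is written from the inside host's perspective (real -> mapped), but a
    static rule is bidirectional: traffic arriving on outside for the mapped
    address is untranslated to the real address, and traffic the server sends
    out is translated from the real address to the mapped one.
    """
    if pkt.ingress == "outside" and ip_address(pkt.dst) == SERVER_MAPPED:
        return Packet(pkt.ingress, pkt.src, str(SERVER_REAL), pkt.dport, pkt.proto)
    if pkt.ingress == "inside" and ip_address(pkt.src) == SERVER_REAL:
        return Packet(pkt.ingress, str(SERVER_MAPPED), pkt.dst, pkt.dport, pkt.proto)
    return pkt  # no NAT rule matches; the packet is forwarded unchanged


def outside_acl(pkt: Packet) -> bool:
    """'access-list outside-acl permit tcp 3.3.3.0 255.255.255.0 object serverIP eq 80'.

    On ASA 8.3 and later the interface ACL is matched against the real
    (untranslated) destination, so the ACL names serverIP (192.168.1.10).
    Anything not explicitly permitted hits the implicit deny at the end.
    """
    return (pkt.proto == "tcp"
            and ip_address(pkt.src) in ALLOWED_NET
            and ip_address(pkt.dst) == SERVER_REAL
            and pkt.dport == SERVER_PORT)


def forward_inbound(pkt: Packet, acl_applied: bool = True) -> tuple:
    """Decide the fate of a packet arriving on the outside interface.

    Returns ("permit", real_destination) or ("deny", reason). With
    acl_applied=False it models the asker's first configuration, where only a
    NAT rule exists: NAT alone lets any Internet host reach the server.
    """
    if pkt.ingress != "outside":
        raise ValueError("forward_inbound models the outside interface only")
    real = static_nat(pkt)  # untranslate first, then evaluate the ACL (8.3+ order)
    if acl_applied and not outside_acl(real):
        return ("deny", "implicit deny on outside-acl")
    return ("permit", real.dst)


if __name__ == "__main__":
    # Constructed sample packets; 4.4.4.4 stands in for an arbitrary Internet host
    samples = [
        (Packet("outside", "3.3.3.5", "2.2.2.2", 80), True),    # allowed range, port 80
        (Packet("outside", "4.4.4.4", "2.2.2.2", 80), True),    # outside the range
        (Packet("outside", "3.3.3.5", "2.2.2.2", 443), True),   # wrong port
        (Packet("outside", "4.4.4.4", "2.2.2.2", 80), False),   # NAT only, no ACL
    ]
    for pkt, acl in samples:
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport} acl={acl}: {forward_inbound(pkt, acl)}")
    # The same static rule translates the server's own outbound traffic
    print("outbound:", static_nat(Packet("inside", "192.168.1.10", "4.4.4.4", 53, "udp")))
```

Running the model shows the permitted host reaching 192.168.1.10, the out-of-range host and the wrong port being dropped by the ACL, and the out-of-range host getting through when the ACL is absent, which is the gap the reply above points out in the first configuration.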
10-11-2012 08:39 AM
Yes, you are right; the simpler, the better.
And shouldn't it be "nat (outside,inside)"? Since the traffic is incoming traffic, that is also the part I am confused about:
According to the Cisco document, it is "nat (inside,outside)", but when I configure the FW using the GUI, I select the source (outside) interface and destination interface (inside), and the command line is "nat (outside,inside)".
Thanks.