03-18-2017 09:18 AM - edited 03-12-2019 02:05 AM
Given these addresses and ACLs:
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0
!
object network WebServer-private
 host 10.1.1.80
object network WebServer-public
 host 192.168.1.80
!
object network InsideNet
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
access-list outside_ingress extended permit tcp any object WebServer-private eq www
access-group outside_ingress in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
!
Then what is the functional difference between:
!
object network WebServer-private
 host 10.1.1.80
 nat (inside,outside) static WebServer-public
!
and
object network WebServer-private
 host 10.1.1.80
 nat (inside,outside) static WebServer-public service tcp www www
!
Thanks
03-18-2017 06:03 PM
Hello,
The first one is a one-to-one NAT statement wherein you are mapping all the ports, i.e. 1-65535.
The second is a specific mapping of port 80 (www).
I would create static NAT (option 1) if I wanted to use the IP address 192.168.1.80 just for the server 10.1.1.80 and nothing else.
Option 2 ensures that other ports (apart from 80) are free and can be used elsewhere. For example, use TCP 25 for an SMTP server, etc.
The use case scenario of option 2 is when you don't want to purchase too many public IP addresses and create static PAT for each of your servers.
HTH
AJ
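A simplified model of the difference described in the answer above, added as an illustration (it is not ASA code and not from the thread). It assumes the interface ACL is evaluated against the real address; the mail server 10.1.1.25 and the broader ACL are constructed for the example.

```python
# Simplified model of inbound un-translation on the outside interface.
# Added illustration, not ASA code. 10.1.1.25 and ACL_BROAD are constructed.
from typing import NamedTuple, Optional

class StaticRule(NamedTuple):
    real_ip: str
    mapped_ip: str
    proto: Optional[str] = None   # None = one-to-one NAT, every port
    port: Optional[int] = None    # set only for static PAT (real == mapped here)

def untranslate(rules, dst_ip, proto, dst_port):
    """Return (real_ip, real_port) for an inbound packet, or None."""
    for r in rules:
        if r.mapped_ip != dst_ip:
            continue
        if r.proto is None:                          # option 1
            return (r.real_ip, dst_port)
        if (r.proto, r.port) == (proto, dst_port):   # option 2
            return (r.real_ip, r.port)
    return None

def reachable(rules, acl, dst_ip, proto, dst_port):
    """Forwarded only if a translation exists AND the ACL permits the real IP/port."""
    hit = untranslate(rules, dst_ip, proto, dst_port)
    if hit is None:
        return None
    ok = any(ip == hit[0] and p == proto and port in (None, hit[1])
             for ip, p, port in acl)
    return hit if ok else None

def exposed_ports(rules, acl, host="10.1.1.80", ports=(22, 25, 80, 443, 3389)):
    """Ports on 192.168.1.80 that end up at `host`."""
    return [p for p in ports
            if (hit := reachable(rules, acl, "192.168.1.80", "tcp", p)) and hit[0] == host]

OPTION1 = [StaticRule("10.1.1.80", "192.168.1.80")]
OPTION2 = [StaticRule("10.1.1.80", "192.168.1.80", "tcp", 80),
           StaticRule("10.1.1.25", "192.168.1.80", "tcp", 25)]  # hypothetical SMTP host
ACL_PAGE = [("10.1.1.80", "tcp", 80)]     # permit tcp any <web server> eq www
ACL_BROAD = [("10.1.1.80", "tcp", None)]  # constructed: same entry with "eq www" dropped

if __name__ == "__main__":
    for name, rules in (("option 1", OPTION1), ("option 2", OPTION2)):
        for acl_name, acl in (("page ACL", ACL_PAGE), ("broad ACL", ACL_BROAD)):
            print(name, acl_name, exposed_ports(rules, acl))
```

In this model, option 1 leaves the ACL as the only control on which ports reach the web server, while option 2 gives unmapped ports no translation to match and lets TCP 25 on the same public address go to a different host.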
03-19-2017 06:57 AM
Ajay,
Your answer was concise and to the point and also noted that option 2 would better fit the needs of smaller businesses which may not want, nor need to purchase large blocks of routable IPs. I'm not sure I've ever seen this stated as such before.
Thx