05-30-2011 10:59 PM - edited 03-11-2019 01:40 PM
Hi,
More info....
I have used the config below in my firewall to perform DNAT and SNAT. I wanted a brief explanation of it: how exactly it works, and whether my understanding is correct or not?
For DNAT (Destination NAT):
1. I wanted to know whether the configuration below will perform destination NAT when a packet comes from outside to inside. That is, with source any and destination 217.127.54.8, does it convert the destination to 217.127.52.100 or not?
nat (outside) 1 access-list inbound-nat-52-100
global (inside) 1 217.127.52.100
access-list inbound-nat-52-100 extended permit ip any host 217.127.54.8
For SNAT (Source NAT):
2. I wanted to know whether the config below will convert source 217.127.52.100 to 217.127.54.8 when the packet is destined for the 10.1.5.0 or 38.113.23.164 network/host.
!
static (inside,outside) 217.127.54.8 access-list outbound-nat-54-8
access-list outbound-nat-54-8 extended permit ip host 217.127.52.100 10.1.5.0 255.255.255.0
access-list outbound-nat-54-8 extended permit ip host 217.127.52.100 host 38.113.23.164
!
05-31-2011 10:11 AM
Prashant,
1) When using a nat/global configuration, it will only NAT the source IP address. You cannot do destination NAT with a nat/global pair. What you have configured will NAT traffic from any source address to 217.127.52.100 going from outside -> inside when destined to ip 217.127.54.8.
*Note: You also need to include the "outside" keyword on your nat statement since you are going from a low sec-lvl to a high sec-lvl interface (this is known as outside NAT).
Ex:
nat (outside) 1 access-list inbound-nat-52-100 outside
2) This NAT is bi-directional, but it will perform "destination NAT" if the traffic is originated on the outside interface. What you have configured will NAT traffic from 10.1.5.0/24 or 38.113.23.164 destined to 217.127.54.8 and change the destination IP to 217.127.52.100.
Likewise, if traffic is originated on the inside interface from 217.127.52.100, it will change the source IP to 217.127.54.8 when destined to 10.1.5.0/24 or 38.113.23.164.
I hope this helps. Maybe it would be easier to just tell us what you want to do and why so we can help.
Thanks,
Brendan
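The two behaviours described in the answer above, as a small Python model added here for illustration (it is not ASA code and not from anyone in the thread). The function names and the 198.51.100.7 test address are made up, and the model covers only address rewriting as the answer describes it, not ports, rule ordering or interface ACLs.

```python
from ipaddress import ip_address, ip_network

# ACL entries copied from the thread, as (source, destination) networks.
OUTBOUND_NAT_54_8 = [("217.127.52.100/32", "10.1.5.0/24"),
                     ("217.127.52.100/32", "38.113.23.164/32")]
INBOUND_NAT_52_100 = [("0.0.0.0/0", "217.127.54.8/32")]

REAL = "217.127.52.100"    # inside (real) address from the thread
MAPPED = "217.127.54.8"    # outside (mapped) address from the thread
GLOBAL_INSIDE = "217.127.52.100"  # global (inside) 1 address


def acl_permits(acl, src, dst):
    """True if any entry matches both the source and the destination."""
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in acl)


def policy_static(ingress, src, dst):
    """Model of: static (inside,outside) 217.127.54.8 access-list outbound-nat-54-8."""
    # Inside-originated traffic matching the ACL: the SOURCE is rewritten.
    if ingress == "inside" and acl_permits(OUTBOUND_NAT_54_8, src, dst):
        return MAPPED, dst
    # Outside-originated traffic from a peer listed in the ACL to the mapped
    # address: the DESTINATION is rewritten (the reverse direction).
    if (ingress == "outside" and dst == MAPPED
            and acl_permits(OUTBOUND_NAT_54_8, REAL, src)):
        return src, REAL
    return src, dst  # no match: packet is not translated by this rule


def outside_nat(ingress, src, dst):
    """Model of: nat (outside) 1 access-list inbound-nat-52-100 outside
    with global (inside) 1 217.127.52.100."""
    # nat/global only ever rewrites the SOURCE; the destination is untouched.
    if ingress == "outside" and acl_permits(INBOUND_NAT_52_100, src, dst):
        return GLOBAL_INSIDE, dst
    return src, dst


if __name__ == "__main__":
    # Constructed sample packets: (ingress interface, source, destination).
    for rule, pkt in [(policy_static, ("inside", REAL, "10.1.5.20")),
                      (policy_static, ("outside", "38.113.23.164", MAPPED)),
                      (policy_static, ("outside", "198.51.100.7", MAPPED)),
                      (outside_nat, ("outside", "198.51.100.7", MAPPED))]:
        print(rule.__name__, pkt, "->", rule(*pkt))
```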
06-09-2011 01:40 AM
Thanks for your response...