
Below config is performing the DNAT and Source NAT or not ?

itprashant
Level 1

Hi,

More info....

I have used the below config in my firewall to perform DNAT and SNAT. I wanted to know in brief how exactly it works, and whether my understanding is correct or not.

For DNAT (Destination NAT) :

1. I wanted to know whether the below configuration will perform destination NAT when a packet comes from outside to inside. That is, with source any and destination 217.127.54.8, will it convert the destination to 217.127.52.100 or not?


nat (outside) 1 access-list inbound-nat-52-100

global (inside) 1 217.127.52.100


access-list inbound-nat-52-100 extended permit ip any host 217.127.54.8

For SNAT ( Source NAT) :


2. I wanted to know whether the below config will convert source 217.127.52.100 to 217.127.54.8 when the packet is destined for the 10.1.5.0 or 38.113.23.164 network/host.


!
static (inside,outside) 217.127.54.8  access-list outbound-nat-54-8
access-list outbound-nat-54-8 extended permit ip host 217.127.52.100 10.1.5.0 255.255.255.0
access-list outbound-nat-54-8 extended permit ip host 217.127.52.100 host 38.113.23.164

!

Accepted Solutions

brquinn
Level 1

Prashant,

1) When using a nat/global configuration, it will only NAT the source IP address. You cannot do destination NAT with a nat/global pair. What you have configured will NAT traffic from any source address to 217.127.52.100 going from outside -> inside when destined to ip 217.127.54.8.

*Note: You also need to include the "outside" keyword on your nat statement since you are going from a low sec-lvl to a high sec-lvl interface (this is known as outside NAT).

Ex:

nat (outside) 1 access-list inbound-nat-52-100 outside

2) This NAT is bi-directional, but it will perform "destination NAT" if the traffic is originated on the outside interface. What you have configured will NAT traffic from 10.1.5.0/24 or 38.113.23.164 destined to 217.127.54.8 and change the destination IP to 217.127.52.100.

Likewise, if traffic is originated on the inside interface from 217.127.52.100, it will change the source IP to 217.127.54.8 when destined to 10.1.5.0/24 or 38.113.23.164.

I hope this helps. Maybe it would be easier to just tell us what you want to do and why so we can help.

Thanks,

Brendan
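
The two rules as the accepted answer describes them, modelled in Python as an added example (not part of the thread and not Cisco code). Each rule is evaluated on its own; how the firewall orders the two rules against each other is not modelled, and the function names and sample packets are constructed.

```python
from ipaddress import ip_address, ip_network

REAL = ip_address("217.127.52.100")           # inside host, real address
MAPPED = ip_address("217.127.54.8")           # address of the static on the outside
GLOBAL_INSIDE = ip_address("217.127.52.100")  # global (inside) 1 217.127.52.100
# Destinations permitted by access-list outbound-nat-54-8
PEERS = [ip_network("10.1.5.0/24"), ip_network("38.113.23.164/32")]


def _is_peer(addr):
    return any(addr in net for net in PEERS)


def policy_static(ingress, src, dst):
    """static (inside,outside) 217.127.54.8 access-list outbound-nat-54-8"""
    src, dst = ip_address(src), ip_address(dst)
    # Inside-originated: rewrite the source, only towards the listed peers.
    if ingress == "inside" and src == REAL and _is_peer(dst):
        return str(MAPPED), str(dst), "source translated"
    # Outside-originated: the same rule in reverse rewrites the destination.
    if ingress == "outside" and dst == MAPPED and _is_peer(src):
        return str(src), str(REAL), "destination translated"
    return str(src), str(dst), "no match"


def outside_dynamic(ingress, src, dst):
    """nat (outside) 1 access-list inbound-nat-52-100 outside
    global (inside) 1 217.127.52.100"""
    src, dst = ip_address(src), ip_address(dst)
    # ACL: permit ip any host 217.127.54.8. Only the source is rewritten.
    if ingress == "outside" and dst == MAPPED:
        return str(GLOBAL_INSIDE), str(dst), "source translated"
    return str(src), str(dst), "no match"


if __name__ == "__main__":
    # Constructed sample packets: (ingress interface, source, destination)
    samples = [
        ("inside", "217.127.52.100", "10.1.5.20"),
        ("inside", "217.127.52.100", "192.0.2.50"),
        ("outside", "38.113.23.164", "217.127.54.8"),
        ("outside", "198.51.100.9", "217.127.54.8"),
    ]
    for pkt in samples:
        print(pkt, "static:", policy_static(*pkt), "nat/global:", outside_dynamic(*pkt))
```
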


Thanks for your response...
