03-15-2018 04:18 PM - edited 02-21-2020 07:31 AM
Hi all:
I need your help understanding how this would be done. I got the outside-to-inside NAT working, but it requires some fine tuning and I need more understanding around it. If someone can put the commands together for me, that would be awesome.
I have four interfaces
1 - Outside - security level 0 - 200.1.1.1/24 Connected to internet and public networks
2 - Inside - security level 100 - 192.168.1.100/24
3 - WEBServers - security level 50 - 192.168.2.100/24
4 - APPS - security level 40 - 192.168.3.100/24
1) I would like to do the following, from Outside to Inside:
Source: 131.1.1.1
Destination: 200.1.1.25
Source NAT: Original
Destination NAT: 10.42.1.1 (inside destination)
Service: 22
------------
object network ip_200.1.1.25
host 200.1.1.25
object network inside_server
host 10.42.1.1
nat (Inside,Outside) static ip_200.1.1.25
access-list EXTERNAL extended permit tcp any object ip_200.1.1.25 eq 22
I did this and it works, but I would like the NAT to be specific to the source instead of wide open to any.
2) I would like to do the following, from APPS to Inside:
Source: 192.168.3.100
Destination: 10.1.1.23 (via inside)
Source NAT: 192.168.1.23
Destination NAT: Original
Service: any
3) From APPS and WEBServers to Outside:
Source: 192.168.3.11 and 192.168.2.11
Destination: 8.8.8.8
Source NAT: 200.1.1.2
Destination NAT: Original
Service: any
03-15-2018 06:21 PM
Hi
Here are my answers:
1. I believe you want to NAT only port 22.
The config will be:
object network src_host
host 131.1.1.1
object network inside_server
host 10.42.1.1
nat (Inside,Outside) static ip_200.1.1.25 service tcp 22 22
! on ASA 8.3+ the interface ACL matches the real (untranslated) address, so permit to inside_server, not to the mapped 200.1.1.25
access-list EXTERNAL extended permit tcp object src_host object inside_server eq 22
2.
object network src
host 192.168.3.100
object network dest
host 10.1.1.23
object network natsrc
host 192.168.1.23
! interface names are the nameifs and are case-sensitive: APPS and Inside as defined above.
! "no-proxy-lookup" is not a valid nat option (the real keyword is no-proxy-arp); it is left out here
! because the ASA must answer ARP for the mapped address 192.168.1.23 on the Inside segment.
nat (APPS,Inside) source static src natsrc destination static dest dest
3. Same as 2:
object network srcapp
host 192.168.3.11
object network srcwebserver
host 192.168.2.11
object network srcnat
host 200.1.1.2
object network dest_8.8.8.8
host 8.8.8.8
! destination is 8.8.8.8 per the requirement (named so it does not overwrite the "dest" object from item 2).
! two real hosts share one mapped address, so this is dynamic PAT rather than a one-to-one static;
! the invalid "no-proxy-lookup" keyword is removed.
nat (APPS,Outside) source dynamic srcapp srcnat destination static dest_8.8.8.8 dest_8.8.8.8
nat (WEBServers,Outside) source dynamic srcwebserver srcnat destination static dest_8.8.8.8 dest_8.8.8.8
03-15-2018 08:37 PM
Thank you, thank you, Francesco:
Your input did help me understand the nat.
I have two further questions please.
1) Would this work as well using manual NAT instead of auto NAT for the destination NAT (same interfaces and security settings as originally posted above)?
Requirement:
Source: 131.1.1.1
Destination: 200.1.1.25
Source NAT: Original
Destination NAT: 10.42.1.1
Service: 22
Solution:
object network remote-src_131.1.1.1
host 131.1.1.1
object network ip_200.1.1.25
host 200.1.1.25
object network server_10.42.1.1
host 10.42.1.1
nat (Inside,Outside) source static remote-src_131.1.1.1 remote-src_131.1.1.1 destination static ip_200.1.1.25 server_10.42.1.1
! ("no-proxy-lookup" is not a valid nat option and has been removed; the real keyword is no-proxy-arp, which would break ARP replies for 200.1.1.25 on Outside)
========================
2) How is the order of interfaces determined?
For example:
(inside, outside)
Is it always from high security to low security? I mean, when can it be (outside,inside)?
thank you again
03-16-2018 05:20 AM
object network remote-src_131.1.1.1
host 131.1.1.1
object network ip_200.1.1.25
host 200.1.1.25
object network server_10.42.1.1
host 10.42.1.1
nat (Inside,Outside) source static remote-src_131.1.1.1 remote-src_131.1.1.1 destination static ip_200.1.1.25 server_10.42.1.1
! (invalid "no-proxy-lookup" keyword removed; the real option is no-proxy-arp)
On this config, the nat is wrong.
You can test:
nat (Inside,Outside) source static server_10.42.1.1 ip_200.1.1.25 destination static remote-src_131.1.1.1 remote-src_131.1.1.1
The interface position is based on real ifc vs mapped ifc. This means that your real server is inside and you want it to be natted when communicating with outside networks. Is that clear?
03-16-2018 08:28 AM
Hi,
Just a quick note regarding your config, first example.
You said that the first (static) NAT is working, but the ACL contains the NAT IP, not the real one (EXTERNAL ACL).
Nowadays, you have to use the real IP when doing ACLs, MPF, WCCP, etc.
Thanks,
Octavian
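To tie together the two points made in the replies above (how the interface order of a manual NAT rule follows the real and mapped interfaces, and that the interface ACL must reference the real address on ASA 8.3+), here is an added configuration example. It is not part of any post in this thread; it reuses the object names and the poster's interface names (Outside, Inside) from the thread, and the source port used in the packet-tracer check is an arbitrary choice.

```cisco
! Added example, not from the original thread. ASA 8.3+ syntax.
object network remote-src_131.1.1.1
host 131.1.1.1
object network ip_200.1.1.25
host 200.1.1.25
object network server_10.42.1.1
host 10.42.1.1
!
! Form A: real interface = Inside, because the source object being
! translated (the server) lives on Inside. The source pair is written
! real -> mapped; the destination pair is written mapped -> real.
nat (Inside,Outside) source static server_10.42.1.1 ip_200.1.1.25 destination static remote-src_131.1.1.1 remote-src_131.1.1.1
!
! Form B: the same rule written from the Outside host's point of view.
! Here the real interface is Outside, the source 131.1.1.1 is not
! translated, and the destination pair is "what the Outside host sends
! to" (200.1.1.25) followed by the real server. Use A or B, not both.
! nat (Outside,Inside) source static remote-src_131.1.1.1 remote-src_131.1.1.1 destination static ip_200.1.1.25 server_10.42.1.1
!
! Interface ACL: with 8.3+ the ACL is matched against the real
! (untranslated) destination, so permit to the server object,
! not to the mapped 200.1.1.25.
access-list EXTERNAL extended permit tcp object remote-src_131.1.1.1 object server_10.42.1.1 eq 22
access-group EXTERNAL in interface Outside
!
! Checks (40000 is an arbitrary client source port for the test):
! show nat detail
!   translate_hits / untranslate_hits show which direction a rule matched
! packet-tracer input Outside tcp 131.1.1.1 40000 200.1.1.25 22
!   expect an UN-NAT phase mapping 200.1.1.25 -> 10.42.1.1, then ALLOW
```

Neither form needs the no-proxy-arp option: 200.1.1.25 sits inside the Outside interface's own 200.1.1.0/24 subnet, so the ASA has to answer ARP for it or the inbound SYN from 131.1.1.1 never reaches the firewall.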