NAT rule

Our issue is that 3 outside public IPs need to communicate with one of our internal IP addresses. So it is actually a group of public host IP addresses. Which type of NAT do we need to write?

4 Replies

Florin Barhala
Level 6
A concise question always receives a straight answer: when you say outside public IP, do you mean an external host that reaches your firewall through the outside interface?
Next: on which port of the internal host do you need access?

When an outside system needs to reach an internal system, you always need a static NAT for the internal system:

object network INTERNAL-SERVER
 host 10.10.10.10
 nat (inside,outside) static 192.0.2.1

Then you need access-control to allow traffic to that host:

object-group network ALLOWED-HOSTS
 network-object host 1.2.3.4
 network-object host 2.3.4.5
 network-object host 3.4.5.6
!
access-list OUTSIDE-ACCESS-IN permit tcp object-group ALLOWED-HOSTS object INTERNAL-SERVER eq 443
!
access-group OUTSIDE-ACCESS-IN in interface outside

Just adjust the ACL name if there is already an ACL in place.

nat (outside,inside) source static group-of-public-iplist destination static Public_NAT router-ip(internal) service ssh ssh no-proxy-arp
nat (inside,outside) source dynamic internal network Public_Nat dns
nat (outside,inside) source static group-of-public-iplist destination static Public_Nat group-of-public-iplist service any no-proxy-arp

This is the configuration we applied, but no hits are coming with this configuration.

Have you got an ACL to permit the destination port on the outside interface? Remember it needs to be permitted after the un-NAT. Also, have you got routes from your FW to the internal destination? Run packet-tracer to verify your logic.

Please remember to rate useful posts, by clicking on the stars below.
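The point raised in the last two replies (static NAT for the internal host, then an interface ACL that is evaluated after the un-NAT) is the usual reason an inbound rule shows zero hits on ASA 8.3 and later: the ACL must match the real (inside) address, not the mapped public address. The following Python model is an added illustration written for this thread, not Cisco code or anything from the original posts. It uses the addresses from the example configuration above (real host 10.10.10.10 mapped to 192.0.2.1, the three allowed sources) and models only the order of operations; the `Packet` and `Ace` types and the `inbound_decision` function are constructed for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Static NAT table from the example object in this thread:
# mapped (outside) address -> real (inside) address.
STATIC_NAT = {"192.0.2.1": "10.10.10.10"}

# The three external hosts from the example object-group ALLOWED-HOSTS.
ALLOWED_HOSTS: FrozenSet[str] = frozenset({"1.2.3.4", "2.3.4.5", "3.4.5.6"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-control entry: permit proto from any of src_hosts to dst_host on dport."""
    src_hosts: FrozenSet[str]
    dst_host: str
    proto: str
    dport: int


def un_nat(pkt: Packet) -> Packet:
    """Inbound on the outside interface: translate a mapped destination back to
    the real host. On ASA 8.3+ this happens before the interface ACL is checked."""
    real_dst = STATIC_NAT.get(pkt.dst, pkt.dst)
    return Packet(pkt.src, real_dst, pkt.proto, pkt.dport)


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; no match means the implicit deny at the end."""
    for ace in acl:
        if (pkt.src in ace.src_hosts and pkt.dst == ace.dst_host
                and pkt.proto == ace.proto and pkt.dport == ace.dport):
            return True
    return False


def inbound_decision(acl: List[Ace], pkt: Packet) -> Tuple[bool, Packet]:
    """Model of the inbound order of operations: un-NAT first, then evaluate the
    ACL against the packet as it looks after translation (real addresses)."""
    real_pkt = un_nat(pkt)
    return acl_permits(acl, real_pkt), real_pkt


# The ACL as it should be written on 8.3+: destination is the real inside host.
ACL_REAL_IP = [Ace(ALLOWED_HOSTS, "10.10.10.10", "tcp", 443)]

# The pre-8.3 habit: destination is the mapped public address. Because the
# un-NAT has already replaced 192.0.2.1 with 10.10.10.10, this entry never
# matches, which shows up as an ACL with zero hit counts.
ACL_MAPPED_IP = [Ace(ALLOWED_HOSTS, "192.0.2.1", "tcp", 443)]


def hit_count(acl: List[Ace], packets: List[Packet]) -> int:
    """Number of packets the ACL would permit (what 'show access-list' hitcnt reflects)."""
    return sum(1 for p in packets if inbound_decision(acl, p)[0])


if __name__ == "__main__":
    # Constructed sample traffic: the three allowed hosts plus one stranger.
    sample = [Packet(s, "192.0.2.1", "tcp", 443) for s in sorted(ALLOWED_HOSTS)]
    sample.append(Packet("198.51.100.7", "192.0.2.1", "tcp", 443))
    print("hits with real-IP ACL:  ", hit_count(ACL_REAL_IP, sample))    # 3
    print("hits with mapped-IP ACL:", hit_count(ACL_MAPPED_IP, sample))  # 0
```

On the firewall itself the equivalent check is the command the reply above recommends, which walks a synthetic packet through exactly this sequence and shows which phase drops it, for example `packet-tracer input outside tcp 1.2.3.4 12345 192.0.2.1 443` (the source port 12345 is an arbitrary value chosen for the test).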
