Outside Static Nat

jack samuel
Level 1

Hi

  • I have thought many times about outside NAT, but I am confused about when there will be a situation in which we will require outside NAT. Can anybody give me a good example from a real network and explain the traffic flow to me? I have read about it in a book but it is still not clear.
  • On the FWSM, when an interface with a higher security level accesses a lower security level we only need an access-list; NAT is not required. Am I on the correct path, or have I misunderstood this?

Thanks

17 Replies

Jon Marshall
Hall of Fame

Jack

An example of where I have used static NAT. We had a lab setup connected to our prod network with a firewall ie.

prod network -> (inside interface) pix (outside interface)  -> lab

so the pix was there to protect the prod network from the lab. In the lab we had 172.16.x.x addressing but our prod network used 10.228.x.x addressing and we didn't want to add 172.16.x.x addresses to our routing tables in prod. So we did this on the pix -

static (outside,inside) 10.228.56.10 172.16.10.1 netmask 255.255.255.255

then we could connect to 10.228.56.10 from prod and it was translated to 172.16.10.1 in the lab.

Basically what you are doing with this command is translating the destination IP as you go from the inside to the outside interface of the pix. Compare this with a normal static (inside,outside).. command ie.

static (inside,outside) 10.228.56.10 172.16.10.1 netmask 255.255.255.255  means -

1) a packet coming from the inside of the pix with a source IP of 172.16.10.1 will be translated to 10.228.56.10

2) a packet coming from the outside of the pix with a destination IP of 10.228.56.10 will be translated to 172.16.10.1

static (outside,inside) 10.228.56.10 172.16.10.1 netmask 255.255.255.255 means -

1) a packet coming from the inside with a destination of 10.228.56.10 will be translated to 172.16.10.1

2) a packet coming from the outside with a source IP of 172.16.10.1 will be translated to 10.228.56.10

With the FWSM you do indeed need an acl from higher to lower which is different from the standalone pix/ASA devices.

Whether or not you need NAT depends. If you have nat-control turned off then you do not need NAT. If it is turned on then, if I remember correctly, you do need it.

Jon

Thanks Jon

You have explained it very well.

On the FWSM I have 50 interface VLANs, so managing them with NAT is very difficult; we have therefore disabled nat-control, but on 2 interfaces I am using NAT:

int vlan 2
 ip add 10.10.2.254 255.255.255.0
 nameif vlan2
 security-level 90
int vlan 3
 ip add 10.10.3.254 255.255.255.0
 nameif vlan3
 security-level 25

nat (vlan3,vlan2) 10.10.2.2 10.10.3.2 netmask 255.255.255.255

Can you explain to me what the above command is doing? Please have a look at the security levels.

Thanks

nat (vlan3,vlan2) 10.10.2.2 10.10.3.2 netmask 255.255.255.255

Can you explain to me what the above command is doing? Please have a look at the security levels.

Not entirely sure. Is that the whole NAT config ie. shouldn't that be -

static (vlan3, vlan2) 10.10.2.2 10.10.3.2 netmask 255.255.255.255

or if it is nat and not static at the beginning is there any other config to go with it ?

Jon

Hello dear,

I'm absolutely sorry, I missed the word static

it is

static (vlan3, vlan2) 10.10.2.2 10.10.3.2 netmask 255.255.255.255

Please have a look at the security level of both VLANs in the above mail.

In the scenario below, what will the static NAT statements be if I want to use the lower-security-level interface first, i.e. (outside,inside), and PC-B wants to access PC-A? I know that static (inside,outside) will work because traffic is bidirectional, but I purposely want to use (outside,inside).

PC-A---------inside----------outside-----------------------PCB

Well it doesn't make a lot of sense.

Basically, as far as i can tell, it says -

from vlan 3 if you connect to the destination IP 10.10.2.2 then translate to 10.10.3.2

Jon

Hello jon,

In the scenario below, what will the static NAT statements be if I want to use the lower-security-level interface first, i.e. (outside,inside), and PC-B wants to access PC-A? I know that static (inside,outside) will work because traffic is bidirectional, but I purposely want to use (outside,inside).

PC-A ip is 172.16.10.1

PC-B ip is 172.16.5.1

PC-A---------inside----------outside-----------------------PCB

172.16.10.1

You don't use it like this.

If you want to present a device on a higher level interface to a lower level interface you use static (inside,outside). So that's what you would use in the above case.

you would simply do -

static (inside,outside) x.x.x.x  172.16.10.1 netmask 255.255.255.255

where x.x.x.x is the address you want to present to PCB.

You can't just simply decide to use a static (outside,inside) ... statement instead as it is used for a different purpose.

Jon

Well Dear

Please be patient with me; I appreciate your help. I will tell you the facts.

The configs below are on the FWSM; the real IP is 10.10.3.2 and the virtual IP is 10.10.2.2. What I understand from the static command below is that when the real IP 10.10.3.2 (vlan 3) comes into the FWSM to access vlan 2 it will be translated to 10.10.2.2, and the users in vlan 2 will see that the packet is from 10.10.2.2.

Am I on the correct path?

int vlan 2
 ip add 10.10.2.254 255.255.255.0
 nameif vlan2
 security-level 90
int vlan 3
 ip add 10.10.3.254 255.255.255.0
 nameif vlan3
 security-level 25

static (vlan3,vlan2) 10.10.2.2 10.10.3.2 netmask 255.255.255.255

Correct,

I always teach this kind of static the same way; what you need to see is the following:

(Real,mapped) Mapped Real

The concept is exactly the same; only the name changes (outside NAT, destination NAT, etc.). They are configured the same.

Mike


Jack

static (outside,inside) 10.228.56.10 172.16.10.1 netmask 255.255.255.255 means -

1) a packet coming from the inside with a destination of 10.228.56.3 will be translated to 172.16.10.1

2) a packet coming from the outside with a source IP of 172.16.10.1 will be translated to 10.228.56.3

Seems I can't even read my own posts.

static (vlan3,vlan2) 10.10.2.2 10.10.3.2 netmask 255.255.255.255

ie. a packet coming from vlan3 with a source IP of 10.10.3.2 will be translated to 10.10.2.2 on vlan 2 just as you say.

Sincere apologies for the confusion and many thanks to Mike for clarifying things.

Jon
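Mike's reading rule above, (Real,mapped) Mapped Real, together with Jon's two worked readings of static (inside,outside) and static (outside,inside), as an added Python model; this is not part of the thread and not Cisco code. It parses the static lines quoted in the thread (with or without the space after the comma), applies the rewrite in both directions, and carries a simplified nat-control flag for the point Jon raised earlier (traffic with no matching translation passes when nat-control is off; this model drops it when nat-control is on). The addresses 10.228.1.5 and 10.10.2.50 and the network-mask case are constructed here, and the security levels are deliberately absent because, as Mike says, they do not change how the static is read.

```python
"""Static NAT rewrite model for the PIX/ASA/FWSM command

    static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask

Added example, not Cisco code. It models only the address rewrite:
no xlate table, no ACL check, no proxy ARP, and a deliberately
simplified reading of nat-control (see translate()).
"""
import re
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Accepts the forms seen in the thread, with or without a space after the comma.
STATIC_RE = re.compile(
    r"^\s*static\s*\(\s*([^\s,]+)\s*,\s*([^\s)]+)\s*\)\s+(\S+)\s+(\S+)"
    r"(?:\s+netmask\s+(\S+))?\s*$"
)


@dataclass(frozen=True)
class Static:
    real_ifc: str        # interface the real host sits behind (first name in parentheses)
    mapped_ifc: str      # interface from which the mapped address is visible (second name)
    mapped: IPv4Network  # first address on the line, as seen from mapped_ifc
    real: IPv4Network    # second address on the line, the host's actual address


@dataclass(frozen=True)
class Packet:
    ingress: str
    egress: str
    src: IPv4Address
    dst: IPv4Address


def parse_static(line: str) -> Static:
    """Parse one 'static (...) mapped real [netmask mask]' line."""
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError(f"not a static command: {line!r}")
    real_ifc, mapped_ifc, mapped, real, mask = m.groups()
    mask = mask or "255.255.255.255"  # host translation when no netmask is given
    return Static(real_ifc, mapped_ifc,
                  IPv4Network(f"{mapped}/{mask}", strict=False),
                  IPv4Network(f"{real}/{mask}", strict=False))


def _remap(addr: IPv4Address, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """Keep the host offset, swap the network part (a /32 is just a 1:1 swap)."""
    return to_net.network_address + (int(addr) - int(from_net.network_address))


def translate(pkt: Packet, statics: List[Static], nat_control: bool = False) -> Optional[Packet]:
    """Apply the first matching static; None means the firewall drops the packet."""
    for s in statics:
        # real_ifc -> mapped_ifc: the real host leaves wearing its mapped address (source rewrite)
        if pkt.ingress == s.real_ifc and pkt.egress == s.mapped_ifc and pkt.src in s.real:
            return replace(pkt, src=_remap(pkt.src, s.real, s.mapped))
        # mapped_ifc -> real_ifc: traffic aimed at the mapped address reaches the real host (destination rewrite)
        if pkt.ingress == s.mapped_ifc and pkt.egress == s.real_ifc and pkt.dst in s.mapped:
            return replace(pkt, dst=_remap(pkt.dst, s.mapped, s.real))
    # No static matched. With nat-control off the packet passes untranslated; with it on,
    # this model drops any untranslated packet (simplified: the real device has further rules).
    return None if nat_control else pkt


def apply(config: List[str], ingress: str, egress: str, src: str, dst: str,
          nat_control: bool = False) -> Optional[Tuple[str, str]]:
    """String-in, string-out wrapper: (src, dst) after translation, or None if dropped."""
    statics = [parse_static(line) for line in config]
    out = translate(Packet(ingress, egress, IPv4Address(src), IPv4Address(dst)), statics, nat_control)
    return None if out is None else (str(out.src), str(out.dst))


if __name__ == "__main__":
    # Jon's lab example, both directions of the (outside,inside) form (10.228.1.5 is a constructed peer).
    lab = ["static (outside,inside) 10.228.56.10 172.16.10.1 netmask 255.255.255.255"]
    print(apply(lab, "inside", "outside", "10.228.1.5", "10.228.56.10"))  # dst -> 172.16.10.1
    print(apply(lab, "outside", "inside", "172.16.10.1", "10.228.1.5"))   # src -> 10.228.56.10
    # Jack's FWSM statement: security levels 90/25 play no part in the rewrite itself.
    fwsm = ["static (vlan3, vlan2) 10.10.2.2 10.10.3.2 netmask 255.255.255.255"]
    print(apply(fwsm, "vlan3", "vlan2", "10.10.3.2", "10.10.2.50"))       # src -> 10.10.2.2
```

Reading the output against the thread: the (inside,outside) form rewrites the source on the way out and the destination on the way in; the (outside,inside) form does the mirror image, which is why a connection from inside to 10.228.56.10 lands on 172.16.10.1 in the lab, exactly as Jon described.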

Hello Dears,

I want to use static (outside,inside) for the 2 scenarios in the diagram. Can you tell me what the static command will be, and whether the static (outside,inside) command will be applicable in both scenarios?

Please guide me,

jon,

I hope it is a typo; instead of 10.228.56.3 it should be 10.228.56.10

static (outside,inside) 10.228.56.10 172.16.10.1 netmask 255.255.255.255 means -

1) a packet coming from the inside with a destination of 10.228.56.3 will be translated to 172.16.10.1

2) a packet coming from the outside with a source IP of 172.16.10.1 will be translated to 10.228.56.3

Hi jack,

If you want to create a static NAT from internal to internet you should use static(inside,outside).

Here also you can use the same.

Here in both scenarios the internet-facing device is the ASA/PIX, so you can use static(inside,outside).

In the first scenario you need to create a route in the ASA to reach the PC (1.1.1.0) with a route inside............ command

then you can create static NAT in the ASA using static(inside,outside) command.

HTH

Thanks and Regards, Vipin

Hello Dear,

I know that I can reach it through static (inside,outside), but I want to use static (outside,inside). In which scenario is (outside,inside) possible, if PC-B wants to reach PC-A?

I just wanted to be clearer about static (outside,inside). Jon explained it to me very well, but by posting this scenario I want to get answers and see whether they match my thoughts or not.

Please specify the static commands with the proper PC IP addresses if they are applicable in the scenarios.

Thanks.

edited for spacing
