Static nat asa question - help

Andrew Vlasek
Level 1

This is in regard to 8.2 static nat. Given an example I found in a Cisco document I have a question regarding normal static nat.

hostname(config)# static (inside,outside) 209.165.201.15 10.1.1.3 netmask 255.255.255.255

The following command maps the outside address (209.165.201.15) to an inside address (10.1.1.6):

hostname(config)# static (outside,inside) 10.1.1.3 209.165.201.15 netmask 255.255.255.255

Looking at the above, is there any reason why you would have the above two entries? Isn't static NAT bi-directional? I am confused on the placement of static NAT sometimes. Say my internal hosts are going to my DMZ and I am basically just saying don't NAT, or keep your same address when going to the DMZ. For example:

hostname(config)# static (inside,dmz) 10.1.1.3 10.1.1.3 netmask 255.255.255.255

I think the above is correct and I wouldn't also need a corresponding NAT on the DMZ IP to the inside, correct? Doing NAT on the command line it makes sense, but I get confused when doing it in the GUI.

In the example, let's say DMZ is level 50, inside is 100, and nat-control is on of course.

Any help to clarify this in my mind would be greatly appreciated.

Thanks,

Andrew

Accepted Solution

Jon Marshall
Hall of Fame

Andrew

NAT is bidirectional so

static (inside,outside) 209.165.201.15 10.1.1.3 netmask 255.255.255.255  means -

1) packets with a source IP of 10.1.1.3 arriving on the inside interface and being routed via the outside interface will have the source IP changed to 209.165.201.15

and

2) packets with a destination address of 209.165.201.15 arriving on the outside interface and being routed via the inside interface will have the destination IP changed to 10.1.1.3

static (outside,inside) 10.1.1.3 209.165.201.15 netmask 255.255.255.255  means

1) packets arriving on the inside interface with a destination IP of 10.1.1.3 and being routed via the outside interface will have the destination IP changed to 209.165.201.15

and

2) packets arriving on the outside interface with a source IP of 209.165.201.15 and being routed via the inside interface will have the source IP changed to 10.1.1.3

Of the two statements by far the commonest is the first one which is used to present internal servers to the internet on a public IP so that they can be accessed from the internet.

Edit - in relation to your specific question. If you used -

static (inside,dmz) 10.1.1.3 10.1.1.3 netmask 255.255.255.255  then yes you are correct in what you say. You do not need a NAT statement on the DMZ interface as the one static you have entered will work bi-directionally.

Jon

3 Replies

When you said of the two statements the first one is most commonly used, you were referring to the second example, right, but first statement, right? The first example wouldn't be that common, right:

static (outside,inside) 10.1.1.3 209.165.201.15 netmask 255.255.255.255

This is where modifying the source IP would be for, like say you're coming from a partner network and you use the same IP scheme or something? This is a bad example because it is using real addresses, but say it was modifying a 10 network address to a 192 address, is that correct? But thank you for your help, your response definitely helped clarify things. I am just trying to make sure I have it all straight.

Andrew

Yes, apologies for the confusion. I meant the "static (inside,outside) ...." statement is much more commonly used.

An example of where I have used the "static (outside,inside) ..." was when we had a test network but we needed access to it from our production network. Our test network used a completely different IP range and I didn't want to have that range in our production routing tables.

So I picked an unused subnet from production addressing, e.g. 10.5.1.0/24, and then used that to NAT to test IP addresses, e.g.

static (outside,inside) 10.5.1.10 192.168.5.1 netmask 255.255.255.255

so from production you would connect to 10.5.1.10 (which was part of production addressing) and then when it got routed to the firewall it would be translated to the actual test network address 192.168.5.1

Hope that clarifies things.

Jon
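To make the two directions Jon describes (and his test-network use of `static (outside,inside)`) concrete, here is an added Python model of how a host `static` line is interpreted. It is not code from the thread, from Cisco, or from the ASA; it assumes only the host (/32) form used above, ignores ACLs, the ordering between nat/static/policy NAT rules and xlate state, and models nat-control only as "a packet with no matching static is not forwarded untranslated". The packets and the hosts 10.1.1.50, 172.16.0.5 and 198.51.100.7 are constructed for the example.

```python
"""Toy model of ASA 8.2 host `static` NAT (added illustration, not Cisco code).

A `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask 255.255.255.255` line is
ONE rule that translates in both directions. Swapping the interface pair and the
two addresses turns "present an inside server on a public IP" into "reach an
outside host through an address taken from the inside range".
"""
import re
from dataclasses import dataclass, replace
from typing import Iterable, Optional


@dataclass(frozen=True)
class Packet:
    in_ifc: str   # interface the packet arrived on
    out_ifc: str  # interface the routing lookup selected
    src: str
    dst: str


@dataclass(frozen=True)
class StaticNat:
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet, or None if this static does not cover it.

        Direction 1, real -> mapped interface: a SOURCE of real_ip becomes mapped_ip.
        Direction 2, mapped -> real interface: a DESTINATION of mapped_ip becomes real_ip.
        Both come from the single statement; that is what "bidirectional" means here.
        """
        if (pkt.in_ifc, pkt.out_ifc) == (self.real_ifc, self.mapped_ifc) and pkt.src == self.real_ip:
            return replace(pkt, src=self.mapped_ip)
        if (pkt.in_ifc, pkt.out_ifc) == (self.mapped_ifc, self.real_ifc) and pkt.dst == self.mapped_ip:
            return replace(pkt, dst=self.real_ip)
        return None


# Only the host (/32) form used throughout the thread is parsed (assumption).
_STATIC_RE = re.compile(
    r"^\s*static\s*\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)\s+(\S+)\s+(\S+)"
    r"\s+netmask\s+255\.255\.255\.255\s*$"
)


def parse_static(line: str) -> StaticNat:
    """Turn a `static (a,b) MAPPED REAL netmask 255.255.255.255` line into a rule."""
    m = _STATIC_RE.match(line)
    if m is None:
        raise ValueError(f"not a host static statement: {line!r}")
    real_ifc, mapped_ifc, mapped_ip, real_ip = m.groups()
    return StaticNat(real_ifc, mapped_ifc, mapped_ip, real_ip)


def apply_statics(rules: Iterable[StaticNat], pkt: Packet) -> Optional[Packet]:
    """First matching static wins. None means no static covers the packet; with
    nat-control on, a higher-to-lower-security packet in that state is not
    forwarded untranslated, which is why the identity static to the DMZ matters."""
    for rule in rules:
        out = rule.translate(pkt)
        if out is not None:
            return out
    return None


if __name__ == "__main__":
    # Constructed sample packets using the thread's addresses plus a few made-up hosts.
    examples = [
        ("static (inside,outside) 209.165.201.15 10.1.1.3 netmask 255.255.255.255",
         [Packet("inside", "outside", "10.1.1.3", "198.51.100.7"),
          Packet("outside", "inside", "198.51.100.7", "209.165.201.15")]),
        ("static (outside,inside) 10.1.1.3 209.165.201.15 netmask 255.255.255.255",
         [Packet("inside", "outside", "10.1.1.50", "10.1.1.3"),
          Packet("outside", "inside", "209.165.201.15", "10.1.1.50")]),
        ("static (inside,dmz) 10.1.1.3 10.1.1.3 netmask 255.255.255.255",
         [Packet("inside", "dmz", "10.1.1.3", "172.16.0.5"),
          Packet("inside", "dmz", "10.1.1.4", "172.16.0.5")]),
        ("static (outside,inside) 10.5.1.10 192.168.5.1 netmask 255.255.255.255",
         [Packet("inside", "outside", "10.1.1.3", "10.5.1.10")]),
    ]
    for line, pkts in examples:
        rule = parse_static(line)
        print(line)
        for p in pkts:
            print(f"  {p.in_ifc}->{p.out_ifc} {p.src} -> {p.dst}: {apply_statics([rule], p)}")
```

Running it shows the point of the thread: the `(inside,outside)` line rewrites the source on the way out and the destination on the way back, the `(outside,inside)` line does the mirror image, and the identity static to the DMZ matches 10.1.1.3 in both directions while a host not covered by any static (10.1.1.4) gets no translation at all.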
