07-09-2011 06:49 PM - edited 03-11-2019 01:56 PM
Guys, my head will explode. Can someone please tell me the solution? I want to do static NAT (one-to-one, of course).
My real internal IP is, for example, 132.1.1.X. I want to NAT it to 10.1.1.1/32 for a server, coming from a client (not the internet) at 10.25.1.1/32.
Internal IP 132.1.1.X ------> NAT to 10.1.1.1/32 (this subnet doesn't exist on any interface) -------> 10.25.1.1 external IP
I have seen lots of examples on Cisco websites, but none explain it this way. They all explain one-to-one as in my example, 132.1.1.X will NAT to 10.25.1.1.
That's easy; I need the above scenario.
Thanks guys, hope some guru will help me.
Thanks
07-10-2011 05:31 AM
Here we go:
object network obj-132.1.1.x
host 132.1.1.x
object network obj-10.1.1.1
host 10.1.1.1
object network obj-10.25.1.1
host 10.25.1.1
nat (inside,outside) source static obj-132.1.1.x obj-10.1.1.1 destination static obj-10.25.1.1 obj-10.25.1.1
So an internal host with IP address 132.1.1.x, when trying to access 10.25.1.1, will be NATed to 10.1.1.1.
07-10-2011 06:12 AM
Thank you very much for your help; it's good that someone is out there with good knowledge :-) I am still confused,
so what will this do?
hostname(config)# object network obj-132.1.1.x_DNS
hostname(config-network-object)# host 132.1.1.x
hostname(config-network-object)# nat (inside,outside) static 10.1.1.1
access-list outsidein extended permit tcp host 10.237.64.1 host 132.1.1.X   ! real IP
access-group outsidein in interface outside
I have read this from Cisco. I need some help as I'm really struggling.
07-11-2011 05:29 AM
hostname(config)# object network obj-132.1.1.x_DNS
hostname(config-network-object)# host 132.1.1.x
hostname(config-network-object)# nat (inside,outside) static 10.1.1.1
The above is just a simple NAT, i.e. the inside host with IP address 132.1.1.x gets NATed to 10.1.1.1, no matter where the destination is.
If you are familiar with the old NAT feature, it's the same as:
static (inside,outside) 10.1.1.1 132.1.1.x netmask 255.255.255.255
07-11-2011 05:54 AM
Thanks Jennifer
So the example you gave was source static. I just want to know the difference between the two, as the commands are really different.
I want that when someone from the client tries to access my 132.1.1 address, the address gets NATed to 10.1.1.1, so I will tell the client that the address is 10.1.1.1 rather than the original address. So in that scenario which NAT should I use, mine or yours? And please tell me the difference between mine and yours.
Thanks heaps
07-11-2011 06:27 AM
There are 2 types of NAT on ASA version 8.3 and above:
1) Object NAT
2) Twice NAT
Network Object NAT is a simple NAT.
Twice NAT is policy NAT.
With my example, you will only use that if you need to NAT the source only when going to a specific destination. That is why you can see that in my example there is a destination object as well.
If you just want to NAT the source host and it doesn't matter what the destination is (i.e. the destination is anything), then you can use your NAT example.
If you need to be very specific in your NAT statement (i.e. policy NAT), then you will use Twice NAT (i.e. my example).
If you need a generic NAT statement, then you can use Network Object NAT (i.e. your example).
Here are the configuration guides on both NATs for your reference:
Network Object NAT:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html
Twice NAT:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_rules.html
Hope it makes sense.
07-12-2011 07:19 AM
Thanks Jennifer for such a brief and excellent reply, you deserve 10/10. My last question/confusion is: if we do the NAT, yours or mine, is it for the client coming from outside to access our server, or does this also apply when our original server initiates a connection to outside? As I am thinking about the access-list, should I put it
access-list outsidein in interface outside
as I am confused between
nat (inside,outside)
nat (outside,inside)
Actually I need both: if my server initiates, or someone initiates from outside to this.
Thanks heaps (I guess this will solve my problem and I can implement it straight away).
Just to let you know, we have dynamic NAT enabled,
0.0.0.0 0.0.0.0 which is dynamically translated to 10.30.0.0/24 towards outside (but that is for users, not servers).
Thanks again
07-12-2011 06:27 PM
You don't have to worry about the NAT statement when it's static NAT, because static NAT is bidirectional.
So you only need to configure nat (inside,outside), and traffic can be initiated from inside to outside or from outside to inside.
Traffic that is initiated from outside will require an access-list to allow the inbound connection. Without the ACL, it will not be able to initiate an inbound connection.
Traffic that is initiated from inside to outside does not require any ACL by default; however, if you have implemented an ACL to restrict outbound access, then you would need to explicitly allow those too.
07-12-2011 06:38 PM
Hi Jennifer
The best explanation I have ever received. Thank you so much for your time, you are the best.
07-12-2011 06:40 PM
Thanks for that
07-13-2011 01:51 AM
Hi Jennifer, thanks again. I will be adding these rules tonight.
Second thing is that multiple servers from the client will be accessing this server for FTP,
so if I create the following
hostname(config)# object network obj-132.1.1.1
hostname(config-network-object)# host 132.1.1.1
hostname(config-network-object)# nat (inside,outside) static 10.1.1.1
hostname(config)# object-group network client_server
hostname(config-network-object-group)# network-object object A   ! will create three, one per client server
hostname(config-network-object-group)# network-object object B
hostname(config-network-object-group)# network-object object C
hostname(config)# access-list outsidein extended permit tcp object-group client_server host 132.1.1.1 eq ftp
hostname(config)# access-group outsidein in interface outside
Will that work? As static NAT is one-to-one, I'm just wondering, if three servers connect to it simultaneously, will that work,
or would the static NAT have to be different for every server?
:-) Sorry, I am a bit dumb.
thanks heaps
07-13-2011 01:55 AM
No, you are absolutely right on the money.
You will only need 1 static NAT and it will allow multiple connections towards the server.
07-13-2011 07:16 AM
Thanks again... but then it's not static NAT, as static is one-to-one, right??? Is it one-to-many then??? This NAT is not letting me sleep properly :-)
In my above config, four servers of the customer,
e.g.
192.168.1.1 will initiate an FTP connection --------> 10.1.1.1 (NAT on my firewall) ----------> 132.1.1.1 real IP
192.168.1.2
192.168.1.3
192.168.1.4
So will it still be called static NAT? How will the firewall keep track of four systems using one IP (i.e. the NAT), as in PAT there are port numbers?
Thanks again Jen
07-14-2011 12:25 AM
The NAT (translation) itself is one-to-one, because you are only translating 1 IP address, i.e. from
132.1.1.x to 10.1.1.1 and vice versa. However, how many clients are trying to reach that static NAT translation does not matter, because we are not translating the clients. From your example above: we are not translating 192.168.1.1, or .2, .3 or .4. The IP address that we translate is just one, i.e. from 132.1.1.x to 10.1.1.1.
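Putting the bidirectional static NAT answer, the inbound ACL and the multi-client FTP question together, here is a complete configuration for the scenario in this thread. It is an added example, not configuration from the original posts or from Cisco: the interface names inside/outside, the object, object-group and ACL names, and the four 192.168.1.x client hosts taken from the later post are assumptions, and it is written for ASA 8.3 or later syntax.

```cisco
! --- Real server and its mapped address (names are assumed) ---
object network obj-server-real
 host 132.1.1.1
 ! Network Object NAT: 132.1.1.1 <-> 10.1.1.1 whatever the destination is.
 ! Static NAT is bidirectional: the same rule untranslates inbound packets
 ! addressed to 10.1.1.1 back to 132.1.1.1, so no (outside,inside) rule is needed.
 nat (inside,outside) static 10.1.1.1

! --- The client's four servers (addresses from the later post) ---
object-group network client_servers
 network-object host 192.168.1.1
 network-object host 192.168.1.2
 network-object host 192.168.1.3
 network-object host 192.168.1.4

! --- Alternative: Twice NAT, translate only towards those four clients ---
! Configure EITHER the object NAT above OR this rule, not both.
! object network obj-server-mapped
!  host 10.1.1.1
! nat (inside,outside) source static obj-server-real obj-server-mapped destination static client_servers client_servers

! --- Inbound ACL for connections initiated from outside ---
! On ASA 8.3+ the ACL is matched against the REAL (untranslated) address
! 132.1.1.1, even though the clients connect to 10.1.1.1.
! One static translation serves all four clients: each client connection is
! a separate entry in the connection table (client IP/port, server IP/port),
! only the server address is rewritten.
access-list outsidein extended permit tcp object-group client_servers host 132.1.1.1 eq ftp
access-group outsidein in interface outside

! --- Verification ---
show nat detail
show xlate
show conn address 132.1.1.1
packet-tracer input outside tcp 192.168.1.1 40000 10.1.1.1 21
```

The packet-tracer line simulates a client SYN as it arrives on the outside interface, so it is sent to the mapped address 10.1.1.1; the trace should show the NAT phase untranslating it to 132.1.1.1 and the ACL phase permitting it. For FTP, the data channel is opened by the default `inspect ftp` in the global policy; if that inspection has been removed, passive-mode data connections to the server will need their own ACL entries.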