02-02-2010 07:40 PM - edited 03-11-2019 10:04 AM
when using static identity NATs, what is the best way to describe or read the actual statement. exp:
02-02-2010 08:26 PM
Well, the 10.1.1.0/24 is the global address that the firewall is proxy arp for on the outside interface.
If the router on the outside asks "who has 10.1.1.x tell me" the firewall will say "I do. Send to me"
static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
let me change it as
static (inside,outside) FAKE REAL netmask 255.255.255.0 --- FW will proxy arp for the global/FAKE address on the outside interface.
When traffic arrives on the outside to the FAKE address it is sent to the REAL address on the inside interface.
When the REAL ip from the inside wants to go outside, it will look like the FAKE address on the outside.
In your case the FAKE address is the same as the REAL address and that is called identity NAT.
-KS
02-03-2010 03:27 AM
bruce.summers wrote:
when using static identity NATs, what is the best way to describe or read the actual statement. exp:
static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
I read this as follows: when traffic is inbound (outside interface) the interface "inside" answers for subnet 10.1.1.0 when traffic is inbound from the outside interface...is that accurate?
thanks
bruce
Bruce
Just to add a different way of looking at it -
static NAT is bidirectional so I read it as follows -
1) when a packet with a source IP of 10.1.1.x arrives on the inside interface of the firewall and the destination IP address is routed via the outside interface then leave the source IP unchanged and send the packet out of the outside interface
2) when a packet with a destination IP of 10.1.1.x arrives on the outside interface of the firewall, leave the destination ip address the same and send the packet out of the inside interface
Jon
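To make KS's FAKE/REAL wording and Jon's two-direction reading concrete, here is a small added example (not from this thread or from Cisco) that parses a `static (real_if,mapped_if) MAPPED REAL netmask MASK` line and applies it to a packet in each direction; the interface names, addresses and the `translate` helper are assumptions for illustration, and the identity case is the one where MAPPED equals REAL so nothing changes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticNat:
    """One ASA-style 'static (real_if,mapped_if) MAPPED REAL netmask MASK' rule."""
    real_if: str
    mapped_if: str
    mapped: ipaddress.IPv4Network  # the FAKE/global side, proxy-ARPed on mapped_if
    real: ipaddress.IPv4Network    # the REAL/local side behind real_if


def parse_static(line: str) -> StaticNat:
    # e.g. "static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0"
    parts = line.split()
    if len(parts) != 6 or parts[0] != "static" or parts[4] != "netmask":
        raise ValueError(f"unrecognised static statement: {line!r}")
    real_if, mapped_if = parts[1].strip("()").split(",")
    mapped = ipaddress.IPv4Network(f"{parts[2]}/{parts[5]}")
    real = ipaddress.IPv4Network(f"{parts[3]}/{parts[5]}")
    return StaticNat(real_if, mapped_if, mapped, real)


def _shift(addr, src_net, dst_net):
    # Static NAT is one-to-one: keep the host offset, swap the network part.
    offset = int(addr) - int(src_net.network_address)
    return str(ipaddress.IPv4Address(int(dst_net.network_address) + offset))


def translate(rule: StaticNat, in_if: str, src: str, dst: str):
    """Apply the rule to a packet arriving on in_if; return (out_if, src, dst),
    or None when the rule does not match the packet (hypothetical helper)."""
    src_a, dst_a = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if in_if == rule.real_if and src_a in rule.real:
        # Direction 1: REAL host going out looks like the MAPPED (FAKE) address outside.
        return rule.mapped_if, _shift(src_a, rule.real, rule.mapped), dst
    if in_if == rule.mapped_if and dst_a in rule.mapped:
        # Direction 2: traffic to the MAPPED address is delivered to REAL on the inside.
        return rule.real_if, src, _shift(dst_a, rule.mapped, rule.real)
    return None


def is_identity(rule: StaticNat) -> bool:
    # Identity NAT: MAPPED and REAL are the same network, so addresses pass unchanged.
    return rule.mapped == rule.real
```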