03-22-2019 01:07 AM - edited 02-21-2020 08:58 AM
Hi to all,
On the basis of a re-certification I have been dealing with the NAT topic more intensively over the last few days, and I'd like to ask the following question. I want to implement the following static PAT for Telnet access from external to the outside IP 200.200.200.200 (inside IP of Server01 = 192.168.1.4).
Because in object NAT (Auto NAT) only a single NAT statement can be used per object, I'd have to create an object for each port to be forwarded (it is for the same internal host), so I'd like to know whether I can accomplish that task with the respective configurations and whether there are any advantages or disadvantages between them...
(1)
object network obj-host-200.200.200.200_TCP-23
host 200.200.200.200
!
object network obj-host-200.200.200.200_TCP-2323
host 200.200.200.200
!
object network obj-host-192.168.1.4_TCP-23
host 192.168.1.4
nat (inside,outside) static obj-host-200.200.200.200_TCP-23 service tcp 23 23
!
object network obj-host-192.168.1.4_TCP-2323
host 192.168.1.4
! service tcp <real_port> <mapped_port>: inside port 23 is presented as 2323 on 200.200.200.200
nat (inside,outside) static obj-host-200.200.200.200_TCP-2323 service tcp 23 2323
Or maybe this also works?
object network obj-host-200.200.200.200
host 200.200.200.200
!
object network obj-host-192.168.1.4_TCP-23
host 192.168.1.4
nat (inside,outside) static obj-host-200.200.200.200 service tcp 23 23
!
object network obj-host-192.168.1.4_TCP-2323
host 192.168.1.4
! service tcp <real_port> <mapped_port>: inside port 23 is presented as 2323 on 200.200.200.200
nat (inside,outside) static obj-host-200.200.200.200 service tcp 23 2323
versus
(2)
object service TCP-23
service tcp destination eq 23
!
object service TCP-2323
service tcp destination eq 2323
!
!
object network obj-host-192.168.1.4
host 192.168.1.4
!
object network obj-host-200.200.200.200
host 200.200.200.200
!
!
nat (outside,inside) source static any any destination static obj-host-200.200.200.200 obj-host-192.168.1.4 service TCP-23 TCP-23
nat (outside,inside) source static any any destination static obj-host-200.200.200.200 obj-host-192.168.1.4 service TCP-2323 TCP-23
03-23-2019 08:17 AM
The main difference between manual NAT and after-auto manual NAT versus object NAT is the way NAT statements are matched. In manual NAT and after-auto manual NAT, statements are matched in a top-down fashion, while in object NAT, statements are matched on the longest prefix match.
As for your configuration examples: I am not sure why you are creating two objects for both 200.200.200.200 and 192.168.1.4. The object just needs to be created once, and then you can reuse it in several NAT statements if wanted. But your configuration looks correct.
As for your manual NAT statements: here I disagree with using outside NAT statements unless there is a very good reason for doing so. Your NAT statements should be sourced from inside to outside. If you have configured outside NAT incorrectly, you could also see some unexpected behavior depending on how your network is set up.
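An inside-sourced manual (twice) NAT equivalent of configuration (2), written the way the reply recommends, together with the commands used to check the result. This is an added example and is not part of the original post or the reply; it reuses the thread's addresses and object names, and the outside client address 198.51.100.7 in the packet-tracer line is an assumed documentation-range address, not something from the thread.

```text
! Added example (not from the thread): the two port forwards as
! inside-sourced twice NAT instead of outside NAT.
!
! For a source translation in manual NAT the service objects carry a
! *source* port, not a destination port: the first object is the real
! source port, the second is the mapped source port.
object service TCP-23-src
 service tcp source eq 23
!
object service TCP-2323-src
 service tcp source eq 2323
!
object network obj-host-192.168.1.4
 host 192.168.1.4
!
object network obj-host-200.200.200.200
 host 200.200.200.200
!
! Real 192.168.1.4:23 <-> mapped 200.200.200.200:23
nat (inside,outside) source static obj-host-192.168.1.4 obj-host-200.200.200.200 service TCP-23-src TCP-23-src
! Real 192.168.1.4:23 <-> mapped 200.200.200.200:2323
! Outbound connections that 192.168.1.4 opens from source port 23 match the
! first rule (top down); this second rule is what untranslates inbound
! 200.200.200.200:2323 to 192.168.1.4:23.
nat (inside,outside) source static obj-host-192.168.1.4 obj-host-200.200.200.200 service TCP-23-src TCP-2323-src
!
! The NAT rule does not permit the traffic by itself. Since ASA 8.3 the
! interface access list is written against the real (untranslated) address:
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.4 eq 23
access-group OUTSIDE_IN in interface outside
!
! Checks. Manual NAT rules are listed in Section 1 of the table and are
! evaluated top down, object NAT rules in Section 2, after-auto rules in
! Section 3:
show nat detail
!
! Trace an inbound connection from the assumed outside client to the mapped
! port 2323: the NAT phase should untranslate the destination to
! 192.168.1.4/23 and the access-list phase should allow it.
packet-tracer input outside tcp 198.51.100.7 40000 200.200.200.200 2323 detailed
```

The packet-tracer run is the quickest way to confirm which rule a given inbound flow hits and in which section; if the trace shows a different rule than expected, the top-down order of Section 1 is the first thing to check.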
03-29-2019 11:11 PM
Hi @Marius Gunnerud,
first of all, thank you for responding to my questions!
Of course the first statement, about the two objects for both 200.200.200.200 and 192.168.1.4, wouldn't be necessary, but for the second one (see below), the object NAT/PAT (200.200.200.200) is pointing back with two different TCP ports, is it not?
object network obj-host-192.168.1.4_TCP-23
host 192.168.1.4
nat (inside,outside) static obj-host-200.200.200.200 service tcp 23 23
!
object network obj-host-192.168.1.4_TCP-2323
host 192.168.1.4
! service tcp <real_port> <mapped_port>: inside port 23 is presented as 2323 on 200.200.200.200
nat (inside,outside) static obj-host-200.200.200.200 service tcp 23 2323
About the manual NAT: is there any official Cisco recommendation for doing NAT sourced only from inside->outside, or is this your personal experience? Maybe you can point out some unexpected behaviors from your knowledge that could be caused?