Understanding difference between these two NAT statements

Madura Malwatte
Level 4

I am just trying to understand the difference between the below two NAT statements. As far as I can tell, both seem identical?

Number 1 allows any outside IP to hit the public IP of the FTD, 104.4.4.4, on port 80, which gets translated to a destination of web_server port 80.

Number 2 translates the web_server port 80 to public 104.4.4.4 port 80, so anyone from outside can hit 104.4.4.4 and access the web server.

What's the difference between these two? Am I missing something?


Screen Shot 2019-11-12 at 2.02.28 am.jpg

4 Replies

Marvin Rhoads
Hall of Fame

Neither one is the recommended configuration.

In the first case the logic is "outside,inside". You have both an original service and the http application specified. In the second case, the logic is "inside,outside", but it specifies the service as only tcp/80. So if the web server was trying to reach the Internet for any other services, it would not hit the NAT rule and would instead use whatever global NAT (if any) you have configured.

Recommended would be to have an "inside,outside" NAT rule (ideally using a DMZ and not the whole inside network to limit exposure). Combine that with an Access Control Policy entry allowing the incoming traffic via http application only.
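To make the fall-through behaviour described above concrete, here is a small added simulation (written for this thread, not Cisco code and not the real FTD/ASA NAT algorithm, which also has rule sections and auto-NAT ordering). It models rule 2 from the screenshot as a bidirectional static NAT scoped to tcp/80, followed by an optional catch-all global PAT; the inside address 10.0.0.10, the outside interface address 203.0.113.1 and the remote hosts are constructed values.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src_if dst_if src_ip dst_ip proto sport dport")  # constructed, not Cisco's

class StaticNat:
    """Bidirectional static NAT: real_ip on real_if is seen as mapped_ip on mapped_if."""
    def __init__(self, real_if, mapped_if, real_ip, mapped_ip, service=None):
        self.real_if, self.mapped_if = real_if, mapped_if
        self.real_ip, self.mapped_ip = real_ip, mapped_ip
        self.service = service  # (proto, real port) or None for every port
    def translate(self, f):
        outbound = (f.src_if, f.dst_if, f.src_ip) == (self.real_if, self.mapped_if, self.real_ip)
        inbound = (f.src_if, f.dst_if, f.dst_ip) == (self.mapped_if, self.real_if, self.mapped_ip)
        if not (outbound or inbound):
            return None
        if self.service is not None:
            # The service is matched on the real host's port: source port outbound, destination inbound.
            proto, port = self.service
            if f.proto != proto or (f.sport if outbound else f.dport) != port:
                return None
        return f._replace(src_ip=self.mapped_ip) if outbound else f._replace(dst_ip=self.real_ip)

class DynamicPat:
    """Catch-all global rule: anything from src_if towards dst_if is PATed to interface_ip."""
    def __init__(self, src_if, dst_if, interface_ip):
        self.src_if, self.dst_if, self.interface_ip = src_if, dst_if, interface_ip
    def translate(self, f):
        if (f.src_if, f.dst_if) != (self.src_if, self.dst_if):
            return None
        return f._replace(src_ip=self.interface_ip)

def apply_nat(rules, f):
    """First matching rule wins; None means no rule matched and the flow leaves untranslated."""
    for rule in rules:
        out = rule.translate(f)
        if out is not None:
            return out
    return None

# Rule 2 from the thread: web_server tcp/80 <-> 104.4.4.4 tcp/80 on (inside,outside),
# then a global PAT to the outside interface. All IPs except 104.4.4.4 are constructed.
WEB_STATIC = StaticNat("inside", "outside", "10.0.0.10", "104.4.4.4", ("tcp", 80))
GLOBAL_PAT = DynamicPat("inside", "outside", "203.0.113.1")
INBOUND_HTTP = Flow("outside", "inside", "198.51.100.5", "104.4.4.4", "tcp", 51000, 80)
SERVER_UPDATE = Flow("inside", "outside", "10.0.0.10", "198.51.100.9", "tcp", 40000, 443)

if __name__ == "__main__":
    print(apply_nat([WEB_STATIC, GLOBAL_PAT], INBOUND_HTTP))   # dst_ip rewritten to 10.0.0.10
    print(apply_nat([WEB_STATIC, GLOBAL_PAT], SERVER_UPDATE))  # src_ip becomes 203.0.113.1, not 104.4.4.4
    print(apply_nat([WEB_STATIC], SERVER_UPDATE))              # None: no global rule, so untranslated
```

The second and third calls are the point: the server's outbound tcp/443 connection never matches the tcp/80 static rule, so it is sourced from the interface PAT when one exists and leaves with its private address when none does.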


Hi @Marvin Rhoads, thanks for the response. This was just an example, and understood about the best practice to NAT from the DMZ.

However, in terms of the two NAT statements, is there a recommended way to configure it, "outside,dmz" or "dmz,outside", if we are trying to reach a web service in the DMZ from the public side?

Referring to the image, I see no difference in what these NAT statements will do, but which way is the recommended way to configure it? I will have ACP rules to only permit public access to the DMZ server on HTTP.

nat test.jpg

"dmz,outside" would be the recommended method and the way I have used and seen used on 99% of the hundreds of ASA and FTD deployments I've done.

Hi Marvin,

Thanks for confirming.
