nat (inside,outside) source dynamic NAT-POOL interface destination static obj-10.5.5.0 obj-10.5.5.0

Nitesh_A
Level 1

nat (inside,outside) source dynamic NAT-POOL interface destination static obj-10.5.5.0 obj-10.5.5.0 ---> meaning

nat (real int,mapped int) source dynamic (real source) (mapped source) destination static (real dest) (mapped dest)

What I understood from the above NAT statement is:

1) It performs dynamic PAT between the "inside" interface and the "outside" interface.

2) It performs PAT only when the source network is from NAT-POOL and the destination is obj-10.5.5.0.

3) If a source from NAT-POOL connects to the remote obj-10.5.5.0, it will use the IP address of the "outside" interface for the dynamic PAT translation.

NAT-POOL consists of

10.7.7.0/24

obj-10.5.5.0 consists of

10.5.5.0/24

On my firewall, below is the NAT statement.

Manual NAT Policies (Section 1)

nat (inside,outside) source dynamic NAT-POOL interface destination static obj-10.5.5.0 obj-10.5.5.0

!

Auto NAT Policies (Section 2)

object network obj-10.7.7.190
nat (inside,outside) static 10.5.5.190

!


My question is: what if the source is 10.5.5.5 (or any other IP from 10.5.5.0/24) and the destination is 10.7.7.190?

It must be matching the Section 1 NAT; that's why I am getting the rpf-check drop below. But I am not sure how this NAT is being checked.

The firewall is dropping this:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source dynamic NAT-POOL interface destination static obj-10.5.5.0 obj-10.5.5.0
Additional Information:

Many Thanks in advance.
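As an added illustration (not from the post, and not Cisco code), the script below decomposes a Section 1 twice-NAT statement into the real/mapped fields of the template quoted in the question and checks whether a given flow falls inside the rule's real-side objects. The object contents are the ones stated in the post (NAT-POOL = 10.7.7.0/24, obj-10.5.5.0 = 10.5.5.0/24); the function names parse_twice_nat, describe and forward_match are mine, and the flow check is a simplified forward-direction model only. It does not reproduce the ASA's reverse lookup, so it does not explain the rpf-check result by itself; it only shows which flows the statement's real source and destination actually cover.

```python
"""Decompose an ASA Section 1 (twice) NAT statement into the template quoted
in the post,

    nat (real_if,mapped_if) source {dynamic|static} <real_src> <mapped_src>
        [destination static <real_dst> <mapped_dst>]

and check whether a flow falls inside the rule's real-side objects.
Added illustration, not Cisco code.  The object contents below are the ones
given in the post; the flow check is a simplified forward-direction model only
and does not reproduce the ASA's reverse lookup (the rpf-check phase).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Network objects as defined in the post (name -> CIDR).
OBJECTS = {
    "NAT-POOL": "10.7.7.0/24",
    "obj-10.5.5.0": "10.5.5.0/24",
}

# Grammar covered: the source clause plus an optional 'destination static' clause.
NAT_RE = re.compile(
    r"^nat\s*\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"source\s+(?P<src_type>dynamic|static)\s+(?P<real_src>\S+)\s+(?P<mapped_src>\S+)"
    r"(?:\s+destination\s+static\s+(?P<real_dst>\S+)\s+(?P<mapped_dst>\S+))?\s*$"
)


@dataclass
class TwiceNat:
    real_if: str
    mapped_if: str
    src_type: str            # dynamic or static
    real_src: str
    mapped_src: str          # 'interface' = PAT to the mapped interface address
    real_dst: Optional[str]  # None when the statement has no destination clause
    mapped_dst: Optional[str]

    @property
    def dest_is_identity(self) -> bool:
        """True when real and mapped destination are the same object, i.e. the
        destination is matched on but left untranslated."""
        return self.real_dst is not None and self.real_dst == self.mapped_dst


def parse_twice_nat(line: str) -> TwiceNat:
    m = NAT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a twice-NAT statement: {line!r}")
    return TwiceNat(**{k: (v.strip() if v else None) for k, v in m.groupdict().items()})


def describe(rule: TwiceNat) -> str:
    """Plain-English reading of the rule, in the terms used in the post."""
    if rule.src_type == "dynamic":
        kind = "dynamic PAT" if rule.mapped_src == "interface" else "dynamic NAT"
    else:
        kind = "static NAT"
    target = (f"the {rule.mapped_if} interface address"
              if rule.mapped_src == "interface" else rule.mapped_src)
    text = f"{rule.real_if}->{rule.mapped_if}: {kind} of {rule.real_src} to {target}"
    if rule.real_dst is not None:
        text += f" when the destination is {rule.real_dst}"
        text += (" (destination left unchanged)" if rule.dest_is_identity
                 else f" (destination translated to {rule.mapped_dst})")
    return text


def _network(name: str) -> ipaddress.IPv4Network:
    if name == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(OBJECTS[name])


def forward_match(rule: TwiceNat, src: str, dst: str) -> bool:
    """Does a packet from src to dst fall within the rule's real source and real
    destination objects?  Simplified model of the forward direction only."""
    if ipaddress.ip_address(src) not in _network(rule.real_src):
        return False
    if rule.real_dst is None:
        return True
    return ipaddress.ip_address(dst) in _network(rule.real_dst)


if __name__ == "__main__":
    rule = parse_twice_nat(
        "nat (inside,outside) source dynamic NAT-POOL interface "
        "destination static obj-10.5.5.0 obj-10.5.5.0"
    )
    print(describe(rule))
    # The flow the post describes (NAT-POOL host to the remote subnet) versus the
    # flow the poster asks about (remote subnet host to 10.7.7.190).
    for src, dst in (("10.7.7.50", "10.5.5.5"), ("10.5.5.5", "10.7.7.190")):
        print(f"{src} -> {dst}: real-side match = {forward_match(rule, src, dst)}")
```

Run stand-alone it prints the reading of the rule (dynamic PAT of NAT-POOL to the outside interface address, destination obj-10.5.5.0 left unchanged) and shows that a 10.7.7.x to 10.5.5.x flow sits inside the rule's real-side objects while 10.5.5.5 to 10.7.7.190 does not, because 10.5.5.5 is not in NAT-POOL.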
1 Reply

chadbaird2431
Level 1

I'm not sure what you're trying to do; it seems like you're trying to use a pool for the outside IP. Let's take it back a notch and just make a simple NAT to allow traffic out. You have two NATs. Remove the auto NAT on the network object, OR add it back and remove the manual NAT. One or the other.

Manual NAT Policies (Section 1)

nat (inside,outside) source dynamic any interface
(this will NAT the inside network and use the outside interface IP for translations.)

OR - not both -

Auto NAT Policies (Section 2)

object network obj-10.7.7.190
nat (inside,outside) dynamic interface

If you want one machine to have a specific outside IP and it's the only host that lives on that IP, like my mail server, you'd do this and then create the associated ACLs. A NAT and its ACL are like a left and a right hand; they go together. If you want more than one host to share an IP, use an object group in the NAT statement. The FW will track the connections, as seen by 'sh xlate'.

nat (servers,outside) source static obj_inside_host obj_Public.ip.address

access-list outside_access_in extended deny tcp any host 172.16.6.115 eq 445
access-list outside_access_in extended deny tcp any host 172.16.6.115 eq 3389
access-list outside_access_in extended deny icmp any host 172.16.6.115
access-list outside_access_in extended deny udp any host 172.16.6.115 eq 389
access-list outside_access_in extended deny tcp any host 172.16.6.115 eq ldap
access-list outside_access_in extended permit tcp any host 172.16.6.115 eq smtp
access-list outside_access_in extended permit tcp any host 172.16.6.115 eq 587
access-list outside_access_in extended permit tcp any host 172.16.6.115 eq https
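The reply's point that a NAT and its ACL go together, and that the deny lines above the permits matter, as an added example that is not part of the reply and not Cisco code: a small first-match evaluator run over the ACL lines quoted above. It models only the ACE forms that appear in those lines (protocol, "any" source, "host" destination, optional "eq port") plus the implicit deny at the end of every ASA access list; the names parse_acl, evaluate and check_mail_server are mine, and the port names ldap, smtp and https are resolved to 389, 25 and 443.

```python
"""First-match evaluation of the outside_access_in ACL quoted in the reply.
Added illustration, not Cisco code: it models only the 'extended' ACE forms that
appear in those lines (protocol, 'any' source, 'host' destination, optional
'eq <port>') plus the implicit deny that ends every ASA access list.
"""
import re
from typing import List, Optional, Tuple

# The ACL lines exactly as quoted in the reply.
ACL_TEXT = """\
access-list outside_access_in extended deny tcp any host 172.16.6.115 eq 445
access-list outside_access_in extended deny tcp any host 172.16.6.115 eq 3389
access-list outside_access_in extended deny icmp any host 172.16.6.115
access-list outside_access_in extended deny udp any host 172.16.6.115 eq 389
access-list outside_access_in extended deny tcp any host 172.16.6.115 eq ldap
access-list outside_access_in extended permit tcp any host 172.16.6.115 eq smtp
access-list outside_access_in extended permit tcp any host 172.16.6.115 eq 587
access-list outside_access_in extended permit tcp any host 172.16.6.115 eq https
"""

# Port names the ASA accepts in place of numbers, for the names used above.
PORT_NAMES = {"ldap": 389, "smtp": 25, "https": 443}

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp|icmp)\s+any\s+host\s+(?P<dst>\d+(?:\.\d+){3})"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

Ace = Tuple[str, str, str, Optional[int]]  # (action, proto, dst_host, port or None)


def parse_acl(text: str) -> List[Ace]:
    """Parse the supported ACE forms, keeping the configured order."""
    aces: List[Ace] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported ACE form: {line!r}")
        port_txt = m.group("port")
        port = None
        if port_txt is not None:
            port = PORT_NAMES[port_txt] if port_txt in PORT_NAMES else int(port_txt)
        aces.append((m.group("action"), m.group("proto"), m.group("dst"), port))
    return aces


def evaluate(aces: List[Ace], proto: str, dst: str, port: Optional[int] = None) -> str:
    """Return the action of the first ACE that matches the packet.  If nothing
    matches, the ASA's implicit deny at the end of the list applies."""
    for action, ace_proto, ace_dst, ace_port in aces:
        if ace_proto != proto or ace_dst != dst:
            continue
        if ace_port is not None and ace_port != port:
            continue
        return action
    return "deny"


def check_mail_server(aces: List[Ace]) -> dict:
    """Summarise what reaches the mail server: the deny lines fire first, the
    permits next, and anything else (e.g. tcp/8080) is dropped by implicit deny."""
    return {
        "tcp/25": evaluate(aces, "tcp", "172.16.6.115", 25),
        "tcp/443": evaluate(aces, "tcp", "172.16.6.115", 443),
        "tcp/445": evaluate(aces, "tcp", "172.16.6.115", 445),
        "tcp/389": evaluate(aces, "tcp", "172.16.6.115", 389),
        "udp/389": evaluate(aces, "udp", "172.16.6.115", 389),
        "tcp/8080": evaluate(aces, "tcp", "172.16.6.115", 8080),
        "icmp": evaluate(aces, "icmp", "172.16.6.115"),
    }


if __name__ == "__main__":
    for flow, verdict in check_mail_server(parse_acl(ACL_TEXT)).items():
        print(f"{flow:>9}: {verdict}")
```

Note that the explicit deny lines for 445, 3389, 389 and ICMP are not strictly needed for the result, since anything not permitted is dropped anyway; they do make the intent visible in the config and give those drops their own hit counters in "show access-list".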