02-04-2021 11:19 PM - edited 02-04-2021 11:34 PM
nat (inside,outside) source dynamic NAT-POOL interface destination static obj-10.5.5.0 obj-10.5.5.0 ---> meaning:
nat (real interface,mapped interface) source dynamic (real source) (mapped source) destination static (real destination) (mapped destination)
What I understood from the above NAT statement is:
1) It performs dynamic PAT between the "inside" interface and the "outside" interface.
2) It performs PAT only when the source network is from NAT-POOL and the destination is obj-10.5.5.0.
3) If a source from NAT-POOL connects to the remote obj-10.5.5.0, it will use the IP address of the "outside" interface for the dynamic PAT translation.
NAT-POOL consists of 10.7.7.0/24
obj-10.5.5.0 consists of 10.5.5.0/24
On my firewall, below is the NAT statement.
Manual NAT Policies (Section 1)
nat (inside,outside) source dynamic NAT-POOL interface destination static obj-10.5.5.0 obj-10.5.5.0
!
Auto NAT Policies (Section 2)
object network obj-10.7.7.190
nat (inside,outside) static 10.5.5.190
!
My question is: what if the source is 10.5.5.5 (or any other IP from 10.5.5.0/24) and the destination is 10.7.7.190?
It must be matching the Section 1 NAT; that's why I am getting the rpf-check drop below. But I am not sure how this NAT is being checked.
The firewall is dropping this:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source dynamic NAT-POOL interface destination static obj-10.5.5.0 obj-10.5.5.0
Additional Information:
Many thanks in advance.
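To reason through the rpf-check drop, here is an added Python model (not Cisco ASA code, and not from either poster) of the two rules in the question and the order the ASA evaluates them: Section 1 (manual NAT) before Section 2 (auto NAT). It un-NATs an inbound packet, then works out how the reply would be translated and checks that the reply's mapped source is the address the outside host sent to, which is what the rpf-check phase verifies. The object names and subnets are the thread's; the outside interface address 10.5.5.1, the object name mapped-10.5.5.190 and the simplified matching logic are assumptions of this model.

```python
# Added illustrative model, not Cisco ASA code. It reproduces the thread's two
# NAT rules and the order the ASA applies them (Section 1 before Section 2) so
# the rpf-check drop can be reasoned through. Objects/subnets are from the
# thread; the outside interface address 10.5.5.1 is a constructed assumption.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional

OBJECTS = {
    "NAT-POOL": ip_network("10.7.7.0/24"),
    "obj-10.5.5.0": ip_network("10.5.5.0/24"),
    "obj-10.7.7.190": ip_network("10.7.7.190/32"),
    "mapped-10.5.5.190": ip_network("10.5.5.190/32"),  # mapped side of the auto NAT (constructed name)
}
OUTSIDE_IF_IP = ip_address("10.5.5.1")  # what "interface" resolves to (assumed)


@dataclass
class NatRule:
    section: int                 # 1 = manual (twice) NAT, 2 = auto (object) NAT
    real_if: str
    mapped_if: str
    real_src: str                # object name
    mapped_src: str              # object name, or "interface" for dynamic PAT
    dynamic: bool
    real_dst: Optional[str] = None    # twice NAT only; None means any
    mapped_dst: Optional[str] = None


def _matches(obj: Optional[str], addr: IPv4Address) -> bool:
    return obj is None or addr in OBJECTS[obj]


def _host_of(obj: str, addr: IPv4Address) -> IPv4Address:
    # A /32 object maps to that single host; the thread's other static
    # translation is identity (obj-10.5.5.0 -> obj-10.5.5.0), so keep addr.
    net = OBJECTS[obj]
    return net.network_address if net.prefixlen == 32 else addr


def forward(rules, ingress, src, dst):
    """Real -> mapped for a packet entering on the real interface: the first
    rule, walking Section 1 then Section 2, whose real side matches wins."""
    for r in rules:
        if r.real_if == ingress and _matches(r.real_src, src) and _matches(r.real_dst, dst):
            mapped = OUTSIDE_IF_IP if r.mapped_src == "interface" else _host_of(r.mapped_src, src)
            return mapped, r
    return src, None


def un_nat(rules, ingress, src, dst):
    """Mapped -> real for a packet entering on the mapped interface."""
    for r in rules:
        if r.dynamic or r.mapped_if != ingress:
            continue  # dynamic PAT cannot be initiated from the mapped side
        if dst in OBJECTS[r.mapped_src] and _matches(r.mapped_dst, src):
            return _host_of(r.real_src, dst), r
    return dst, None


def rpf_check(rules, ingress, egress, src, dst):
    """Mimic packet-tracer's NAT/rpf-check for a new inbound connection:
    un-NAT the destination, then NAT the reply and require that the reply's
    mapped source equals the address the client originally sent to.
    Returns (allowed, un_nat_section, reply_nat_section)."""
    s, d = ip_address(src), ip_address(dst)
    real_dst, in_rule = un_nat(rules, ingress, s, d)
    reply_src_mapped, out_rule = forward(rules, egress, real_dst, s)
    ok = reply_src_mapped == d
    return ok, (in_rule.section if in_rule else None), (out_rule.section if out_rule else None)


# The two rules shown in the question, in ASA evaluation order.
THREAD_RULES: List[NatRule] = [
    NatRule(1, "inside", "outside", "NAT-POOL", "interface", True, "obj-10.5.5.0", "obj-10.5.5.0"),
    NatRule(2, "inside", "outside", "obj-10.7.7.190", "mapped-10.5.5.190", False),
]
AUTO_NAT_ONLY = THREAD_RULES[1:]   # "one or the other": keep only the object NAT


if __name__ == "__main__":
    for name, rules in (("both rules", THREAD_RULES), ("auto NAT only", AUTO_NAT_ONLY)):
        for dst in ("10.5.5.190", "10.7.7.190"):
            ok, in_sec, out_sec = rpf_check(rules, "outside", "inside", "10.5.5.5", dst)
            print(f"{name:14} 10.5.5.5 -> {dst}: {'ALLOW' if ok else 'DROP (rpf-check)'}; "
                  f"un-NAT by section {in_sec}, reply NAT by section {out_sec}")
```

With both rules present, a packet from 10.5.5.5 to the mapped address 10.5.5.190 is un-NATed by Section 2 to 10.7.7.190, but the reply from 10.7.7.190 to 10.5.5.5 is caught first by the Section 1 rule (source in NAT-POOL, destination in obj-10.5.5.0) and would leave from the interface address instead of 10.5.5.190, so the model reports the same rpf-check drop as packet-tracer. With only the object NAT in place, the reply is translated by the same rule that un-NATed the request and the check passes; sending to the real address 10.7.7.190 from outside fails in both configurations, because nothing maps it back.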
03-26-2021 11:19 AM
I'm not sure what you're trying to do; it seems like you're trying to use a pool for the outside IP. Let's take it back a notch and just make a simple NAT to allow traffic out. You have two NATs: remove the auto NAT on the network object, OR add it back and remove the manual NAT; one or the other.
Manual NAT Policies (Section 1)
nat (inside,outside) source dynamic any interface
(This will NAT the inside network and use the outside interface IP for translations.)
OR (not both):
Auto NAT Policies (Section 2)
object network obj-10.7.7.190
nat (inside,outside) dynamic interface
If you want one machine to have a specific outside IP and it's the only host that lives on that IP, like my mail server, you'd do this and then create the associated ACLs. A NAT and its ACL are like a left and a right hand; they go together. If you want more than one host to share an IP, use an object group in the NAT statement. The FW will track the connections, as seen by 'sh xlate'.
nat (servers,outside) source static obj_inside_host obj_Public.ip.address
access-list outside_access_in extended deny tcp any host 172.16.6.115 eq 445
access-list outside_access_in extended deny tcp any host 172.16.6.115 eq 3389
access-list outside_access_in extended deny icmp any host 172.16.6.115
access-list outside_access_in extended deny udp any host 172.16.6.115 eq 389
access-list outside_access_in extended deny tcp any host 172.16.6.115 eq ldap
access-list outside_access_in extended permit tcp any host 172.16.6.115 eq smtp
access-list outside_access_in extended permit tcp any host 172.16.6.115 eq 587
access-list outside_access_in extended permit tcp any host 172.16.6.115 eq https