07-05-2020 07:24 PM
Hi,
I would like to ask about how a packet moves through a NAT network.
I understand basically how to move through a network. I knew that the source MAC never changes in a routing/switching network. As per the diagram below, server2's MAC never changes to reach server1.
If I do inside and outside NAT on the firewall, I am confused: will Server 1's MAC change to the firewall's MAC as the source MAC address to reach server 1?
If I want to restrict access by MAC from server1 to Server2, which MAC should I use?
07-06-2020 12:32 AM
The source and destination MAC addresses will be changed as the packet is decapsulated and encapsulated between different broadcast domains.
Looking at your topology, by the time the packet from server1 arrives at server2, both the original source IP and MAC will have been removed/changed in the headers. The NAT firewall outside IP will probably be used by many translated packets, as will the MAC address of the 'routing FW'. These are not very unique attributes to base an ACL on!
Your best bet would be to create a 1:1 static NAT on the 'NAT FW' to give a unique 'outside' IP address for all traffic streams to and from server1.
cheers,
Seb.
07-05-2020 11:22 PM
Hi there,
In a stream from server1 to server2, the final source MAC address that server2 will see belongs to the 'inside' interface of the 'routing FW'.
Remember that every routing hop will change the source/destination MAC of a frame.
The source/destination IP of a packet will remain the same at each hop, except when NAT is performed: SNAT or DNAT or both. In your case it is the source IP that will be changed to the 'outside' interface of the NAT FW.
cheers,
Seb.
07-05-2020 11:29 PM
Hi,
My understanding is that only the destination MAC changes. Is that wrong?
As per your explanation, if I want to allow only server 1's IP and MAC to access server 2, do I need to configure server 1's IP and the firewall outside interface to be allowed?
07-06-2020 07:55 PM
Hi,
I have only one WAN IP on the NAT side and we have 3 servers (server1, server3 and server 4),
so I cannot do 1:1 NAT with 1 WAN IP, correct?
But I can do dynamic NAT for outside access (to access server 2), correct?
07-06-2020 11:29 PM
With only one public address for NAT, then yes, static NAT is not an option. As you correctly point out, dynamic NAT is the only solution you can use, but this does not make traffic streams from server1 identifiable for policing via an ACL.
cheers,
Seb.
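Seb's two points above (every routing hop rewrites both MAC addresses, and dynamic NAT folds several inside hosts onto one outside IP so server2 cannot tell them apart) modelled as a small Python simulation. This is an added example, not code from the thread or from any vendor; the topology server1/server3 -> 'NAT FW' -> 'routing FW' -> server2, the interface names and every MAC/IP/port value are assumptions chosen for illustration.

```python
"""Toy model of a frame travelling server1 -> NAT FW -> routing FW -> server2.

Assumed topology (not shown on the page): server1 and server3 sit behind the
'NAT FW', which does dynamic source NAT (PAT) to its single outside address;
the 'routing FW' then routes the packet onto server2's subnet. All MACs, IPs
and ports below are constructed sample values.
"""
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int


class RoutedHop:
    """Any routing hop: the frame is decapsulated on the ingress interface and
    re-encapsulated on egress, so BOTH MACs are rewritten; IPs are untouched."""

    def __init__(self, name, in_mac, out_mac, next_hop_mac):
        self.name = name
        self.in_mac = in_mac            # MAC of the interface the frame arrives on
        self.out_mac = out_mac          # MAC of the interface the frame leaves on
        self.next_hop_mac = next_hop_mac  # MAC of the next device (from ARP)

    def forward(self, frame: Frame) -> Frame:
        if frame.dst_mac != self.in_mac:
            raise ValueError(f"{self.name}: frame is not addressed to me at L2")
        return replace(frame, src_mac=self.out_mac, dst_mac=self.next_hop_mac)


class DynamicNatHop(RoutedHop):
    """A routing hop that also performs dynamic source NAT: every inside host is
    mapped onto the one outside IP and distinguished only by a translated port."""

    def __init__(self, name, in_mac, out_mac, next_hop_mac, outside_ip):
        super().__init__(name, in_mac, out_mac, next_hop_mac)
        self.outside_ip = outside_ip
        self.table = {}                 # (inside ip, inside port) -> outside port
        self._ports = count(40000)      # constructed outside-port pool

    def forward(self, frame: Frame) -> Frame:
        key = (frame.src_ip, frame.src_port)
        if key not in self.table:       # reuse an existing translation if present
            self.table[key] = next(self._ports)
        translated = replace(frame, src_ip=self.outside_ip, src_port=self.table[key])
        return super().forward(translated)   # then the normal L2 rewrite


# Constructed addresses (locally administered MACs, documentation IP ranges).
SERVER1_MAC, SERVER1_IP = "02:00:00:00:01:01", "10.0.1.10"
SERVER3_MAC, SERVER3_IP = "02:00:00:00:01:03", "10.0.1.30"
SERVER2_MAC, SERVER2_IP = "02:00:00:00:02:02", "192.0.2.20"
NATFW_INSIDE, NATFW_OUTSIDE, NATFW_OUTSIDE_IP = "02:00:00:00:aa:01", "02:00:00:00:aa:02", "203.0.113.1"
RTFW_OUTSIDE, RTFW_INSIDE = "02:00:00:00:bb:01", "02:00:00:00:bb:02"  # 'inside' faces server2


def build_path():
    """Fresh hops with an empty NAT table, in the order a frame traverses them."""
    nat_fw = DynamicNatHop("NAT FW", NATFW_INSIDE, NATFW_OUTSIDE,
                           next_hop_mac=RTFW_OUTSIDE, outside_ip=NATFW_OUTSIDE_IP)
    routing_fw = RoutedHop("routing FW", RTFW_OUTSIDE, RTFW_INSIDE,
                           next_hop_mac=SERVER2_MAC)
    return [nat_fw, routing_fw]


def trace(frame: Frame, path):
    """Return the frame as seen at each stage (index 0 = as sent by the host)."""
    seen = [frame]
    for hop in path:
        frame = hop.forward(frame)
        seen.append(frame)
    return seen


def as_seen_by_server2(src_mac, src_ip, src_port, path) -> Frame:
    # The host sends to its default gateway, i.e. the NAT FW inside MAC.
    first = Frame(src_mac, NATFW_INSIDE, src_ip, SERVER2_IP, src_port)
    return trace(first, path)[-1]


if __name__ == "__main__":
    path = build_path()
    for name, mac, ip in (("server1", SERVER1_MAC, SERVER1_IP),
                          ("server3", SERVER3_MAC, SERVER3_IP)):
        f = as_seen_by_server2(mac, ip, 51000, path)
        print(f"{name}: server2 sees src_mac={f.src_mac} src_ip={f.src_ip}:{f.src_port}")
```

Running it shows both servers arriving at server2 with the same source MAC (the routing FW 'inside' interface) and the same source IP (the NAT FW outside address); only the translated port differs, which is why neither a MAC ACL nor a source-IP ACL at server2 can single out server1 under dynamic NAT, while a 1:1 static NAT (a distinct `outside_ip` per inside host) would.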
07-08-2020 12:22 AM
Hi,
I have another question.
If I want all of server1, 3 and 4 to access server2, and server 2 to access server 1 only, how do I do this?
I only have 1 public IP.
Please help me with a command sample?