04-12-2008 03:35 AM - edited 03-11-2019 05:30 AM
I have a query about the static NAT command.
If the command static (outside,inside) is entered, I believe this is a reverse of the static (inside,outside); in other words, the source is changed to whatever is specified in the command.
On this basis the following commands would be incorrect for port forwarding:
static (inside,outside) 209.165.202.135 10.100.1.2 netmask 255.255.255.255
static (outside,inside) 10.100.1.2 209.165.202.135 netmask 255.255.255.255
I assume the above would cause an IP conflict, as 10.100.1.2 would be both a host on the internal network and a NAT IP address present on the firewall.
This brings me to my question: how can you NAT your outbound email out on one address (i.e. the mail server's internal address is 10.101.1.1 and should be NAT'ed out to 213.44.32.161), but have any inbound email to 213.44.32.161 forwarded to a different email server on 10.101.1.2?
I am not sure how to do this using static NAT commands on Cisco, as it seems the static (inside,outside) command creates a one-to-one mapping only?
Please help.
04-12-2008 05:05 PM
Mike,
I am afraid you can't set up NAT to translate two inside hosts to use the same global address for the same ports. I assume both inside hosts use SMTP, one inbound and one outbound.
HTH
Sundar
04-13-2008 01:20 PM
Hi Mike,
static (outside,inside) is not simply a reverse of static (inside,outside). One of the most popular usages is to hide an internal private IP with a public IP from the Internet, which is like your first command "static (inside,outside) 209.165.202.135 10.100.1.2 netmask 255.255.255.255".
Your second command is used in a rare scenario such as this:
You want to hide the destination IP 209.165.202.135 from inside users by giving them the IP 10.100.1.2. When traffic leaves the outside interface, the destination IP will be translated from 10.100.1.2 to 209.165.202.135.
To answer your second question, it can be achieved by policy NAT/PAT. There could be multiple combinations; I give you two examples. The configs have not been verified, so please test them if you plan to put them in production.
1. static PAT + policy PAT
access-list smtp_outbound permit tcp host 10.101.1.1 any eq smtp
nat (inside) 2 access-list smtp_outbound
global (outside) 2 213.44.32.161
static (inside,outside) tcp 213.44.32.161 smtp 10.101.1.2 smtp netmask 255.255.255.255
2. policy static PAT
access-list smtp_outbound permit tcp host 10.101.1.1 any eq smtp
access-list smtp_inbound permit tcp host 10.101.1.2 eq smtp any
static (inside,outside) 213.44.32.161 access-list smtp_outbound
static (inside,outside) 213.44.32.161 access-list smtp_inbound
04-14-2008 12:14 AM
Thanks, that's excellent.
I was certain this was achievable on my old Checkpoint box, by translating the destination...
Ah well.
04-14-2008 03:44 AM
I have just checked, and currently on our firewall (which I did not configure) we have the following two static NAT statements:
static (inside,outside) 27.18.11.139 10.1.1.1 netmask 255.255.255.255
static (outside,inside) 10.1.1.1 27.18.11.139 netmask 255.255.255.255
This seems incorrect to me, as 10.1.1.1 is an internal host which is NAT'ed outbound to 27.18.11.139.
Yet the static (outside,inside) command is also hiding 27.18.11.139 from the internal network as 10.1.1.1, in the NAT translation the other way.
Surely this is incorrect and cannot work?
04-14-2008 08:28 AM
Hi, I believe the second "static" is wrong, because it doesn't make sense when it comes together with the first "static".
Following is a summary of my understanding of the NAT behavior of "static":
static (real_ifc,mapped_ifc) mapped_ip real_ip
Static NAT is a "bi-directional" NAT, which means traffic can be initiated from both sides of the firewall with different security levels when NAT occurs.
1. Traffic ingress interface is "real_ifc", egress interface is "mapped_ifc"
For traffic entering "real_ifc" and leaving "mapped_ifc", a source IP of "real_ip" will be translated to "mapped_ip" (nat-src); for the returned traffic entering "mapped_ifc" and leaving "real_ifc", a destination IP of "mapped_ip" will be translated to "real_ip" (nat-dst).
2. Traffic ingress interface is "mapped_ifc", egress interface is "real_ifc"
For traffic entering "mapped_ifc" and leaving "real_ifc", a destination IP of "mapped_ip" will be translated to "real_ip" (nat-dst); for the returned traffic entering "real_ifc" and leaving "mapped_ifc", a source IP of "real_ip" will be translated to "mapped_ip" (nat-src).
HTH
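The summary above can be checked mechanically. The following Python model is an added example, not code from the thread or from Cisco: it parses the IP-to-IP form of the static command into (real_ifc, mapped_ifc, mapped_ip, real_ip), applies the nat-src / nat-dst rule for a packet given its ingress and egress interface, and flags the conflict the earlier post asked about, where one address is a real host on an interface for one static and a firewall-owned mapped address on the same interface for another. The static lines are the thread's own; the packet addresses 10.100.1.50 and 198.51.100.7 are constructed for the demo, and port/policy statics are deliberately not modelled.

```python
"""Model of PIX/ASA 'static (real_ifc,mapped_ifc) mapped_ip real_ip' semantics.

Added example illustrating the thread's summary; not a Cisco tool. Only the
plain IP-to-IP static is parsed; port statics and policy statics are rejected.
"""
import re
from dataclasses import dataclass

# static (real,mapped) mapped_ip real_ip [netmask ...]; optional space after 'static'
STATIC_RE = re.compile(
    r"^static\s*\((\w+),\s*(\w+)\)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
)


@dataclass(frozen=True)
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str


def parse_static(line: str) -> Static:
    """Parse one IP static command; raise on port/policy forms (not modelled)."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an IP-to-IP static: {line!r}")
    return Static(*m.groups())


def translate(rules, ingress, egress, src, dst):
    """Apply the bi-directional rule from the summary to one packet.

    entering real_ifc, leaving mapped_ifc: src real_ip  -> mapped_ip (nat-src)
    entering mapped_ifc, leaving real_ifc: dst mapped_ip -> real_ip  (nat-dst)
    The first matching static wins for the source and, separately, for the
    destination. Returns the translated (src, dst).
    """
    new_src, new_dst = src, dst
    for r in rules:
        if ingress == r.real_ifc and egress == r.mapped_ifc and src == r.real_ip:
            new_src = r.mapped_ip
            break
    for r in rules:
        if ingress == r.mapped_ifc and egress == r.real_ifc and dst == r.mapped_ip:
            new_dst = r.real_ip
            break
    return new_src, new_dst


def find_conflicts(rules):
    """Return (interface, address) pairs that are simultaneously a real host
    address (from one static) and a mapped, firewall-owned address (from
    another) on the same interface. A non-empty set means the statics clash."""
    real = {(r.real_ifc, r.real_ip) for r in rules}
    mapped = {(r.mapped_ifc, r.mapped_ip) for r in rules}
    return real & mapped


if __name__ == "__main__":
    # The legitimate 'hide a destination' case from the second answer
    hide = [parse_static("static (outside,inside) 10.100.1.2 209.165.202.135 netmask 255.255.255.255")]
    print("inside host 10.100.1.50 -> 10.100.1.2 leaves outside as",
          translate(hide, "inside", "outside", "10.100.1.50", "10.100.1.2"))
    print("conflicts:", find_conflicts(hide))

    # The overlapping pair found on the production firewall
    pair = [
        parse_static("static (inside,outside) 27.18.11.139 10.1.1.1 netmask 255.255.255.255"),
        parse_static("static (outside,inside) 10.1.1.1 27.18.11.139 netmask 255.255.255.255"),
    ]
    print("conflicts:", sorted(find_conflicts(pair)))
```

find_conflicts only catches the case the thread hit (the same address used as both real and mapped on one interface); it does not validate routing, overlapping netmasks, or port statics, which a real config audit would also need.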