Static in, global out? (NAT)

Answered Question
Oct 8th, 2008

Hello

I'm curious if it's possible to use a static (inside,outside) for my server to receive connections from the outside, but reply with my global NAT IP?

Example

Server1 : 10.10.10.10

Public IP : 20.20.20.20

static (inside,outside) 20.20.20.20 10.10.10.10

access-lists are opened etc.

How can I control the NAT procedure to stop the server response from being NAT'ed to the static, and have it NAT'ed through my global statement instead?

I've scanned through the cisco NAT documentation but I might have missed it.

Thank you!

Correct Answer
Jon Marshall Wed, 10/08/2008 - 00:35

AFAIK you can't do this because the static statement is bi-directional so it applies both to the inbound and outbound traffic.

Jon

Frederick Reimer Wed, 10/08/2008 - 04:04

If I understand you correctly, you can't. The station out on the Internet thinks it is talking to your server via the public IP address in the static. If your server response is NAT'd to a different IP address the station on the Internet won't know anything about a connection to this different IP address, and will discard the packet. You can have all kinds of NAT between two systems, but at each end the source and destination IP addresses must match and be consistent. If server 1 thinks it is talking to 10.10.10.10 it HAS to get a response from 10.10.10.10 when the packet finally reaches server 1.

Now you can static PAT a specific port for a server, so that inbound connections to say port 80 for web traffic go to the server static IP address, but that any communications from the server out to other Internet hosts go out the global NAT/PAT address. However, even in this situation, traffic to/from the server on that specific port would be consistent.

So, I'm not sure what you're looking for. If it is as you describe, then it is not possible, but I think you may actually be looking for static PAT.

Fred Reimer

Senior Network Engineer

Coleman Technologies, Inc.

cisco24x7 Wed, 10/08/2008 - 04:28

What you're asking for cannot be done with ASA but it can be done with Checkpoint. So the answer is it depends on the vendor(s).

Frederick Reimer Wed, 10/08/2008 - 04:31

No it can't. It doesn't matter what firewall vendor you use, if the response to the outside endpoint isn't the same IP address and port by the time it reaches the endpoint the packets will be discarded as not matching any open sockets.

Thanks,

Fred Reimer

Senior Network Engineer

Coleman Technologies, Inc.

Frederick Reimer Wed, 10/08/2008 - 04:58

I saw the message you posted and then retracted. What you want is what I mentioned before, static PAT.

static (inside,outside) tcp outsideip 80 insideip 80

That would allow communications with your insideip server via outsideip on port 80, but any other traffic originated by your server would follow your normal nat/global commands, which are probably:

nat (inside) 1 0 0

global (outside) 1 interface

HTH,

Fred Reimer

Senior Network Engineer

Coleman Technologies, Inc.
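A fuller version of the static PAT arrangement described above, as an added example that is not part of the thread or of Cisco's documentation. It uses ASA/PIX 7.x-8.2 syntax; the interface names, the outside interface address 20.20.20.1, the inside gateway 10.10.10.1 and the ACL name are assumptions, only 10.10.10.10 and 20.20.20.20 come from the question:

```cisco
! Added example, not from the thread. Addresses other than 10.10.10.10 and
! 20.20.20.20 are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 20.20.20.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Static PAT: only TCP/80 arriving at 20.20.20.20 is forwarded to the server,
! and only replies on that flow leave as 20.20.20.20. Unlike
! "static (inside,outside) 20.20.20.20 10.10.10.10", this does not claim every
! port of 20.20.20.20 or every connection 10.10.10.10 originates.
static (inside,outside) tcp 20.20.20.20 80 10.10.10.10 80 netmask 255.255.255.255
!
! Dynamic PAT for everything else leaving inside, including connections the
! server itself opens: they leave with the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Permit only the published service inbound. On 8.2 and earlier the ACL on the
! outside interface matches the public (mapped) address, not 10.10.10.10.
access-list outside_in extended permit tcp any host 20.20.20.20 eq www
access-group outside_in in interface outside
```

To check the result, open a connection to 20.20.20.20:80 from outside and have the server open an outbound connection at the same time; `show xlate` should list a PAT entry mapping 10.10.10.10(80) to 20.20.20.20(80) and a separate dynamic PAT entry for the server-initiated flow using 20.20.20.1, and `show conn` shows each flow with the one mapped address it keeps for its whole lifetime. If the old full static for 10.10.10.10 is still in the configuration it takes precedence over the nat/global pair and the outbound flow will keep using 20.20.20.20, so remove it first.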

azore2007 Wed, 10/08/2008 - 05:09

Yes Fred, that's correct.

On a more theoretical level, isn't it possible for a server app/program, in the communication, to inform the connecting IP/PC that return traffic will come from another IP?

But the program handles the sockets/connections?

Do I make sense?

Correct Answer
Frederick Reimer Wed, 10/08/2008 - 05:14

No, it can't - not over the same connection (TCP stream). The server can reply via the same NAT'd IP and port and tell the client to connect to a different IP address/port. Or, the server can ask the client what address IT is listening on, and connect to the client on that port via a different NAT'd address. That's kind of what FTP does with port 20/21.

HTH,

Fred Reimer

Senior Network Engineer

Coleman Technologies, Inc.
