Static in, global out? (NAT)

azore2007
Level 1

Hello

I'm curious if it's possible to use a static (inside,outside) for my server to receive connections from the outside, but reply with my global NAT IP?

Example

Server1 : 10.10.10.10

Public IP : 20.20.20.20

static (inside,outside) 20.20.20.20 10.10.10.10

access-lists are opened etc.

How can I control the NAT procedure to stop the server response from being NAT'ed to the static, and have it NAT'ed through my global statement instead?

I've scanned through the cisco NAT documentation but I might have missed it.

Thank you!


11 Replies

Jon Marshall
Hall of Fame

AFAIK you can't do this because the static statement is bi-directional so it applies both to the inbound and outbound traffic.

Jon

Thank you Jon

Thought it was the case.

If I understand you correctly, you can't. The station out on the Internet thinks it is talking to your server via the public IP address in the static. If your server response is NAT'd to a different IP address the station on the Internet won't know anything about a connection to this different IP address, and will discard the packet. You can have all kinds of NAT between two systems, but at each end the source and destination IP addresses must match and be consistent. If server 1 thinks it is talking to 10.10.10.10 it HAS to get a response from 10.10.10.10 when the packet finally reaches server 1.

Now you can static PAT a specific port for a server, so that inbound connections to say port 80 for web traffic go to the server static IP address, but that any communications from the server out to other Internet hosts go out the global NAT/PAT address. However, even in this situation, traffic to/from the server on that specific port would be consistent.

So, I'm not sure what you're looking for. If it is as you describe, then it is not possible, but I think you may actually be looking for static PAT.

Fred Reimer

Senior Network Engineer

Coleman Technologies, Inc.

What you're asking for can not be done with ASA but it can be done with Checkpoint. So the answer is it depends on the vendor(s).

How does the checkpoint do it?

No it can't. It doesn't matter what firewall vendor you use, if the response to the outside endpoint isn't the same IP address and port by the time it reaches the endpoint the packets will be discarded as not matching any open sockets.

Thanks,

Fred Reimer

Senior Network Engineer

Coleman Technologies, Inc.

edited,

I saw the message you posted and then retracted. What you want is what I mentioned before, static PAT.

static (inside,outside) tcp outsideip 80 insideip 80

That would allow communications with your insideip server via outsideip on port 80, but any other traffic originated by your server would follow your normal nat/global commands, which are probably:

nat (inside) 1 0 0

global (outside) 1 interface

HTH,

Fred Reimer

Senior Network Engineer

Coleman Technologies, Inc.
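An added example (not from the thread or from Cisco) that models the decision Fred describes above: a full static applies to every flow the server originates, while a static PAT only matches the one port, so the server's own outbound connections fall through to nat/global. Addresses follow the thread; the outside interface address 30.30.30.30 is a constructed placeholder, and dynamic PAT's source-port rewriting is left out.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVER = "10.10.10.10"      # Server1 from the thread
PUBLIC = "20.20.20.20"      # public IP from the thread
OUTSIDE_IF = "30.30.30.30"  # constructed: ASA outside interface address


@dataclass(frozen=True)
class Static:
    """One static (inside,outside) line; proto/port set only for static PAT."""
    outside_ip: str
    inside_ip: str
    proto: Optional[str] = None
    port: Optional[int] = None


@dataclass
class Policy:
    statics: List[Static]
    dynamic_global: str  # address from "global (outside) 1 interface"


def translate_outbound(policy: Policy, src_ip: str, proto: str,
                       src_port: int) -> Tuple[str, int]:
    """Source address/port a packet from src_ip carries when it leaves.
    Statics are bidirectional and win over nat/global, as the replies say."""
    for s in policy.statics:
        if s.inside_ip != src_ip:
            continue
        if s.proto is None:
            return s.outside_ip, src_port        # full static: every flow
        if s.proto == proto and s.port == src_port:
            return s.outside_ip, src_port        # static PAT: that port only
    return policy.dynamic_global, src_port        # everything else: global


def translate_inbound(policy: Policy, dst_ip: str, proto: str,
                      dst_port: int) -> Optional[str]:
    """Inside host an unsolicited inbound packet reaches; None means dropped."""
    for s in policy.statics:
        if s.outside_ip != dst_ip:
            continue
        if s.proto is None or (s.proto == proto and s.port == dst_port):
            return s.inside_ip
    return None  # nat/global never admits new inbound connections


# static (inside,outside) 20.20.20.20 10.10.10.10
full_static = Policy([Static(PUBLIC, SERVER)], OUTSIDE_IF)
# static (inside,outside) tcp 20.20.20.20 80 10.10.10.10 80
static_pat = Policy([Static(PUBLIC, SERVER, "tcp", 80)], OUTSIDE_IF)
```

Run `translate_outbound(static_pat, SERVER, "tcp", 40000)` to see the server's own connections (ephemeral source port) leave from the interface address, while `translate_outbound(full_static, ...)` always answers with 20.20.20.20.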

Yes Fred, that's correct.

On a more theoretical level, isn't it possible for a server app/program, during the communication, to inform the connecting IP/PC that return traffic will come from another IP?

But the program handles the sockets/connections?

Do I make sense?

No, it can't - not over the same connection (TCP stream). The server can reply via the same NAT'd IP and port and tell the client to connect to a different IP address/port. Or, the server can ask the client what address IT is listening on, and connect to the client on that port via a different NAT'd address. That's kind of what FTP does with port 20/21.

HTH,

Fred Reimer

Senior Network Engineer

Coleman Technologies, Inc.

Thank you Fred, you made sense.

Thanks
