10-08-2008 12:09 AM - edited 03-11-2019 06:54 AM
Hello
I'm curious if it's possible to use a static (inside,outside) for my server to receive connections from the outside, but reply with my global NAT IP?
Example
Server1 : 10.10.10.10
Public IP : 20.20.20.20
static (inside,outside) 20.20.20.20 10.10.10.10
access-lists are opened etc.
How can I control the NAT procedure to disable the server response from being NAT'ed to the static, and have it NAT'ed through my global statement instead?
I've scanned through the cisco NAT documentation but I might have missed it.
Thank you!
10-08-2008 12:35 AM
AFAIK you can't do this because the static statement is bi-directional so it applies both to the inbound and outbound traffic.
Jon
10-08-2008 02:16 AM
Thank you Jon
Thought it was the case.
10-08-2008 04:04 AM
If I understand you correctly, you can't. The station out on the Internet thinks it is talking to your server via the public IP address in the static. If your server response is NAT'd to a different IP address the station on the Internet won't know anything about a connection to this different IP address, and will discard the packet. You can have all kinds of NAT between two systems, but at each end the source and destination IP addresses must match and be consistent. If server 1 thinks it is talking to 10.10.10.10 it HAS to get a response from 10.10.10.10 when the packet finally reaches server 1.
Now you can static PAT a specific port for a server, so that inbound connections to say port 80 for web traffic go to the server static IP address, but that any communications from the server out to other Internet hosts go out the global NAT/PAT address. However, even in this situation, traffic to/from the server on that specific port would be consistent.
So, I'm not sure what you're looking for. If it is as you describe, then it is not possible, but I think you may actually be looking for static PAT.
Fred Reimer
Senior Network Engineer
Coleman Technologies, Inc.
10-08-2008 04:28 AM
What you're asking for cannot be done with ASA, but it can be done with Checkpoint. So the answer is it depends on the vendor(s).
10-08-2008 04:30 AM
How does the checkpoint do it?
10-08-2008 04:31 AM
No it can't. It doesn't matter what firewall vendor you use, if the response to the outside endpoint isn't the same IP address and port by the time it reaches the endpoint the packets will be discarded as not matching any open sockets.
Thanks,
Fred Reimer
Senior Network Engineer
Coleman Technologies, Inc.
10-08-2008 04:41 AM
edited,
10-08-2008 04:58 AM
I saw the message you posted and then retracted. What you want is what I mentioned before, static PAT.
static (inside,outside) tcp outsideip 80 insideip 80
That would allow communications with your insideip server via outsideip on port 80, but any other traffic originated by your server would follow your normal nat/global commands, which are probably:
nat (inside) 1 0 0
global (outside) 1 interface
HTH,
Fred Reimer
Senior Network Engineer
Coleman Technologies, Inc.
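To make the difference between the whole-host static and the static PAT concrete, here is a toy model of the translation order the thread is discussing. This is an added example, not configuration or code from the thread or from Cisco; it reproduces the 7.x/8.2-era rule that static entries (including static PAT) take precedence over the dynamic nat/global policy, and it also models the endpoint check that Fred describes, namely that a host only accepts a reply whose addresses mirror the request it sent. The outside interface address 20.20.20.1, the client address 198.51.100.7 and all ports are assumed values constructed for the example.

```python
"""Toy model of ASA/PIX static, static PAT and nat/global translation.
Added example, not from the thread. Assumed values: outside interface
20.20.20.1, Internet client 198.51.100.7, arbitrary ephemeral ports."""
from dataclasses import dataclass, replace
from typing import Optional

SERVER = "10.10.10.10"          # Server1 (from the thread)
PUBLIC = "20.20.20.20"          # public IP in the static (from the thread)
OUTSIDE_IF_IP = "20.20.20.1"    # assumed: 'global (outside) 1 interface'
CLIENT = "198.51.100.7"         # assumed Internet client


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticNat:
    """static (inside,outside) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port]"""
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None       # None = whole-host static (all ports)
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

    def matches_real(self, p: Packet) -> bool:
        return p.src_ip == self.real_ip and (
            self.proto is None or (p.proto == self.proto and p.src_port == self.real_port))

    def matches_mapped(self, p: Packet) -> bool:
        return p.dst_ip == self.mapped_ip and (
            self.proto is None or (p.proto == self.proto and p.dst_port == self.mapped_port))


class Firewall:
    """Statics are consulted first; anything left over hits dynamic PAT (nat/global)."""

    def __init__(self, statics, dynamic_pat_ip=None):
        self.statics = statics
        self.dynamic_pat_ip = dynamic_pat_ip
        self._xlate = {}          # (proto, real_ip, real_port) -> (mapped_ip, mapped_port)
        self._next_port = 1024    # assumed starting PAT port

    def outbound(self, p: Packet) -> Optional[Packet]:
        """inside -> outside: rewrite the source address/port."""
        for s in self.statics:
            if s.matches_real(p):
                return replace(p, src_ip=s.mapped_ip,
                               src_port=p.src_port if s.proto is None else s.mapped_port)
        if self.dynamic_pat_ip is None:
            return None           # no translation available: dropped (nat-control)
        key = (p.proto, p.src_ip, p.src_port)
        if key not in self._xlate:
            self._xlate[key] = (self.dynamic_pat_ip, self._next_port)
            self._next_port += 1
        mip, mport = self._xlate[key]
        return replace(p, src_ip=mip, src_port=mport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """outside -> inside: undo the mapping on the destination; else drop."""
        for s in self.statics:
            if s.matches_mapped(p):
                return replace(p, dst_ip=s.real_ip,
                               dst_port=p.dst_port if s.proto is None else s.real_port)
        for (proto, rip, rport), (mip, mport) in self._xlate.items():
            if (proto, mip, mport) == (p.proto, p.dst_ip, p.dst_port):
                return replace(p, dst_ip=rip, dst_port=rport)
        return None


def client_accepts(request: Packet, reply: Packet) -> bool:
    """An endpoint only matches a reply to an open socket if the 4-tuple mirrors its request."""
    return (reply.proto == request.proto
            and (reply.src_ip, reply.src_port) == (request.dst_ip, request.dst_port)
            and (reply.dst_ip, reply.dst_port) == (request.src_ip, request.src_port))


def run_scenario(static: StaticNat):
    """Inbound web request + reply, then a server-originated connection."""
    fw = Firewall([static], dynamic_pat_ip=OUTSIDE_IF_IP)
    req = Packet("tcp", CLIENT, 40000, PUBLIC, 80)
    inside_req = fw.inbound(req)
    reply = fw.outbound(Packet("tcp", SERVER, 80, inside_req.src_ip, inside_req.src_port))
    out = fw.outbound(Packet("tcp", SERVER, 51000, "203.0.113.9", 443))   # assumed dst
    ssh_in = fw.inbound(Packet("tcp", CLIENT, 40001, PUBLIC, 22))          # unmapped port
    return reply.src_ip, out.src_ip, out.src_port, client_accepts(req, reply), ssh_in is None


def whole_host_static():
    """static (inside,outside) 20.20.20.20 10.10.10.10"""
    return run_scenario(StaticNat(PUBLIC, SERVER))


def static_pat():
    """static (inside,outside) tcp 20.20.20.20 80 10.10.10.10 80"""
    return run_scenario(StaticNat(PUBLIC, SERVER, "tcp", 80, 80))


def reply_from_global():
    """What the question asked for: reply leaves from the global PAT IP, not the static."""
    req = Packet("tcp", CLIENT, 40000, PUBLIC, 80)
    return client_accepts(req, Packet("tcp", OUTSIDE_IF_IP, 80, CLIENT, 40000))
```

With the whole-host static, every packet the server originates leaves as 20.20.20.20 and every port on 20.20.20.20 is reachable from outside; with the static PAT only tcp/80 is mapped, the server's own connections come out of the interface PAT address, and an inbound packet to another port on 20.20.20.20 has nothing to match and is dropped. The last function shows why the original request cannot work regardless of vendor: a reply sourced from a different address does not match the client's socket.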
10-08-2008 05:09 AM
Yes Fred, that's correct.
On a more theoretical level, isn't it possible for a server app/program, during the communication, to have the internal server inform the connecting IP/PC that return traffic will come from another IP?
But the program handles the sockets/connections?
Do I make sense?
10-08-2008 05:14 AM
No, it can't - not over the same connection (TCP stream). The server can reply via the same NAT'd IP and port and tell the client to connect to a different IP address/port. Or, the server can ask the client what address IT is listening on, and connect to the client on that port via a different NAT'd address. That's kind of what FTP does with port 20/21.
HTH,
Fred Reimer
Senior Network Engineer
Coleman Technologies, Inc.
10-08-2008 05:17 AM
Thank you Fred, you made sense.
Thanks