Regarding Static NAT

Jan 1st, 2009

Hi team,

1. We use static (inside,outside) IP1 IP2, where IP1 is the IP which is to be translated and IP2 is the IP which is translated. This command is used for accessing from outside to inside. Same way, if we want to access something from internal to external, whether the command syntax will change to:

static (inside,outside) IP2 IP1

2. I have seen the commands static (inside,dmz) and static (dmz,outside). These commands are for accessing from DMZ to inside and outside to DMZ respectively.

Is it possible to use the commands static (dmz,inside) and static (outside,dmz) to access in the reverse direction?

andrew.prince@m... Fri, 01/02/2009 - 04:50
User Badges:
  • Green, 3000 points or more

Yes, it is possible for the (dmz,inside), but I would really think about the (outside,dmz): why would you really want to NAT an external public IP address onto your DMZ???

HTH

palsukh2002 Sun, 01/04/2009 - 19:07

1. I want to NAT an external IP to the DMZ because, suppose, I have kept my DMZ on a private network.

2. My main question is: when we are doing static NAT for access from outside to inside we use:

static (inside,outside) IP1 IP2

When we are accessing from inside to outside, then whether the command syntax will be

static (inside,outside) IP2 IP1 OR

static (outside,inside) IP2 IP1

Here IP2 is the IP for outside and IP1 is the IP for inside.

Same way, whether the syntax will change accordingly when we access from inside to DMZ or from DMZ to outside.

godinerik Sun, 01/04/2009 - 19:21

Ok, I got curious and wanted to test this out. Here's what I did:

I have a server with 3 outside IPs: 1.1.1.2, 1.1.1.3, 1.1.1.4, associated to 3 inside IPs: 192.168.1.2, .3 and .4.

So what I did: I removed my nat/global statements, added an inside,outside and then an outside,inside statement for one IP, and left the two other IPs with only an outside,inside statement.

I initiated an SSH connection to 1.1.1.4 (the IP which has both inside,outside and outside,inside). I tried pinging with that IP (ping -I 192.168.1.4). The connection makes it to an external IP.

When I try pinging using an IP which only has an outside,inside statement without an inside,outside, then that doesn't work.

Conclusion: it seems like you can avoid NAT/GLOBAL statements altogether; however, if you intend to have bi-directional traffic, you'll need both inside,outside and outside,inside for each IP which will need bi-directional communications.

palsukh2002 Mon, 01/05/2009 - 17:25

OK,

But if I do not need bidirectional access, and I only need to access from inside to outside using the static NAT command (of course we can use the nat/global command for that), then can we simply use the following command:

static (outside,inside) IP1 IP2

Where IP1 is the IP to be translated and IP2 is the translated IP.

Am I right?

Because in Checkpoint we use static NAT for inside to outside (most of the time it is one way).

2. This also means we can use the commands static (DMZ,inside) and static (outside,dmz) also, which means we can access from inside to DMZ and from DMZ to outside respectively. Am I right?

godinerik Mon, 01/05/2009 - 20:35

Hi,

If you only need access from inside to outside (and not the other way around), then I would recommend either dynamic NAT or PAT. This has the advantage of sparing your routable IPs for future use. PAT:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

This will allow inside hosts to initiate connections to the outside interface. Please note that the connections will always originate from your firewall's IP. In theory, this could support 65000+ connections (since the connection always originates from your FW's IP and it will use one source port per connection).

Dynamic NAT:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 74.213.AAA.AAA-74.213.AAA.FFF

This would allow you to associate a big pool of internal hosts to a smaller pool of external IPs.

Of course, in both cases, the NAT statement can be replaced by an address and its appropriate netmask to target only a particular subnet.

Yes, you could also use static (dmz,inside) or (outside,dmz); however, keep in mind this is going to be STATIC, which means you'll need 1-to-1 (one external host for every internal host).

To only allow access from inside to outside using the STATIC NAT command, you can:

static (outside,inside) 192.168.100.2 74.213.XX.XX netmask 255.255.255.255

This will allow connections from inside to outside as well as their return traffic; however, someone on the outside interface trying to initiate a connection to one of the mapped IPs won't be able to get through.

HTH.
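To reason about which of the configurations in this thread translates which direction, here is an added example (not from the thread, and not Cisco's code) in Python: it parses legacy pre-8.3 static, nat and global lines and reports how a connection initiated on one interface is translated toward another. It assumes the documented argument order static (real_ifc,mapped_ifc) mapped_ip real_ip, and nat-control behaviour (no translation means no connection is built); the configs embedded in it are constructed to mirror godinerik's test and the PAT example above.

```python
import ipaddress
import re

# Assumed legacy (pre-8.3) argument order, per Cisco PIX/ASA documentation:
#   static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
#   nat (real_ifc) id real_ip mask   and   global (mapped_ifc) id pool|interface
STATIC_RE = re.compile(r"static\s*\((\w+),\s*(\w+)\)\s*(\S+)\s+(\S+)(?:\s+netmask\s+(\S+))?")
NAT_RE = re.compile(r"nat\s*\((\w+)\)\s*(\d+)\s+(\S+)\s+(\S+)")
GLOBAL_RE = re.compile(r"global\s*\((\w+)\)\s*(\d+)\s+(\S+)")

# Constructed config mirroring godinerik's test (nat/global removed): .4 has both directions, .3 only (outside,inside).
TEST_CONFIG = """
static (inside,outside) 1.1.1.4 192.168.1.4 netmask 255.255.255.255
static (outside,inside) 192.168.1.4 1.1.1.4 netmask 255.255.255.255
static (outside,inside) 192.168.1.3 1.1.1.3 netmask 255.255.255.255
"""
# Constructed PAT config, as in the last reply of the thread.
PAT_CONFIG = "nat (inside) 1 0.0.0.0 0.0.0.0\nglobal (outside) 1 interface\n"


def parse_config(text):
    """Parse static/nat/global lines into (statics, nats, globals) tables."""
    statics, nats, globs = [], [], []
    for line in text.splitlines():
        line = line.strip().lower()
        if m := STATIC_RE.match(line):
            real_ifc, mapped_ifc, mapped_ip, real_ip, mask = m.groups()
            real_net = ipaddress.ip_network(f"{real_ip}/{mask or '255.255.255.255'}", strict=False)
            statics.append((real_ifc, mapped_ifc, real_net, ipaddress.ip_address(mapped_ip)))
        elif m := NAT_RE.match(line):
            real_ifc, nat_id, ip, mask = m.groups()
            nats.append((real_ifc, nat_id, ipaddress.ip_network(f"{ip}/{mask}", strict=False)))
        elif m := GLOBAL_RE.match(line):
            globs.append(m.groups())  # (mapped_ifc, nat_id, pool-or-"interface")
    return statics, nats, globs


def translate(cfg, src_ifc, src_ip, dst_ifc):
    """Return ("static", mapped_ip), ("dynamic", pool) or None for a connection that
    src_ip on src_ifc initiates toward dst_ifc (None: no translation in that
    direction, so under nat-control, assumed here as in the test, no connection)."""
    statics, nats, globs = cfg
    src = ipaddress.ip_address(src_ip)
    for real_ifc, mapped_ifc, real_net, mapped_ip in statics:  # statics win over dynamic rules
        if real_ifc == src_ifc and mapped_ifc == dst_ifc and src in real_net:
            return ("static", str(mapped_ip + (int(src) - int(real_net.network_address))))
    for real_ifc, nat_id, real_net in nats:  # dynamic NAT/PAT only for hosts on the real side
        if real_ifc == src_ifc and src in real_net:
            for mapped_ifc, global_id, pool in globs:
                if mapped_ifc == dst_ifc and global_id == nat_id:
                    return ("dynamic", pool)
    return None
```

Run over the constructed test config it reproduces godinerik's observation: 192.168.1.4 is translated outbound, while 192.168.1.3 (only an outside,inside static) gets no outbound translation.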
