FWSM Static NAT - Source and Destination

Answered Question
Apr 22nd, 2009

Hi,

In the below config, how is it identifiable whether the NAT is on the source IP or the destination IP? How is it possible to do source as well as destination NAT on the same traffic at the same time?

static (OUTSIDE,INSIDE) 192.168.2.40 10.10.10.40 netmask 255.255.255.255

Correct Answer by Jon Marshall about 7 years 7 months ago

Static NAT is bi-directional so source IP and destination IP are relative to the inside and outside interfaces of the firewall.

So

static (inside,outside) 192.168.2.40 10.10.10.40 netmask 255.255.255.255

means

1) traffic from a source IP on the inside of 10.10.10.40 will be natted to 192.168.2.40 as it leaves the outside interface of the firewall

2) traffic from outside with a destination IP address of 192.168.2.40 will be natted to 10.10.10.40 as it leaves the inside interface of the firewall

static (outside,inside) 192.168.2.40 10.10.10.40 netmask 255.255.255.255

means

1) traffic from the inside with a destination IP of 192.168.2.40 will be natted to 10.10.10.40 as it leaves the outside interface of the firewall

2) traffic from the outside with a source IP address of 10.10.10.40 will be translated to 192.168.2.40 as it leaves the inside interface of the firewall.

If you want to do both, simply use 2 statics, e.g.

src IP on inside = 192.168.10.1

dst IP on inside = 172.16.5.10

src IP on outside = 10.5.1.1

dst IP on outside = 10.10.10.1

static (inside,outside) 10.5.1.1 192.168.10.1 netmask 255.255.255.255

static (outside,inside) 172.16.5.10 10.10.10.1 netmask 255.255.255.255

Does this help?

Jon

Overall Rating: 5 (1 ratings)
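
The bi-directional behaviour described in the answer can be checked with a small model. This is an added example, not code from the thread or from Cisco: the function names (`parse_static`, `translate`) are hypothetical, and it models only the address rewrite of the pre-8.3 `static (real_if,mapped_if) mapped real netmask` form, ignoring ACLs, security levels and xlate state.

```python
import ipaddress
import re

# Syntax used in the thread: static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)", re.I)

def parse_static(line):
    """Parse one static statement (host or network) into a rule dict."""
    m = STATIC_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    real_if, mapped_if, mapped, real, mask = m.groups()
    return {
        "real_if": real_if.lower(), "mapped_if": mapped_if.lower(),
        "mapped": ipaddress.ip_network(f"{mapped}/{mask}"),
        "real": ipaddress.ip_network(f"{real}/{mask}"),
    }

def _swap(addr, from_net, to_net):
    """Move addr from from_net to the same host offset in to_net."""
    ip = ipaddress.ip_address(addr)
    if ip not in from_net:
        return addr
    offset = int(ip) - int(from_net.network_address)
    return str(to_net.network_address + offset)

def translate(rules, in_if, out_if, src, dst):
    """Rewrite (src, dst) for a packet crossing the firewall in_if -> out_if."""
    in_if, out_if = in_if.lower(), out_if.lower()
    for r in rules:
        if (in_if, out_if) == (r["real_if"], r["mapped_if"]):
            # Packet leaves the real side: source goes real -> mapped.
            src = _swap(src, r["real"], r["mapped"])
        elif (in_if, out_if) == (r["mapped_if"], r["real_if"]):
            # Packet arrives from the mapped side: destination goes mapped -> real.
            dst = _swap(dst, r["mapped"], r["real"])
    return src, dst

# The two statics from the answer's "do both" case (addresses as given in the thread).
RULES = [
    parse_static("static (inside,outside) 10.5.1.1 192.168.10.1 netmask 255.255.255.255"),
    parse_static("static (outside,inside) 172.16.5.10 10.10.10.1 netmask 255.255.255.255"),
]

if __name__ == "__main__":
    # Forward flow, then the reply flow with the translations reversed.
    print(translate(RULES, "inside", "outside", "192.168.10.1", "172.16.5.10"))
    print(translate(RULES, "outside", "inside", "10.10.10.1", "10.5.1.1"))
```
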
Jon Marshall Thu, 04/23/2009 - 01:33