FWSM Static NAT - Source and Destination

Answered Question
Apr 22nd, 2009

Hi,


In the below config, how is it identifiable whether the NAT is on the source IP or the destination IP? How is it possible to do source as well as destination NAT on the same traffic at the same time?


static (OUTSIDE,INSIDE) 192.168.2.40 10.10.10.40 netmask 255.255.255.255


Correct Answer by Jon Marshall about 8 years 3 months ago

Static NAT is bi-directional so source IP and destination IP are relative to the inside and outside interfaces of the firewall.


So


static (inside,outside) 192.168.2.40 10.10.10.40 netmask 255.255.255.255


means


1) traffic from a source IP on the inside of 10.10.10.40 will be natted to 192.168.2.40 as it leaves the outside interface of the firewall


2) traffic from outside with a destination IP address of 192.168.2.40 will be natted to 10.10.10.40 as it leaves the inside interface of the firewall



static (outside,inside) 192.168.2.40 10.10.10.40 netmask 255.255.255.255


means


1) traffic from the inside with a destination IP of 192.168.2.40 will be natted to 10.10.10.40 as it leaves the outside interface of the firewall


2) traffic from the outside with a source IP address of 10.10.10.40 will be translated to 192.168.2.40 as it leaves the inside interface of the firewall.


If you want to do both simply use 2 statics eg.


src IP on inside = 192.168.10.1

dst IP on inside = 172.16.5.10


src IP on outside = 10.5.1.1

dst IP on outside = 10.10.10.1


static (inside,outside) 10.5.1.1 192.168.10.1 netmask 255.255.255.255


static (outside,inside) 172.16.5.10 10.10.10.1 netmask 255.255.255.255


Does this help ?


Jon

Overall Rating: 5 (1 ratings)
Jon Marshall Thu, 04/23/2009 - 01:33
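The two-static case from the answer above, modelled as an added example (not part of the original thread and not Cisco code): a small Python sketch that parses host `static` statements and shows how source and destination are rewritten in each direction. The names `Static`, `parse_static`, `translate` and `RULES` are hypothetical, and only /32 statics without access lists or port redirection are handled.

```python
import re
from typing import NamedTuple

class Static(NamedTuple):
    real_if: str    # interface where the real (untranslated) host lives
    mapped_if: str  # interface where the mapped address is visible
    mapped_ip: str
    real_ip: str

# static (real_if,mapped_if) mapped_ip real_ip netmask 255.255.255.255
_STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+255\.255\.255\.255$",
    re.IGNORECASE)

def parse_static(line):
    m = _STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a host static NAT statement: {line!r}")
    real_if, mapped_if, mapped_ip, real_ip = m.groups()
    return Static(real_if.lower(), mapped_if.lower(), mapped_ip, real_ip)

def translate(rules, in_if, out_if, src, dst):
    """Return (src, dst) as seen when the packet leaves out_if."""
    in_if, out_if = in_if.lower(), out_if.lower()
    new_src, new_dst = src, dst
    for r in rules:
        # Entering on the real interface: the source is the real host.
        if (in_if, out_if) == (r.real_if, r.mapped_if) and src == r.real_ip:
            new_src = r.mapped_ip
        # Entering on the mapped interface: the destination is the mapped IP.
        if (in_if, out_if) == (r.mapped_if, r.real_if) and dst == r.mapped_ip:
            new_dst = r.real_ip
    return new_src, new_dst

# The two statics quoted in the answer.
RULES = [parse_static(l) for l in (
    "static (inside,outside) 10.5.1.1 192.168.10.1 netmask 255.255.255.255",
    "static (outside,inside) 172.16.5.10 10.10.10.1 netmask 255.255.255.255",
)]

if __name__ == "__main__":
    # Request from inside, then the reply coming back from outside.
    print(translate(RULES, "inside", "outside", "192.168.10.1", "172.16.5.10"))
    print(translate(RULES, "outside", "inside", "10.10.10.1", "10.5.1.1"))
```

Running it shows the request leaving the outside interface with both addresses rewritten, and the reply arriving on the inside with both restored, which is a quick way to check a pair of statics against the addresses each side is expected to see.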