Firewall static rule configuration

Jul 12th, 2009

Hi,

I have a very basic doubt about firewall static rule configuration.

Suppose we configure a static rule to allow connections originating from the outside world to the inside world on a particular port and a particular IP address.

For example: public IP address A.B.C.D, port 80.

Internal server: 10.1.1.1, which responds to user requests.

Outside = A.B.C.D on port 80.

Redirected to 10.1.1.1 on the inside zone on port 80.

The access list on outside permits user requests from anywhere to A.B.C.D on port 80.

Now, when 10.1.1.1 returns the user request, how does the inside interface behave?

We have NOT configured a NAT-global configuration to access the internet from inside, as users are not allowed to browse the internet. Only users from outside should be able to visit the web server.

Will the corresponding permit access list get applied to the inside interface?

That means, if a user initiates an internet connection from 10.1.1.1 (that is, from an inside host), will he be able to browse the internet, although there is no configuration by (NAT-global)?

Please share experience.

Thanks in advance.

Subodh

Jon Marshall Sun, 07/12/2009 - 08:13

Subodh


If I understand your question correctly, then the answer is that a static NAT translation is bi-directional, i.e.

static (inside,outside) 195.17.17.1 10.1.1.1 netmask 255.255.255.255

means any traffic from outside coming to 195.17.17.1 will be translated to 10.1.1.1 on the inside.

But it also means any traffic coming from 10.1.1.1 on the inside will be translated to 195.17.17.1 on the outside.

So from the outside, the destination IP is changed from 195.17.17.1 to 10.1.1.1.

From the inside, the source IP is changed from 10.1.1.1 to 195.17.17.1.

Does this answer your question?


Jon

bapatsubodh Sun, 07/12/2009 - 09:07

Hi,

Thanks Jon Marshall, you have answered my question exactly. That indirectly means traffic from 10.1.1.1 to the outside-world address will be allowed by the corresponding access-list applied on the interface.

Thanks

subodh
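The configuration below is an added example written for this thread; it is not from the original posts or from Cisco's documentation. It puts the scenario into pre-8.3 PIX/ASA syntax using Jon's 195.17.17.1 as the public address, and makes one point explicit that the thread leaves implicit: the outside access list only governs packets entering the outside interface. 10.1.1.1 can open outbound connections not because that ACL is "applied to inside", but because traffic from a higher security-level interface (inside, 100) to a lower one (outside, 0) is permitted by default when no ACL is bound to inside, and the bi-directional static then rewrites its source to 195.17.17.1. If inside users must not browse, an ACL on the inside interface is what enforces it. The interface names, addresses other than those in the thread, and the Internet host 203.0.113.5 used in the checks are assumptions.

```text
! Added example, not the thread's own configuration (pre-8.3 PIX/ASA syntax).
! Interface names and addresses other than 195.17.17.1 / 10.1.1.1 are assumed.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 195.17.17.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0
!
! Static NAT is bi-directional:
!   inbound  : destination 195.17.17.1 -> 10.1.1.1
!   outbound : source      10.1.1.1    -> 195.17.17.1
static (inside,outside) 195.17.17.1 10.1.1.1 netmask 255.255.255.255
!
! This ACL is evaluated only for traffic entering the outside interface.
! It permits the web server to be reached; it says nothing about what
! inside hosts may initiate.
access-list OUTSIDE_IN extended permit tcp any host 195.17.17.1 eq www
access-group OUTSIDE_IN in interface outside
!
! With no ACL bound to inside, level 100 -> level 0 traffic is allowed by
! default, so 10.1.1.1 could browse the Internet (source-translated to
! 195.17.17.1 by the static). To enforce "inside users do not browse",
! bind a deny ACL to the inside interface. Replies for the HTTP sessions
! that outside clients opened still flow: packets belonging to an existing
! connection are matched in the connection table and are not re-checked
! against the interface ACL.
access-list INSIDE_IN extended deny ip host 10.1.1.1 any log
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Checks from exec mode (203.0.113.5 is an assumed Internet host):
!   packet-tracer input outside tcp 203.0.113.5 40000 195.17.17.1 80
!     expected: ALLOW, NAT phase shows 195.17.17.1 translated to 10.1.1.1
!   packet-tracer input inside tcp 10.1.1.1 40000 203.0.113.5 80
!     expected: DROP (acl-drop) with INSIDE_IN bound; ALLOW without it
!   show xlate
!     expected: a static entry, Global 195.17.17.1 Local 10.1.1.1
```

The `static` line is the pre-8.3 form used in the thread; on ASA 8.3 and later, NAT is expressed with network objects, but the interface-ACL behaviour shown here (outside ACL for inbound, inside ACL for outbound, connection-table bypass for return traffic) is unchanged. Running the two `packet-tracer` commands before and after binding `INSIDE_IN` is the quickest way to confirm which rule actually decides the inside host's fate.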
