NAT rules on firewall

Answered Question
Nov 10th, 2009

Experts, please assist to understand the below statements from a firewall.

+++++++++++++++++++++++++++++++++++

sh running-config nat

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

sh running-config global

global (dmz) 2 Test_PC-10.11.2.3

global (outside) 1 interface

access-list inside_nat0_outbound line 34 extended permit ip Site2_Net 255.255.0.0 host WebServer_Test

_________________________________

I understand that nat (inside) is used to sort of PAT anything from the inside network to the public IP on the external interface.

Correct me if wrong.

But I am at loggerheads trying to understand the statement with nat 0 as well as the ACL that refers to it.

Please suggest.

Thanks!

Panos Kampanakis Tue, 11/10/2009 - 06:53

nat 0 means that this traffic will not be translated and will go out without changing the IP address.

In your case, whatever packet hits the inside interface and matches the ACL inside_nat0_outbound will go out untranslated.

I hope it helps.

PK

suthomas1 Tue, 11/10/2009 - 07:20

Thanks! With this understanding, the WebServer_Test sits on an isolated DMZ zone. Now if another user segment from the inside segment tries to access this server, shouldn't it also be included in the untranslated list, or maybe it will get translated with the public IP while on the way to reach the server?

Another query: will this untranslated statement apply to all interfaces, and how is it processed in order, as the local IP may already get translated with the public IP before reaching the server?

Appreciate your help!

Correct Answer
Panos Kampanakis Tue, 11/10/2009 - 12:10

Q1: If the server has a return path back to the untranslated IP address, then it won't harm.

Q2: It applies to all traffic that hits the inside interface and matches the ACL.

PK
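To make PK's answer concrete, here is an added example (not from the thread or from Cisco) that models how an ASA 8.2-style firewall chooses between the rules quoted in the question: the nat 0 access-list exemption is checked first, and only then does the dynamic nat/global pair apply, and a global is only usable when its nat-id matches on the egress interface. The addresses for Site2_Net, WebServer_Test and the routing table are constructed assumptions; the thread only shows the object names.

```python
import ipaddress as ip

# Constructed addresses: the thread shows only the object names Site2_Net and WebServer_Test.
SITE2_NET = ip.ip_network("10.20.0.0/16")          # Site2_Net 255.255.0.0
WEBSERVER = ip.ip_address("10.11.2.50")            # host WebServer_Test, lives in the dmz

# access-list inside_nat0_outbound: (source network, destination network) pairs
NAT0_ACL = [(SITE2_NET, ip.ip_network(f"{WEBSERVER}/32"))]

# nat (inside) 0 access-list inside_nat0_outbound   -> exemption, checked first
# nat (inside) 1 0.0.0.0 0.0.0.0                    -> dynamic NAT with nat-id 1
DYNAMIC_NAT = {"inside": [(1, ip.ip_network("0.0.0.0/0"))]}

# global (dmz) 2 Test_PC-10.11.2.3 and global (outside) 1 interface, keyed by (interface, nat-id)
GLOBALS = {("dmz", 2): "Test_PC-10.11.2.3", ("outside", 1): "interface"}

# Constructed routing table used to pick the egress interface (longest prefix wins).
ROUTES = [(ip.ip_network("10.11.2.0/24"), "dmz"), (ip.ip_network("0.0.0.0/0"), "outside")]


def egress_interface(dst):
    """Longest-prefix route lookup; assumes ROUTES covers every destination."""
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def nat_decision(src, dst, ingress="inside"):
    """Return (action, detail) for a flow entering `ingress`, in ASA 8.2 lookup order:
    1. nat 0 access-list (exemption)  2. dynamic nat matched to a global with the same nat-id
    on the egress interface."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for acl_src, acl_dst in NAT0_ACL:
        if src in acl_src and dst in acl_dst:
            return ("exempt", "inside_nat0_outbound")   # forwarded with the original source IP
    egress = egress_interface(dst)
    for nat_id, net in DYNAMIC_NAT.get(ingress, []):
        if src in net:
            pool = GLOBALS.get((egress, nat_id))
            if pool:
                return ("pat", f"global ({egress}) {nat_id} {pool}")
            # nat-id matched but no global carries that id on the egress interface:
            # the packet is not translated (it is dropped instead if nat-control is enabled).
            return ("no-global", f"nat-id {nat_id} has no global on {egress}")
    return ("none", "no nat statement matched")
```

Running `nat_decision("192.168.1.10", "10.11.2.50")` shows the point behind the asker's second question: a non-Site2 inside host reaching the DMZ server never touches `global (outside) 1 interface`, because that global only applies when the egress interface is outside.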
