static nat

Answered Question
Feb 2nd, 2010

When using static identity NATs, what is the best way to describe or read the actual statement? Example:

static (inside,outside) 10.1.1.0  10.1.1.0 netmask 255.255.255.0
I read this as follows:
When traffic is inbound (outside interface), the interface "inside" answers for subnet 10.1.1.0 when traffic is inbound from the outside interface...
Is that accurate?
thanks
bruce
Correct Answer by Jon Marshall, Wed, 02/03/2010 - 03:27

bruce.summers wrote:


When using static identity NATs, what is the best way to describe or read the actual statement? Example:

static (inside,outside) 10.1.1.0  10.1.1.0 netmask 255.255.255.0
I read this as follows:
When traffic is inbound (outside interface), the interface "inside" answers for subnet 10.1.1.0 when traffic is inbound from the outside interface...
Is that accurate?
thanks
bruce


Bruce


Just to add a different way of looking at it -


Static NAT is bidirectional, so I read it as follows -


1) When a packet with a source IP of 10.1.1.x arrives on the inside interface of the firewall and the destination IP address is routed via the outside interface, leave the source IP unchanged and send the packet out of the outside interface.


2) When a packet with a destination IP of 10.1.1.x arrives on the outside interface of the firewall, leave the destination IP address the same and send the packet out of the inside interface.


Jon

Correct Answer by Kureli Sankar, Tue, 02/02/2010 - 20:26

Well, 10.1.1.0/24 is the global address that the firewall proxy ARPs for on the outside interface.

If the router on the outside asks "who has 10.1.1.x, tell me", the firewall will say "I do. Send it to me."


static (inside,outside) 10.1.1.0  10.1.1.0 netmask 255.255.255.0


Let me rewrite it as:


static (inside,outside) FAKE REAL netmask 255.255.255.0  --- FW will proxy ARP for the global/FAKE address on the outside interface.


When traffic arrives on the outside to the FAKE address it is sent to the REAL address on the inside interface.


When the REAL IP from the inside wants to go outside, it will look like the FAKE address on the outside.


In your case the FAKE address is the same as the REAL address and that is called identity NAT.


-KS
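The two readings above (Jon's bidirectional rules and KS's FAKE/REAL proxy-ARP view) can be checked against a small model. The following Python is an added example, not code from the thread or from Cisco: it parses the pre-8.3 `static (real_ifc,mapped_ifc) MAPPED REAL netmask MASK` form shown in the question, answers whether the firewall would proxy ARP for a queried address on a given interface, and applies the translation in both directions. It assumes the route lookup has already chosen the mapped interface for the inside-to-outside case (Jon's rule 1), and the non-identity statement and the 198.51.100.x / 203.0.113.x addresses used for illustration are constructed documentation-range values.

```python
import ipaddress
import re
from dataclasses import dataclass

# Grammar of the pre-8.3 ASA/PIX static statement discussed in the thread:
#   static (real_ifc,mapped_ifc) mapped_addr real_addr [netmask mask]
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\)\s+"
    r"(?P<mapped>[\d.]+)\s+(?P<real>[\d.]+)"
    r"(?:\s+netmask\s+(?P<mask>[\d.]+))?\s*$"
)


@dataclass(frozen=True)
class StaticNat:
    real_ifc: str
    mapped_ifc: str
    mapped: ipaddress.IPv4Network   # FAKE/global side, proxy-ARPed on mapped_ifc
    real: ipaddress.IPv4Network     # REAL side, the hosts behind real_ifc

    @property
    def is_identity(self) -> bool:
        # Identity NAT: FAKE and REAL are the same range, as in the question
        return self.mapped == self.real


def parse_static(line: str) -> StaticNat:
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    mask = m["mask"] or "255.255.255.255"   # no netmask means a single host
    mapped = ipaddress.IPv4Network((m["mapped"], mask), strict=False)
    real = ipaddress.IPv4Network((m["real"], mask), strict=False)
    return StaticNat(m["real_ifc"], m["mapped_ifc"], mapped, real)


def _shift(addr, src_net, dst_net):
    """Carry addr's host offset within src_net over to dst_net (same prefix length)."""
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.IPv4Address(int(dst_net.network_address) + offset)


def proxy_arp_answers(nat: StaticNat, ifc: str, queried: str) -> bool:
    """KS's point: the firewall answers ARP for the FAKE range on the mapped interface only."""
    return ifc == nat.mapped_ifc and ipaddress.IPv4Address(queried) in nat.mapped


def translate(nat: StaticNat, ingress_ifc: str, src: str, dst: str):
    """Jon's two rules. Returns (egress_ifc, src, dst), or None if the statement does not apply.

    NAT only decides how addresses are rewritten; whether the packet is permitted
    is still decided by the interface ACL, so a match here is not an access decision.
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # Rule 1: real -> mapped direction, the source is rewritten REAL -> FAKE
    # (assumes the destination already routes via the mapped interface)
    if ingress_ifc == nat.real_ifc and s in nat.real:
        return (nat.mapped_ifc, str(_shift(s, nat.real, nat.mapped)), dst)
    # Rule 2: mapped -> real direction, the destination is rewritten FAKE -> REAL
    if ingress_ifc == nat.mapped_ifc and d in nat.mapped:
        return (nat.real_ifc, src, str(_shift(d, nat.mapped, nat.real)))
    return None


if __name__ == "__main__":
    # The identity statement from the question
    nat = parse_static("static (inside,outside) 10.1.1.0  10.1.1.0 netmask 255.255.255.0")
    print("identity:", nat.is_identity)
    print("outside ARP for 10.1.1.5:", proxy_arp_answers(nat, "outside", "10.1.1.5"))
    print("inside->outside:", translate(nat, "inside", "10.1.1.5", "198.51.100.7"))
    print("outside->inside:", translate(nat, "outside", "198.51.100.7", "10.1.1.5"))
```

For the identity statement both directions leave the addresses untouched, which is exactly why the inside subnet is reachable by its real address from the outside segment: the firewall claims 10.1.1.0/24 via proxy ARP on the outside interface, and the inbound ACL is what actually limits who may reach those hosts.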
