static nat

Bruce Summers
Level 1

when using static identity NATs, what is the best way to describe or read the actual statement.  exp:

static (inside,outside) 10.1.1.0  10.1.1.0 netmask 255.255.255.0
I read this as follows:
when traffic is inbound (outside interface) the interface "inside" answers for subnet 10.1.1.0 when traffic is inbound from the outside interface...
is that accurate?
thanks
bruce
2 Accepted Solutions

Kureli Sankar
Cisco Employee

Well, 10.1.1.0/24 is the global address that the firewall proxy ARPs for on the outside interface.

If the router on the outside asks "who has 10.1.1.x tell me" the firewall will say "I do. Send to me"

static (inside,outside) 10.1.1.0  10.1.1.0 netmask 255.255.255.0

let me change it as

static (inside,outside) FAKE REAL netmask 255.255.255.0  --- FW will proxy arp for the global/FAKE address on the outside interface.

When traffic arrives on the outside to the FAKE address it is sent to the REAL address on the inside interface.

When the REAL ip from the inside wants to go outside, it will look like the FAKE address on the outside.

In your case the FAKE address is the same as the REAL address and that is called identity NAT.

-KS


Jon Marshall
Hall of Fame

bruce.summers wrote:

when using static identity NATs, what is the best way to describe or read the actual statement.  exp:

static (inside,outside) 10.1.1.0  10.1.1.0 netmask 255.255.255.0
I read this as follows:
when traffic is inbound (outside interface) the interface "inside" answers for subnet 10.1.1.0 when traffic is inbound from the outside interface...
is that accurate?
thanks
bruce

Bruce

Just to add a different way of looking at it -

static NAT is bidirectional so I read it as follows -

1) when a packet with a source IP of 10.1.1.x arrives on the inside interface of the firewall and the destination IP address is routed via the outside interface then leave the source IP unchanged and send the packet out of the outside interface

2) when a packet with a destination IP of 10.1.1.x arrives on the outside interface of the firewall, leave the destination ip address the same and send the packet out of the inside interface

Jon

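To make both readings above concrete, here is an added Python model (not Cisco code and not something either poster wrote) of the pre-8.3 PIX/ASA form `static (real_if,mapped_if) MAPPED REAL netmask M`. It parses Bruce's statement, answers the proxy-ARP question the way KS describes (the firewall claims the MAPPED/FAKE block only on the mapped interface), and applies Jon's two directions (outbound: rewrite source REAL to MAPPED; inbound: rewrite destination MAPPED to REAL). Identity NAT falls out as the case where MAPPED equals REAL, so both rewrites leave the address unchanged. The second statement, using 203.0.113.0/24, is a constructed non-identity example included only to show the contrast; class and function names are my own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticNat:
    """One pre-8.3 PIX/ASA 'static (real_if,mapped_if) MAPPED REAL netmask M' entry."""
    real_if: str                      # e.g. "inside": where the REAL hosts live
    mapped_if: str                    # e.g. "outside": where the MAPPED/FAKE addresses are seen
    mapped: ipaddress.IPv4Network     # FAKE block, the one the firewall proxy-ARPs for
    real: ipaddress.IPv4Network       # REAL block behind the real interface

    @classmethod
    def parse(cls, line: str) -> "StaticNat":
        # e.g. "static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0"
        parts = line.split()
        if len(parts) != 6 or parts[0] != "static" or parts[4] != "netmask":
            raise ValueError(f"not a static NAT statement: {line!r}")
        real_if, mapped_if = parts[1].strip("()").split(",")
        mapped = ipaddress.IPv4Network(f"{parts[2]}/{parts[5]}", strict=False)
        real = ipaddress.IPv4Network(f"{parts[3]}/{parts[5]}", strict=False)
        return cls(real_if, mapped_if, mapped, real)

    @property
    def is_identity(self) -> bool:
        # KS: identity NAT is the case where FAKE and REAL are the same block
        return self.mapped == self.real

    @staticmethod
    def _rebase(addr, src_net, dst_net) -> str:
        # Keep the host part, swap the network part (a /24-to-/24 static maps host-for-host).
        offset = int(addr) - int(src_net.network_address)
        return str(ipaddress.IPv4Address(int(dst_net.network_address) + offset))

    def answers_arp(self, interface: str, target: str) -> bool:
        """KS: the firewall proxy-ARPs for the MAPPED block, but only on the mapped interface."""
        return interface == self.mapped_if and ipaddress.IPv4Address(target) in self.mapped

    def outbound(self, src: str, dst: str) -> tuple:
        """Jon's rule 1: a packet from a REAL host entering real_if leaves mapped_if
        with its source rewritten to the MAPPED address (unchanged under identity NAT)."""
        s = ipaddress.IPv4Address(src)
        if s in self.real:
            return self._rebase(s, self.real, self.mapped), dst
        return src, dst

    def inbound(self, src: str, dst: str) -> tuple:
        """Jon's rule 2: a packet entering mapped_if for a MAPPED address is forwarded
        out real_if with its destination rewritten to the REAL address."""
        d = ipaddress.IPv4Address(dst)
        if d in self.mapped:
            return src, self._rebase(d, self.mapped, self.real)
        return src, dst


def read_aloud(rule: StaticNat) -> str:
    """Render the statement as a one-line English reading of both directions."""
    kind = "identity static NAT" if rule.is_identity else "static NAT"
    return (f"{kind}: hosts in {rule.real} on {rule.real_if} appear as {rule.mapped} on "
            f"{rule.mapped_if}; the firewall proxy-ARPs for {rule.mapped} on {rule.mapped_if}")


if __name__ == "__main__":
    # Constructed statements: Bruce's identity NAT, and a non-identity one on a documentation block.
    for line in ("static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0",
                 "static (inside,outside) 203.0.113.0 10.1.1.0 netmask 255.255.255.0"):
        r = StaticNat.parse(line)
        print(line)
        print("  ", read_aloud(r))
        print("   out:", r.outbound("10.1.1.7", "198.51.100.9"))
        print("   in: ", r.inbound("198.51.100.9", str(r.mapped[7])))
```

One point the model makes visible: the static statement only defines the translation and the proxy-ARP claim. It does not by itself permit connections from the outside to 10.1.1.x; on these platforms inbound traffic still has to be allowed by the access-list applied to the outside interface, so an identity static is not an opening on its own.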