Cisco Support Community
New Member

Static in, global out? (NAT)

Hello

I'm curious if it's possible to use a static (inside,outside) for my server to receive connections from the outside, but reply with my global NAT IP?

Example

Server1 : 10.10.10.10

Public IP : 20.20.20.20

static (inside,outside) 20.20.20.20 10.10.10.10

access-lists are opened etc.

How can I control the NAT process so that the server's response is not NAT'ed to the static, but NAT'ed through my global statement instead?

I've scanned through the cisco NAT documentation but I might have missed it.

Thank you!

11 REPLIES
Hall of Fame Super Blue

Re: Static in, global out? (NAT)

AFAIK you can't do this because the static statement is bi-directional so it applies both to the inbound and outbound traffic.

Jon

New Member

Re: Static in, global out? (NAT)

Thank you Jon

Thought it was the case.

New Member

Re: Static in, global out? (NAT)

If I understand you correctly, you can't. The station out on the Internet thinks it is talking to your server via the public IP address in the static. If your server response is NAT'd to a different IP address the station on the Internet won't know anything about a connection to this different IP address, and will discard the packet. You can have all kinds of NAT between two systems, but at each end the source and destination IP addresses must match and be consistent. If server 1 thinks it is talking to 10.10.10.10 it HAS to get a response from 10.10.10.10 when the packet finally reaches server 1.

Now you can static PAT a specific port for a server, so that inbound connections to say port 80 for web traffic go to the server static IP address, but that any communications from the server out to other Internet hosts go out the global NAT/PAT address. However, even in this situation, traffic to/from the server on that specific port would be consistent.

So, I'm not sure what you're looking for. If it is as you describe, then it is not possible, but I think you may actually be looking for static PAT.

Fred Reimer

Senior Network Engineer

Coleman Technologies, Inc.

Silver

Re: Static in, global out? (NAT)

What you're asking for cannot be done with ASA, but it can be done with Checkpoint. So the answer is: it depends on the vendor(s).

New Member

Re: Static in, global out? (NAT)

How does the checkpoint do it?

New Member

Re: Static in, global out? (NAT)

No, it can't. It doesn't matter what firewall vendor you use: if the response to the outside endpoint isn't from the same IP address and port by the time it reaches the endpoint, the packets will be discarded as not matching any open socket.

Thanks,

Fred Reimer

Senior Network Engineer

Coleman Technologies, Inc.

New Member

Re: Static in, global out? (NAT)

edited,

New Member

Re: Static in, global out? (NAT)

I saw the message you posted and then retracted. What you want is what I mentioned before, static PAT.

static (inside,outside) tcp outsideip 80 insideip 80

That would allow communications with your insideip server via outsideip on port 80, but any other traffic originated by your server would follow your normal nat/global commands, which are probably:

nat (inside) 1 0 0

global (outside) 1 interface

HTH,

Fred Reimer

Senior Network Engineer

Coleman Technologies, Inc.
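The two points Fred makes above (a reply must arrive from the IP/port the outside host opened its socket to, so a reply pushed through the nat/global address is discarded; and static PAT lets one port be statically translated while everything else the server originates follows nat/global) can be checked in a small model of the pre-8.3 PIX/ASA translation order. This is an added example written for this page, not code from the original thread or from Cisco: it assumes the outside interface address is 20.20.20.1 (the address "global (outside) 1 interface" would use), a constructed outside client 30.30.30.30 and a constructed Internet host 40.40.40.40, and it simplifies the firewall to "static PAT, then static, then dynamic PAT" with no ACL or connection-state checks.

```python
"""Toy model of the PIX/ASA (pre-8.3) NAT behaviour discussed in the thread.

Added example, not from the original post. Translation order is simplified to
static PAT -> static -> nat/global dynamic PAT; the outside host is modelled as
a socket table keyed by the 4-tuple it opened, which is what decides whether a
reply is accepted or silently dropped.
"""
from dataclasses import dataclass, replace

OUTSIDE_IF = "20.20.20.1"   # ASSUMED outside interface address (global (outside) 1 interface)
SERVER = "10.10.10.10"      # Server1 from the thread
STATIC_IP = "20.20.20.20"   # public IP from the thread
CLIENT = "30.30.30.30"      # constructed outside client
OTHER_HOST = "40.40.40.40"  # constructed Internet host the server connects out to


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def reply_to(pkt):
    """Packet the receiving host sends back on the same connection."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


class Firewall:
    def __init__(self, outside_if):
        self.outside_if = outside_if
        self.static = {}       # inside ip -> outside ip            (static, bidirectional)
        self.static_pat = {}   # (inside ip, port) -> (outside ip, port)  (static PAT)
        self.xlate = {}        # dynamic PAT: (inside ip, sport) -> port on outside interface
        self._next_port = 1024

    def static_cmd(self, outside_ip, inside_ip):
        """static (inside,outside) <outside_ip> <inside_ip>"""
        self.static[inside_ip] = outside_ip

    def static_pat_cmd(self, outside_ip, oport, inside_ip, iport):
        """static (inside,outside) tcp <outside_ip> <oport> <inside_ip> <iport>"""
        self.static_pat[(inside_ip, iport)] = (outside_ip, oport)

    def _global_pat(self, pkt):
        """nat (inside) 1 0 0 / global (outside) 1 interface: rewrite to the interface IP."""
        key = (pkt.src, pkt.sport)
        if key not in self.xlate:
            self.xlate[key] = self._next_port
            self._next_port += 1
        return replace(pkt, src=self.outside_if, sport=self.xlate[key])

    def outbound(self, pkt):
        """Inside -> outside: statics win over nat/global and apply to replies too."""
        if (pkt.src, pkt.sport) in self.static_pat:
            oip, oport = self.static_pat[(pkt.src, pkt.sport)]
            return replace(pkt, src=oip, sport=oport)
        if pkt.src in self.static:
            return replace(pkt, src=self.static[pkt.src])
        return self._global_pat(pkt)

    def inbound(self, pkt):
        """Outside -> inside: untranslate, or None when no xlate exists (packet dropped)."""
        for (iip, iport), (oip, oport) in self.static_pat.items():
            if (pkt.dst, pkt.dport) == (oip, oport):
                return replace(pkt, dst=iip, dport=iport)
        for iip, oip in self.static.items():
            if pkt.dst == oip:
                return replace(pkt, dst=iip)
        for (iip, isport), gport in self.xlate.items():
            if (pkt.dst, pkt.dport) == (self.outside_if, gport):
                return replace(pkt, dst=iip, dport=isport)
        return None


class Host:
    """A TCP endpoint: a packet is accepted only if it matches a socket it opened."""
    def __init__(self, ip):
        self.ip = ip
        self.sockets = set()

    def connect(self, sport, dst, dport):
        self.sockets.add((self.ip, sport, dst, dport))
        return Packet(self.ip, sport, dst, dport)

    def accepts(self, pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sockets


def static_is_bidirectional():
    """static (inside,outside) 20.20.20.20 10.10.10.10: the reply leaves as 20.20.20.20."""
    fw = Firewall(OUTSIDE_IF)
    fw.static_cmd(STATIC_IP, SERVER)
    client = Host(CLIENT)
    syn = fw.inbound(client.connect(40000, STATIC_IP, 80))
    reply = fw.outbound(reply_to(syn))
    return reply.src, client.accepts(reply)


def reply_via_global_is_dropped():
    """What the question asks for: the same reply forced through nat/global instead."""
    fw = Firewall(OUTSIDE_IF)
    fw.static_cmd(STATIC_IP, SERVER)
    client = Host(CLIENT)
    syn = fw.inbound(client.connect(40000, STATIC_IP, 80))
    reply = fw._global_pat(reply_to(syn))  # bypass the static on purpose
    return reply.src, client.accepts(reply)  # client has no socket to 20.20.20.1 -> dropped


def static_pat_splits_traffic():
    """static (inside,outside) tcp 20.20.20.20 80 10.10.10.10 80 plus nat/global."""
    fw = Firewall(OUTSIDE_IF)
    fw.static_pat_cmd(STATIC_IP, 80, SERVER, 80)
    client, server = Host(CLIENT), Host(SERVER)
    syn = fw.inbound(client.connect(40000, STATIC_IP, 80))
    web_reply = fw.outbound(reply_to(syn))           # port 80 stays consistent
    out = fw.outbound(server.connect(51000, OTHER_HOST, 443))  # server-originated
    back = fw.inbound(reply_to(out))                 # comes back via the xlate entry
    return web_reply.src, client.accepts(web_reply), out.src, server.accepts(back)


if __name__ == "__main__":
    print(static_is_bidirectional())
    print(reply_via_global_is_dropped())
    print(static_pat_splits_traffic())
```

The second function is the scenario the original question describes: the static is bypassed and the reply is sourced from the interface address, and the client's socket table has no entry for 20.20.20.1, so the segment is dropped exactly as Fred says. The third shows the static PAT split: the port 80 exchange stays on 20.20.20.20 in both directions while the server's own outbound connection is PAT'ed to the interface address and its return traffic is still untranslated correctly through the dynamic xlate.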

New Member

Re: Static in, global out? (NAT)

Yes Fred, that's correct.

On a more theoretical level, isn't it possible for a server app/program, during the communication, to have the internal server inform the connecting IP/PC that return traffic will come from another IP?

But the program handles the sockets/connections?

Do I make sense?

New Member

Re: Static in, global out? (NAT)

No, it can't - not over the same connection (TCP stream). The server can reply via the same NAT'd IP and port and tell the client to connect to a different IP address/port. Or, the server can ask the client what address IT is listening on, and connect to the client on that port via a different NAT'd address. That's kind of what FTP does with port 20/21.

HTH,

Fred Reimer

Senior Network Engineer

Coleman Technologies, Inc.

New Member

Re: Static in, global out? (NAT)

Thank you Fred, you made sense.

Thanks
