Static NAT - make my ip address appear as something else

John Peterson
Level 1

Hi,

I have a firewall which is connected to a Cisco 870 router.

The router only allows one IP address to SSH into it, which is 7.7.7.7, but the firewall interface which is connected to the router is 2.2.2.2 and the router interface is 2.2.2.1.

I can ping the router from the inside of my firewall, but I can't SSH into it as it has an access list which will only allow SSH from the IP address 7.7.7.7.

Would it be possible to do a static NAT which translates 2.2.2.2 to 7.7.7.7 when I SSH into the router from the inside?

Thanks

11 Replies

Julio Carvajal
VIP Alumni

Hello John,

I would recommend instead using a host on the inside or DMZ (if you have one) interface, NATted to 7.7.7.7, then getting access into the router and allowing SSH communications from 2.2.2.2 as well.

Hope this helps.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Thanks. I can use a host with the IP address 192.168.10.1, which is on the inside of my LAN.

The problem I have is I'm not sure my command is correct:

static(inside,outside) 7.7.7.7 eq 22 192.168.10.1 eq 22 netmask 255.255.255.255

Would this be correct? I ONLY want the SSH traffic to be applied in the static NAT, hence the port 25.

Thanks

Hello,

The router is on the outside of your network, right? Inside-ASA-----Outside--Router---Internet

In fact you do not need a static, because a static is a permanent bidirectional translation, and in this case all you need is to NAT the internal host to a specific IP address when it reaches the router on the outside, so let's use a Global Policy NAT.

So let's make this work:

access-list TEST permit tcp host 192.168.10.1 host 2.2.2.1 eq 22

nat (inside) 17 access-list TEST

global (outside) 17 7.7.7.7

Please rate helpful posts,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

That's correct.

I'm not able to use a global NAT as it's already in use; I guess a static NAT takes precedence over global NAT.

I also have a failover interface which is currently being used.

Is there a way I can use a static NAT?

Thanks

Hello John,

Of course you can use the static NAT in this situation; that was just advice. Also remember that it does not matter if you are using a global NAT already: the more specific NAT entry of the globals will take precedence, and in our case this one will take it.

But do not worry, let's use a static if you want, but that will make the host use that IP address on all of its connections.

NOTE:(Port-forwarding is just for inbound connections)

access-list TEST permit tcp host 192.168.10.1 host 2.2.2.1 eq 22

static (inside,outside) 7.7.7.7 access-list TEST

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Will this static NAT be applied for all the connections of the host?

I only want the NAT to be applied when I SSH into the 7.7.7.7 address.

Thanks

Hello John,

Can you take a look at the ACL; there is your answer.

Only for the destination 2.2.2.2 on port 22 (Static Policy NAT).

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
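To make the policy static NAT discussed above concrete, here is an added configuration example with verification steps. It is not the poster's configuration or Julio's exact commands; it assumes ASA 8.2-era syntax (static / nat / global, as used in this thread), interface names "inside" and "outside", and the addresses from the thread (inside host 192.168.10.1, router interface 2.2.2.1, translated address 7.7.7.7). The ACL name SSH_TO_ROUTER and the source port 40000 in the packet-tracer lines are made up for the example.

```cisco
! Added example, not the thread's own configuration.
! Assumes ASA 8.2-style NAT syntax and the addresses used in this thread.
!
! Match only the SSH flow from the one inside host to the router.
! Anything else from 192.168.10.1 does not match and keeps using the
! existing global (outside) pool, because policy entries are more specific.
access-list SSH_TO_ROUTER extended permit tcp host 192.168.10.1 host 2.2.2.1 eq 22
!
! Policy static NAT: packets matching the ACL leave the outside interface
! with source 7.7.7.7, which is the only source the router's SSH ACL accepts.
static (inside,outside) 7.7.7.7 access-list SSH_TO_ROUTER
!
! After changing NAT, clear stale translations so the new entry is used.
! clear xlate
!
! Verification from exec mode (constructed source port 40000):
! 1) the SSH flow should be translated to 7.7.7.7 in the NAT phase
! packet-tracer input inside tcp 192.168.10.1 40000 2.2.2.1 22
! 2) a non-SSH flow from the same host should NOT be translated to 7.7.7.7
! packet-tracer input inside tcp 192.168.10.1 40000 2.2.2.1 23
! 3) confirm the live translation while the SSH session is open
! show xlate | include 7.7.7.7
```

The two packet-tracer runs are the check that answers the "all connections of the host?" question directly: only the flow matching the ACL's destination and port is rewritten, so the router's source-based restriction stays effective for everything else.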

Thanks Julio,

I will try and post back.

Hello John,

Sure, I will be waiting.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sorry, I meant I will try it in the morning and let you know tomorrow night.

Quick question: how do you learn so much? I want to be like you and be very good at firewalls; can you help me?

Hello John,

Thanks for the comments; it's all about loving what you do, researching every topic and going for certifications that will improve your performance as a Security Tech.

See ya tomorrow.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC