Cisco Support Community
New Member

static nat

When using static identity NATs, what is the best way to describe or read the actual statement?  exp:

static (inside,outside) 10.1.1.0  10.1.1.0 netmask 255.255.255.0
I read this as follows:
when traffic is inbound (outside interface) the interface "inside" answers for subnet 10.1.1.0 when traffic is inbound from the outside interface...
Is that accurate?
thanks
bruce
2 ACCEPTED SOLUTIONS

Cisco Employee

Re: static nat

Well, 10.1.1.0/24 is the global address that the firewall does proxy ARP for on the outside interface.

If the router on the outside asks "who has 10.1.1.x tell me" the firewall will say "I do. Send to me"

static (inside,outside) 10.1.1.0  10.1.1.0 netmask 255.255.255.0

let me change it as

static (inside,outside) FAKE REAL netmask 255.255.255.0  --- FW will proxy arp for the global/FAKE address on the outside interface.

When traffic arrives on the outside to the FAKE address it is sent to the REAL address on the inside interface.

When the REAL ip from the inside wants to go outside, it will look like the FAKE address on the outside.

In your case the FAKE address is the same as the REAL address and that is called identity NAT.

-KS

Hall of Fame Super Blue

Re: static nat

bruce.summers wrote:

When using static identity NATs, what is the best way to describe or read the actual statement?  exp:

static (inside,outside) 10.1.1.0  10.1.1.0 netmask 255.255.255.0
I read this as follows:
when traffic is inbound (outside interface) the interface "inside" answers for subnet 10.1.1.0 when traffic is inbound from the outside interface...
Is that accurate?
thanks
bruce

Bruce

Just to add a different way of looking at it -

static NAT is bidirectional so I read it as follows -

1) when a packet with a source IP of 10.1.1.x arrives on the inside interface of the firewall and the destination IP address is routed via the outside interface then leave the source IP unchanged and send the packet out of the outside interface

2) when a packet with a destination IP of 10.1.1.x arrives on the outside interface of the firewall, leave the destination ip address the same and send the packet out of the inside interface

Jon
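
The reading given in the two answers above, as an added example that is not part of the thread and is not Cisco code: a small Python model that parses a `static (inside,outside) FAKE REAL netmask MASK` statement and applies it in both directions. The function names and the 192.0.2.0/24 and 198.51.100.9 sample addresses are constructed for illustration; the model covers only address rewriting, not proxy ARP, routing or access lists.

```python
import ipaddress
import re

STATIC_RE = re.compile(
    r"static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")

def parse_static(line):
    """Parse 'static (real_if,mapped_if) FAKE REAL netmask MASK'."""
    m = STATIC_RE.fullmatch(line.strip())
    if not m:
        raise ValueError("not a static NAT statement: %r" % line)
    real_if, mapped_if, fake, real, mask = m.groups()
    return {
        "real_if": real_if, "mapped_if": mapped_if,
        "fake": ipaddress.ip_network(f"{fake}/{mask}"),   # global address
        "real": ipaddress.ip_network(f"{real}/{mask}"),   # local address
    }

def _remap(addr, from_net, to_net):
    """Keep the host bits of addr and swap the network part."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)

def translate(rule, in_if, src, dst):
    """Return (src, dst, out_if) after translation, or None if no match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_if == rule["real_if"] and src in rule["real"]:
        # inside -> outside: REAL source looks like FAKE on the outside
        return (str(_remap(src, rule["real"], rule["fake"])), str(dst),
                rule["mapped_if"])
    if in_if == rule["mapped_if"] and dst in rule["fake"]:
        # outside -> inside: FAKE destination is sent to REAL on the inside
        return (str(src), str(_remap(dst, rule["fake"], rule["real"])),
                rule["real_if"])
    return None

def is_identity(rule):
    """Identity NAT: FAKE and REAL are the same network."""
    return rule["fake"] == rule["real"]

if __name__ == "__main__":
    # Statement from the thread (identity NAT), then a constructed non-identity one.
    for stmt in ("static (inside,outside) 10.1.1.0  10.1.1.0 netmask 255.255.255.0",
                 "static (inside,outside) 192.0.2.0 10.1.1.0 netmask 255.255.255.0"):
        rule = parse_static(stmt)
        print(stmt, "| identity:", is_identity(rule))
        print("  out:", translate(rule, "inside", "10.1.1.5", "198.51.100.9"))
        print("  in: ", translate(rule, "outside", "198.51.100.9", str(rule["fake"][5])))
```

With the thread's statement both directions return the addresses unchanged, which is the identity NAT case; with the constructed 192.0.2.0 mapping the inside host 10.1.1.5 appears as 192.0.2.5 on the outside and is reachable there under that address.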
