only NAT outside addresses are seen from outside.. NAT inside addresses are hidden from the external network.. But there are chances that there are some junk/vulnerable packets (some attacks etc), come into your network from the ISP. These packets are anyway blocked on your router, which makes your network secure.. so, here you have a private IP getting PATed to a public IP (dialer interface) and make browsing happen..
the traffic goes only from inside to outside.. traffic from outside to inside, is normally dropped, since you dont have any STATIC NAT configured which publishes your internal server/pc..
hope this helps.. all the best.. rate replies if found useful..
I think the reason why the log shows you the private address insteed of your WAN address, is something to do with NAT order of operations.
When the packet arrives the router first chexk any access-list, then NAT's the WAN ip to the 10.10.10.4, afterwards the router decieds to make the CBAC (Inspect), and this is where it finds out it wants to throw the packet away. I'm not sure why it throws it away, maybe because some timer is set to low, or the packet isn't what it appeared to be.
For further clarification check this link out, expically the column "Outside-to-Inside".
assuming that you have in your cbac only two interfaces inside and outside no DMZ!!!
i would like to suggest :
1-the vty access-list must be applied on VLAN inbound, to prevent any spoofing of your 10.10... network.
2-the access-list 2000 is good it will allow what must be allowed from outside to your network and at the same time it implement the RFC 2829, so it s placed in the right place dialer inbound.
3-the MARSFW inspection rule must be applied on vlan 1 inbound and removed from dialer0, this inspection rule will create the statefull database and dynamic entries those entries will be appended to your access-list 2000 the puporse of those dynamic entries is to allow the returned traffic for the session initiated from your internal network to the outside network.
4- the nat configuratiion is correct! must work!!.
5- but i dont see any inpspection for your HTTP traffic in the inspection RULE so it will be dropped automaticaly i think!!!, suggestion try to add to the inspection rule
(ip inspect MARSFW http)
also if your are using port 8080 for http instead of 80 use :
3. Please check your information. I've talked to Cisco TAC, they inform me the FW inspect rule should be on Dialer 0 out. When traffic is initiated from inside CBAC creates session entry in the state table which is used in conjunction with ACL in.
for the point number 5 i quit agree i didnt see it!!!
for the point 3, as i mentionned in my last post you can configure the inspection rule on the interface closed to the source of your outbound traffic going to the internet but dont forget i ve mentionned in the INBOUND (in) direction is still correct!!
however what TAC said is correct too since is applied in the OUTBOUND (out) direction!!
the chalenge here is which one is the best???
in your case just one exit interface is perfect both options can work without heavy work.
but imagine you have 3 or 4 interface to the internet you dont know which one will be used for the outbound traffic going to the internet so if we choose the solution of the TAC here you need to apply your inspection rule in the outbound direction on the 3 or 4 interface ,you have to hard code it tree or four times , but if we chose the the other option you will apply you inspection only ONCE!!! it will work for all the exits interfaces!!!
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...