Re: [fw-wiz] NAT order help



If your intention is just to do regular PAT where you have a block of
internal addresses all translating out to one IP then all you have to
do is
# nat (inside) 1 10.0.0.0 255.0.0.0
# global (outside) 1 1.1.1.2

Now if you do this, it will not allow traffic initiated from your
outside interface (lower security) to your inside interface (higher
security). If you need this, for example because you are hosting a web
server that you want people on the internet to access, then you will
have to do a static PAT (if you only have one IP to translate, that is).
Otherwise you could just do a regular static NAT.


On Nov 14, 2007 8:36 AM, sivakumar <siva_itech@xxxxxxxxx> wrote:

Hi,

Thanks for your reply. Is my rule for static PAT right, or do I need to
specify TCP/UDP ports to do a PAT? Is it possible to translate multiple IPs
from inside to a single IP outside using static? Please let me know, since I
couldn't find anything in the Cisco docs describing a static PAT like that;
rather, they perform redirection on ports.



kevin horvath wrote:

To clarify,

Traffic initiated from the inside (10 net) will map to itself
(identity NAT), unless it is TCP traffic destined for 1.1.1.1, in which
case it will map to 1.1.1.2.

Traffic initiated from the outside to the inside will not matter, since
there is no overlap there as in the above scenario. Here
traffic destined for 10.x will be translated to itself. The policy
NAT in this scenario does not allow traffic initiated from a lower
security interface to a higher security interface, as that can only be
done via NAT exemption, identity NAT, or static NAT/PAT. I think this
is where the confusion was. Only local traffic can be translated with
policy NAT (thanks for catching my typo above), not global.

hope this clarifies things.

Kevin



On 11/6/07, sivakumar <siva_itech@xxxxxxxxx> wrote:

Hi,

access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1

static (inside,outside) 1.1.1.2 access-list rule1 0 0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

Please tell me which statement will take precedence, policy NAT or static
NAT.

--
View this message in context:
http://www.nabble.com/NAT-order-help-tf4737610.html#a13548213
Sent from the Firewall Wizards mailing list archive at Nabble.com.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



--
Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
http://www.algosec.com
******* Firewall Management Made Smarter ******






--
View this message in context: http://www.nabble.com/NAT-order-help-tf4737610.html#a13746694

Sent from the Firewall Wizards mailing list archive at Nabble.com.
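As an added worked example (not part of any message in this thread), the Python script below models the PIX/ASA pre-8.3 NAT order of operations that Kevin's answer and the top reply rely on, and evaluates sivakumar's two static statements and the top reply's nat/global PAT against a few constructed flows. The Ace and Rule classes, the resolve and translate helpers, the 10.1.2.3 source host and the 203.0.113.9 destination are mine; the category order (NAT exemption, then static NAT/PAT regular and policy in configuration order, then policy dynamic NAT, then regular dynamic NAT by best match) is Cisco's documented order for PIX/ASA 7.x and 8.2 and is an assumption of the model, not something the thread states. It also goes slightly beyond the thread by showing that swapping the two static lines changes the result under first-match, and how overlapping nat statements are picked by longest real prefix. Verify on a real box with show xlate after generating test traffic.

```python
"""Model of the PIX/ASA (pre-8.3) NAT order of operations for flows leaving the inside.

Categories are evaluated in this order (Cisco's documented order, assumed here):
  1. NAT exemption       (nat 0 access-list)         first match, in config order
  2. static NAT/PAT      (static, regular or policy)  first match, in config order
  3. policy dynamic NAT  (nat <id> access-list)      first match, in config order
  4. regular dynamic NAT (nat <id> / global <id>)    best (longest real-prefix) match
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def net(cidr: str) -> Net:
    return ipaddress.IPv4Network(cidr)


@dataclass(frozen=True)
class Ace:
    """One permit line of an access-list referenced by a policy NAT rule."""
    proto: str   # "ip", "tcp" or "udp"
    src: Net
    dst: Net

    def matches(self, proto: str, src: Addr, dst: Addr) -> bool:
        return self.proto in ("ip", proto) and src in self.src and dst in self.dst


@dataclass(frozen=True)
class Rule:
    """One nat/static statement; kind is one of the four categories above."""
    kind: str
    real: Net                    # local (inside) addresses the rule covers
    mapped: Net                  # global addresses; a /32 means PAT to one IP
    acl: Tuple[Ace, ...] = ()    # non-empty only for policy rules

    def matches(self, proto: str, src: Addr, dst: Addr) -> bool:
        if self.acl:             # policy rule: the access-list decides, not `real`
            return any(a.matches(proto, src, dst) for a in self.acl)
        return src in self.real

    def translate(self, src: Addr) -> str:
        if self.mapped.prefixlen == 32:                   # PAT: everyone shares one IP
            return str(self.mapped.network_address)
        offset = int(src) - int(self.real.network_address)  # 1:1 static or identity
        return str(self.mapped.network_address + offset)


FIRST_MATCH = ("exempt", "static", "policy_dynamic")


def resolve(rules, proto: str, src: str, dst: str) -> Optional[Rule]:
    """Return the rule the PIX would apply to a new connection, or None (no xlate)."""
    s, d = Addr(src), Addr(dst)
    for kind in FIRST_MATCH:                 # categories 1-3: first match wins
        for r in rules:                      # `rules` is in configuration order
            if r.kind == kind and r.matches(proto, s, d):
                return r
    best = None                              # category 4: longest real prefix wins
    for r in rules:
        if r.kind == "dynamic" and r.matches(proto, s, d):
            if best is None or r.real.prefixlen > best.real.prefixlen:
                best = r
    return best


def translate(rules, proto: str, src: str, dst: str) -> Optional[str]:
    """Mapped source address the outside would see, or None if nothing matches."""
    r = resolve(rules, proto, src, dst)
    return r.translate(Addr(src)) if r else None


# sivakumar's configuration, as posted in the thread:
#   access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
#   static (inside,outside) 1.1.1.2 access-list rule1 0 0
#   static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
RULE1 = (Ace("tcp", net("10.0.0.0/8"), net("1.1.1.1/32")),)
SIVAKUMAR = [
    Rule("static", net("10.0.0.0/8"), net("1.1.1.2/32"), acl=RULE1),  # policy static PAT
    Rule("static", net("10.0.0.0/8"), net("10.0.0.0/8")),             # identity static
]

# the top reply's plain dynamic PAT:
#   nat (inside) 1 10.0.0.0 255.0.0.0
#   global (outside) 1 1.1.1.2
DYNAMIC_PAT = [Rule("dynamic", net("10.0.0.0/8"), net("1.1.1.2/32"))]


if __name__ == "__main__":
    # constructed sample flows; 10.1.2.3 and 203.0.113.9 are not from the thread
    for proto, dst in (("tcp", "1.1.1.1"), ("udp", "1.1.1.1"), ("tcp", "203.0.113.9")):
        print(f"{proto} 10.1.2.3 -> {dst}: source becomes",
              translate(SIVAKUMAR, proto, "10.1.2.3", dst))
    # the identity static shadows nat/global because statics are category 2
    print("static + nat/global:",
          translate(SIVAKUMAR + DYNAMIC_PAT, "tcp", "10.1.2.3", "203.0.113.9"))
    # with the two static lines swapped, the identity static matches first
    print("statics reversed:",
          translate(list(reversed(SIVAKUMAR)), "tcp", "10.1.2.3", "1.1.1.1"))
```

With the statements entered in sivakumar's order, TCP to 1.1.1.1 leaves as 1.1.1.2 and everything else keeps its 10.x address, which is the behaviour Kevin describes; entering the identity static first would shadow the policy static entirely, so configuration order is worth checking whenever two static lines cover the same local addresses.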
