cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
New Contributor

Static one to one NAT

Jump to solution

Using the GUI. I attempted the following:

Create a one to one NAT Translation for both inbound and outbound traffic for an internal server on one of my vlans. I went into the DATA:FIREWALL and selected security zones. I then selected Public and added the following policies:

1. I created a static one to one inbound NAT Pool.

2. I created a static one to one outbound NAT Pool

3. I created a allow all policy.

Here is the config portion that pertains to that:

!

ip access-list extended web-acl-10

  remark POB SERVER ALLOW

  permit ip any host 12.69.x.x

!

ip access-list extended web-acl-11

  remark POB SERVER OUT

  permit ip any any

!

ip access-list extended web-acl-9

  remark POB SERVER

  permit ip any any

!

!

ip nat pool web-nat-pool-1 static

  local 12.69.x.x 12.69.x.x global 172.16.1.50 172.16.1.50

!

ip nat pool web-nat-pool-2 static

  local 172.16.1.50 172.16.1.50 global 12.69.x.x 12.69.x.x

!

ip policy-class Private

  allow list self self

  nat source list wizard-ics interface eth 0/0 overload

!

ip policy-class Public

  nat destination list web-acl-9 pool web-nat-pool-1

  allow list web-acl-10

  nat source list web-acl-11 pool web-nat-pool-2

!

Is this correct? Will this work or should I have done it a different way?

Thanks,

Message was edited by: matt - removed public IPs

Labels (2)
0 Kudos
1 Solution

Accepted Solutions
Highlighted
Anonymous
Not applicable

Re: Static one to one NAT

Jump to solution

I would recommend configuring a 1:1 NAT as outlined in the guide instead of using NAT pools.  Page 40 of the PDF has the following example:


Example 9 - One-to-One NAT


In this example, two separate one-to-one NAT rules are created for two servers on the private side of the AOS firewall. To accomplish this, the public IPv4 addresses that are used to access the servers (208.61.209.1 and 208.61.209.2) must be applied as secondary addresses to the WAN interface (PPP 1). On the Public ACP, nat destination list commands are used to match any traffic destined to these public IPv4 addresses and direct it to the corresponding internal servers (192.168.1.2 and 192.168.1.3). In the Private ACP, nat source list commands are used to match any traffic sourced from the specified servers and change its source address to the corresponding public IPv4 address. Any traffic not matching the first two NAT statements is caught by the catch-all NAT statement that provides Internet access to all of the other hosts on the LAN with the address 65.162.109.202. Administrative access is allowed for HTTPS and SSH by the Public ACP with the allow statement referencing web-acl-3. Administrative access is allowed on all available servers from the Private ACP with the allow list self self command because it references an ACL that matches all traffic.



one-to-one nat.jpg



!


ip firewall


!


interface eth 0/1


  ip address 192.168.1.1 255.255.255.0


  access-policy Private


  no shutdown


!


interface t1 1/1


  tdm-group 1 timeslots 1-24 speed 64


  no shutdown


!


interface ppp 1


  ip address 65.162.109.202 255.255.255.252


  ip address 208.61.209.1 255.255.255.255 secondary


  ip address 208.61.209.2 255.255.255.255 secondary


  access-policy Public


  no shutdown


  cross-connect 1 t1 1/1 1 ppp 1


!


ip access-list standard wizard-ics


  remark Internet Connection Sharing


  permit any


!


ip access-list extended self


  remark Traffic to NetVanta


  permit ip any any log


!


ip access-list extended web-acl-3


  permit tcp any any eq https


  permit tcp any any eq ssh


!


ip access-list extended web-acl-4


  remark 1:1 NAT 208.61.209.1 > 192.168.1.2


  permit ip any host 208.61.209.1


!


ip access-list extended web-acl-5


  remark 1:1 NAT 192.168.1.2 > 208.61.209.1


  permit ip host 192.168.1.2 any


!


ip access-list extended web-acl-6


  remark 1:1 NAT 208.61.209.2 > 192.168.1.3


  permit ip any host 208.61.209.2


!


ip access-list extended web-acl-7


  remark 1:1 NAT 192.168.1.3 > 208.61.209.2


  permit ip host 192.168.1.3 any


!


ip policy-class Private


  allow list self self


  nat source list web-acl-5 address 208.61.209.1 overload


  nat source list web-acl-7 address 208.61.209.2 overload


  nat source list wizard-ics interface ppp 1 overload


!


ip policy-class Public


  nat destination list web-acl-4 address 192.168.1.2


  nat destination list web-acl-6 address 192.168.1.3


  allow list web-acl-3 self


!


ip route 0.0.0.0 0.0.0.0 ppp 1


!


Thanks,

Matt

View solution in original post

0 Kudos
1 Reply
Highlighted
Anonymous
Not applicable

Re: Static one to one NAT

Jump to solution

I would recommend configuring a 1:1 NAT as outlined in the guide instead of using NAT pools.  Page 40 of the PDF has the following example:


Example 9 - One-to-One NAT


In this example, two separate one-to-one NAT rules are created for two servers on the private side of the AOS firewall. To accomplish this, the public IPv4 addresses that are used to access the servers (208.61.209.1 and 208.61.209.2) must be applied as secondary addresses to the WAN interface (PPP 1). On the Public ACP, nat destination list commands are used to match any traffic destined to these public IPv4 addresses and direct it to the corresponding internal servers (192.168.1.2 and 192.168.1.3). In the Private ACP, nat source list commands are used to match any traffic sourced from the specified servers and change its source address to the corresponding public IPv4 address. Any traffic not matching the first two NAT statements is caught by the catch-all NAT statement that provides Internet access to all of the other hosts on the LAN with the address 65.162.109.202. Administrative access is allowed for HTTPS and SSH by the Public ACP with the allow statement referencing web-acl-3. Administrative access is allowed on all available servers from the Private ACP with the allow list self self command because it references an ACL that matches all traffic.



one-to-one nat.jpg



!


ip firewall


!


interface eth 0/1


  ip address 192.168.1.1 255.255.255.0


  access-policy Private


  no shutdown


!


interface t1 1/1


  tdm-group 1 timeslots 1-24 speed 64


  no shutdown


!


interface ppp 1


  ip address 65.162.109.202 255.255.255.252


  ip address 208.61.209.1 255.255.255.255 secondary


  ip address 208.61.209.2 255.255.255.255 secondary


  access-policy Public


  no shutdown


  cross-connect 1 t1 1/1 1 ppp 1


!


ip access-list standard wizard-ics


  remark Internet Connection Sharing


  permit any


!


ip access-list extended self


  remark Traffic to NetVanta


  permit ip any any log


!


ip access-list extended web-acl-3


  permit tcp any any eq https


  permit tcp any any eq ssh


!


ip access-list extended web-acl-4


  remark 1:1 NAT 208.61.209.1 > 192.168.1.2


  permit ip any host 208.61.209.1


!


ip access-list extended web-acl-5


  remark 1:1 NAT 192.168.1.2 > 208.61.209.1


  permit ip host 192.168.1.2 any


!


ip access-list extended web-acl-6


  remark 1:1 NAT 208.61.209.2 > 192.168.1.3


  permit ip any host 208.61.209.2


!


ip access-list extended web-acl-7


  remark 1:1 NAT 192.168.1.3 > 208.61.209.2


  permit ip host 192.168.1.3 any


!


ip policy-class Private


  allow list self self


  nat source list web-acl-5 address 208.61.209.1 overload


  nat source list web-acl-7 address 208.61.209.2 overload


  nat source list wizard-ics interface ppp 1 overload


!


ip policy-class Public


  nat destination list web-acl-4 address 192.168.1.2


  nat destination list web-acl-6 address 192.168.1.3


  allow list web-acl-3 self


!


ip route 0.0.0.0 0.0.0.0 ppp 1


!


Thanks,

Matt

View solution in original post

0 Kudos