« Return to Thread: NAT order help
Re: NAT order help
by kevin horvath
::
Rate this Message:
to clarify,
Traffic initiated from the inside (10 net) will map to itself
(identity nat), unless it is tcp traffic destined for 1.1.1.1 then it
will map to 1.1.1.2.
Traffic initiated from the outside to the inside will not matter since
this is where there is no overlapping as the above scenario. Here
traffic destined for 10.x will be translated to itself. The policy
nat in this scenario does not allow traffic initiated from a lower
security interface to a higher security interface as it can only be
done via nat exemption, identity nat, or static nat/pat. I think this
is where the confusion was. Only local traffic can be translated with
Policy NAT (thanks for catching my typo above) not global.
hope this clarifies things.
Kevin
> >
> > >
> > > On 11/6/07, sivakumar <siva_itech@...> wrote:
> > > >
> > > > Hi,
> > > >
> > > > access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
> > > >
> > > > static(inside,ouside) 1.1.1.2 access-list rule1 0 0
> > > > static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
> > > >
> > > > Please tell me which statement will take precedence - policy NAT ot Static
> > > > NAT..
> > > >
> > > > --
> > > > View this message in context: http://www.nabble.com/NAT-order-help-tf4737610.html#a13548213
> > > > Sent from the Firewall Wizards mailing list archive at Nabble.com.
> > > >
> > > > _______________________________________________
> > > > firewall-wizards mailing list
> > > > firewall-wizards@...
> > > > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> > > >
> > >
> > >
> > > --
> > > Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
> > > http://www.algosec.com
> > > ******* Firewall Management Made Smarter ******
> > > _______________________________________________
> > > firewall-wizards mailing list
> > > firewall-wizards@...
> > > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> > >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@...
> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> >
>
>
> --
> Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
> http://www.algosec.com
> ******* Firewall Management Made Smarter ******
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@...
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Traffic initiated from the inside (10 net) will map to itself
(identity nat), unless it is tcp traffic destined for 1.1.1.1 then it
will map to 1.1.1.2.
Traffic initiated from the outside to the inside will not matter since
this is where there is no overlapping as the above scenario. Here
traffic destined for 10.x will be translated to itself. The policy
nat in this scenario does not allow traffic initiated from a lower
security interface to a higher security interface as it can only be
done via nat exemption, identity nat, or static nat/pat. I think this
is where the confusion was. Only local traffic can be translated with
Policy NAT (thanks for catching my typo above) not global.
hope this clarifies things.
Kevin
> >
> > >
> > > On 11/6/07, sivakumar <siva_itech@...> wrote:
> > > >
> > > > Hi,
> > > >
> > > > access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
> > > >
> > > > static(inside,ouside) 1.1.1.2 access-list rule1 0 0
> > > > static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
> > > >
> > > > Please tell me which statement will take precedence - policy NAT ot Static
> > > > NAT..
> > > >
> > > > --
> > > > View this message in context: http://www.nabble.com/NAT-order-help-tf4737610.html#a13548213
> > > > Sent from the Firewall Wizards mailing list archive at Nabble.com.
> > > >
> > > > _______________________________________________
> > > > firewall-wizards mailing list
> > > > firewall-wizards@...
> > > > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> > > >
> > >
> > >
> > > --
> > > Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
> > > http://www.algosec.com
> > > ******* Firewall Management Made Smarter ******
> > > _______________________________________________
> > > firewall-wizards mailing list
> > > firewall-wizards@...
> > > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> > >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@...
> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> >
>
>
> --
> Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
> http://www.algosec.com
> ******* Firewall Management Made Smarter ******
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@...
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
« Return to Thread: NAT order help
| Free embeddable forum powered by Nabble | Forum Help |
