NAT
In 8.4/8.6 the access-list is evaluated after NAT (on the real, untranslated addresses) when the
request comes from a lower to a higher security level. So the ACL must always use the private
(real) IP as the destination and the private (real) port as the destination port, never the mapped ones.
Dynamic NAT
✓ Uni-directional (only the source IP is translated, and only when traffic goes from the segment
on the LEFT to the segment on the RIGHT inside the parentheses of the nat command; a host on the
RIGHT can reach a mapped address only while that translation already exists and an ACL permits it)
In this example, when 74.0.0.0/24, which sits behind the outside segment, accesses any
destination on the inside segment, the source 74.0.0.0/24 is translated to an address from
the pool 192.168.65.150-192.168.65.160. The source port, destination port and destination IP
remain unchanged. Because outside has the lower security level, you additionally need an
ACL permitting the traffic from lower to higher.
✓ Dynamic policy NAT: uni-directional (only the source IP is translated when traffic goes from the
LEFT segment to the RIGHT segment and matches a particular service). It is used when you want to
translate only under a condition, for example a given destination port.
In this example, when 10.0.0.0/24, which sits behind the inside segment, accesses any
destination on the outside segment on destination port telnet (TCP/23), the source
10.0.0.0/24 is translated to an address from the pool 20.0.0.1-20.0.0.10. The source port,
destination port and destination IP remain unchanged.
In this example, when 10.0.0.0/24 behind the inside segment accesses any destination on the
outside segment on destination port 2323, the source 10.0.0.0/24 is translated to an address
from the pool 20.0.0.1-20.0.0.10 and the destination port is translated from 2323 to 23. The
source port and destination IP remain unchanged.
In this example, when 74.0.0.0/24 behind the outside segment accesses any destination on the
inside segment on destination port 2323, the source 74.0.0.0/24 is translated to an address
from the pool 192.168.65.150-192.168.65.160 and the destination port is changed from 2323
to 23. The source port and destination IP remain unchanged. Because this is lower to higher,
you additionally need an ACL, and it must permit the real destination port 23, not 2323.
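The following is an added example, not configuration from the original notes, showing how the dynamic NAT cases above are written on ASA 8.4+ with object NAT (plain dynamic NAT) and twice NAT (dynamic policy NAT). Object, service and ACL names, and the outside test address 198.51.100.10, are assumed; the notes only give the address ranges.

```cisco
! Added example (not from the original notes). Names assumed.
! Interfaces: inside = security-level 100, outside = security-level 0.

! --- 1. Dynamic NAT, outside -> inside: 74.0.0.0/24 -> pool 192.168.65.150-160
object network OUTSIDE_NET
 subnet 74.0.0.0 255.255.255.0
object network INSIDE_POOL
 range 192.168.65.150 192.168.65.160
object network OUTSIDE_NET
 nat (outside,inside) dynamic INSIDE_POOL

! Lower -> higher still needs an ACL. Since 8.3 the ACL is matched on the
! REAL (untranslated) addresses and ports: the inside hosts' private IPs.
access-list OUTSIDE_IN extended permit tcp 74.0.0.0 255.255.255.0 192.168.65.0 255.255.255.0 eq 23
access-group OUTSIDE_IN in interface outside

! --- 2. Dynamic policy NAT, inside -> outside, only for destination port 23
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
object network OUT_POOL
 range 20.0.0.1 20.0.0.10
object network ANY4
 subnet 0.0.0.0 0.0.0.0
object service TELNET
 service tcp destination eq 23
! In dynamic twice NAT the service pair is written mapped-port first, then real-port.
nat (inside,outside) source dynamic INSIDE_NET OUT_POOL destination static ANY4 ANY4 service TELNET TELNET

! --- 3. Same condition, but the inside host dials 2323 and the server sees 23
object service PORT2323
 service tcp destination eq 2323
nat (inside,outside) source dynamic INSIDE_NET OUT_POOL destination static ANY4 ANY4 service PORT2323 TELNET

! Verify: the NAT phase of the trace names the rule that matched and the rewrite
packet-tracer input inside tcp 10.0.0.5 40000 198.51.100.10 2323
show xlate
```

Rules 2 and 3 both match destination-port conditions for the same source network; the ASA evaluates twice NAT top-down, so keep the more specific rule first if two could match the same flow. `show nat detail` shows the hit counts per rule when you are not sure which one a flow is using.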
Dynamic PAT
✓ Dynamic PAT translates a group of real addresses to a single mapped address that is
routable on the destination network
✓ Uni-directional (both the source IP and the source port are translated when traffic goes from
the LEFT segment to the RIGHT segment; hosts on the RIGHT cannot initiate connections to the mapped address)
For example
host 20.0.0.1
In this example, when 10.0.0.0/24 behind the inside segment accesses any destination on the
outside segment, the source 10.0.0.0/24 is translated to the single IP 20.0.0.1 and the source
port is rewritten to a mapped port the ASA picks (by default from the same range as the real
port: 1-511, 512-1023 or 1024-65535). The destination port and destination IP remain unchanged.
✓ Dynamic policy PAT translates a group of real addresses to a single mapped address
that is routable on the destination network
✓ Uni-directional (the source IP and the source port are translated when traffic goes from the
LEFT segment to the RIGHT segment and matches a particular service)
For example
host 20.0.0.1
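The following is an added example, not configuration from the original notes, showing dynamic PAT as object NAT and dynamic policy PAT as twice NAT on ASA 8.4+. Object and service names are assumed; the notes only give the 10.0.0.0/24 network and the 20.0.0.1 mapped host.

```cisco
! Added example (not from the original notes). Names assumed.
! Interfaces: inside = security-level 100, outside = security-level 0.

object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
object network PAT_IP
 host 20.0.0.1

! --- Dynamic PAT: all of 10.0.0.0/24 behind 20.0.0.1, source port rewritten.
! A single-host mapped object means PAT, not NAT.
object network INSIDE_NET
 nat (inside,outside) dynamic PAT_IP

! Variant: PAT to the outside interface address instead of a dedicated host
!   object network INSIDE_NET
!    nat (inside,outside) dynamic interface

! --- Dynamic policy PAT: only connections to destination port 23 are PATed.
! Anything else from 10.0.0.0/24 is left untranslated (and will not be routable).
object network ANY4
 subnet 0.0.0.0 0.0.0.0
object service TELNET
 service tcp destination eq 23
nat (inside,outside) source dynamic INSIDE_NET PAT_IP destination static ANY4 ANY4 service TELNET TELNET

! Check: one xlate per real ip:port pair, all sharing 20.0.0.1 as mapped address
show xlate
! Confirm no inbound rule exists for 20.0.0.1: the trace must stop at NAT or the ACL
packet-tracer input outside tcp 198.51.100.10 50000 20.0.0.1 23
```

The last `packet-tracer` is the practical proof of the uni-directional claim: with only dynamic PAT configured, an outside host connecting to 20.0.0.1 has no translation to land on, so the packet is dropped before any ACL is consulted.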
Static NAT
✓ Static NAT translates a single real address to a single mapped address that is
routable on the destination network
Host 10.0.0.1
host 20.0.0.1
In this example, when 10.0.0.1, which sits behind the inside segment, accesses any
destination on the outside segment, the source 10.0.0.1 is translated to 20.0.0.1. The
source port, destination port and destination IP remain unchanged (LEFT to RIGHT).
Also, when any source on the outside segment accesses the public translated IP 20.0.0.1,
the destination 20.0.0.1 is translated back to the private IP 10.0.0.1 (RIGHT to LEFT).
Static NAT is bidirectional, but you still need an access-list permitting the flow from
the lower to the higher security level, written against 10.0.0.1, not 20.0.0.1.
Static PAT
✓ Static PAT is bidirectional like static NAT, but the configured service is matched as the
source port in one direction and as the destination port in the other, so in practice only
LEFT to RIGHT or RIGHT to LEFT is usable for a given rule, depending on whether the service
is configured on the source or on the destination side.
✓ For example
Host 10.0.0.1
host 20.0.0.1
In this example, when 10.0.0.1 behind the inside segment accesses any destination on the
outside segment on destination port 23, the source 10.0.0.1 is translated to 20.0.0.1. The
source port, destination port and destination IP remain unchanged. This is LEFT to RIGHT,
so only the source IP is translated.
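The following is an added example, not configuration from the original notes, putting the static NAT and static PAT cases above into ASA 8.4+ syntax: object NAT for the plain static mapping, object NAT with `service` for port-level static PAT, and the twice NAT form the notes describe (source translated only for destination port 23). Object and ACL names and the outside test address 198.51.100.10 are assumed.

```cisco
! Added example (not from the original notes). Names assumed.
! Interfaces: inside = security-level 100, outside = security-level 0.
! The three NAT rules are alternatives for the same 10.0.0.1 / 20.0.0.1 pair:
! configure only the one you need; they are shown together for comparison.

! --- 1. Static NAT (object NAT): 10.0.0.1 <-> 20.0.0.1, all ports, both directions
object network SRV_REAL
 host 10.0.0.1
 nat (inside,outside) static 20.0.0.1

! --- 2. Static PAT (object NAT): only TCP/23 is translated.
!        Syntax is "service tcp real_port mapped_port"; the outside sees 20.0.0.1:23.
!        Use a different mapped port (e.g. "service tcp 23 2323") for port forwarding.
object network SRV_TELNET
 host 10.0.0.1
 nat (inside,outside) static 20.0.0.1 service tcp 23 23

! --- 3. The notes' form: twice NAT, source translated only when the DESTINATION
!        port is 23. In the reverse direction the ASA swaps the roles, so the rule
!        only matches outside connections coming FROM source port 23, which is why
!        it is usable LEFT to RIGHT only in practice.
object network SRV_MAPPED
 host 20.0.0.1
object network ANY4
 subnet 0.0.0.0 0.0.0.0
object service TELNET
 service tcp destination eq 23
nat (inside,outside) source static SRV_REAL SRV_MAPPED destination static ANY4 ANY4 service TELNET TELNET

! Inbound (lower -> higher) needs an ACL; since 8.3 it names the REAL address
! and REAL port, not 20.0.0.1.
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.1 eq 23
access-group OUTSIDE_IN in interface outside

! Verify both directions; the NAT phase shows which rule matched and the rewrite
packet-tracer input outside tcp 198.51.100.10 50000 20.0.0.1 23
packet-tracer input inside tcp 10.0.0.1 40000 198.51.100.10 23
```

Run the two traces against rule 2 and then against rule 3 to see the difference the notes describe: with rule 2 both traces reach the ACL phase; with rule 3 only the inside-to-outside trace gets translated.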
✓ Static NAT can also be written as twice NAT, which translates a single real source address to
a single mapped address that is routable on the destination network and, in the same rule,
translates (or identity-translates) the destination
✓ For example
Host 192.168.65.3
host 74.0.0.3
Object network R4
Host 74.0.0.4
In this example, when the source 192.168.65.3 behind the inside segment accesses the
destination 74.0.0.4 on the outside segment, the source 192.168.65.3 is translated to
74.0.0.3 and the destination 74.0.0.4 is identity-translated, i.e. it stays 74.0.0.4. The
source port and destination port remain unchanged.
Also, when the source 74.0.0.4 on the outside segment accesses the public translated IP
74.0.0.3, the destination 74.0.0.3 is translated to the private IP 192.168.65.3 and the
source 74.0.0.4 stays 74.0.0.4 (identity). You still need an access-list permitting the
flow from the lower to the higher security level, written against the real addresses
74.0.0.4 and 192.168.65.3.
✓ For example
nat (inside,outside) source static R3real R3public destination static R4int R4real
Host 192.168.65.3
host 74.0.0.3
Host 74.0.0.4
Host 192.168.65.4
In this example, when the source 192.168.65.3 behind the inside segment accesses R4 by its
local address 192.168.65.4, the source 192.168.65.3 is translated to 74.0.0.3 and the
destination 192.168.65.4 is translated to 74.0.0.4. The source port and destination port
remain unchanged. Note that in twice NAT the destination pair is written mapped object
first, then real object, so R4int must hold the address the inside hosts use
(192.168.65.4) and R4real the address R4 actually has on the outside (74.0.0.4).
Also, when the source 74.0.0.4 on the outside segment accesses the public translated IP
74.0.0.3, the destination 74.0.0.3 is translated to the private IP 192.168.65.3 and the
source is translated from 74.0.0.4 to 192.168.65.4. You still need an access-list
permitting the flow from the lower to the higher security level, written against the
real addresses (source 74.0.0.4, destination 192.168.65.3).
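The following is an added example, not configuration from the original notes, with the complete object set behind the two twice NAT rules above. The notes list only the addresses, so the assignment of addresses to R4, R4int and R4real is an assumption, chosen so that the rules behave as the notes describe; the ACL name is also assumed.

```cisco
! Added example (not from the original notes). Assumed object contents:
!   R3real   192.168.65.3  real inside host
!   R3public 74.0.0.3      its mapped address on the outside
!   R4       74.0.0.4      outside host, identity-translated in case 1
!   R4int    192.168.65.4  address the inside hosts use to reach R4 (MAPPED)
!   R4real   74.0.0.4      address R4 really has on the outside (REAL)
object network R3real
 host 192.168.65.3
object network R3public
 host 74.0.0.3
object network R4
 host 74.0.0.4
object network R4int
 host 192.168.65.4
object network R4real
 host 74.0.0.4

! Case 1: source translated, destination identity (R4 stays 74.0.0.4)
nat (inside,outside) source static R3real R3public destination static R4 R4

! Case 2: source and destination translated. The destination pair is written
! MAPPED object first, then REAL object: R4int is what the inside host dials,
! R4real is what actually goes out on the wire.
nat (inside,outside) source static R3real R3public destination static R4int R4real

! Inbound ACL on REAL addresses (post-untranslation): 74.0.0.4 -> 192.168.65.3
access-list OUTSIDE_IN extended permit ip host 74.0.0.4 host 192.168.65.3
access-group OUTSIDE_IN in interface outside

! Twice NAT is evaluated top-down by line. For inbound 74.0.0.4 -> 74.0.0.3 both
! cases match, so whichever is listed first wins; check with:
show nat
packet-tracer input inside tcp 192.168.65.3 40000 192.168.65.4 80
packet-tracer input outside tcp 74.0.0.4 40000 74.0.0.3 80
```

The inside-to-outside trace should show the source rewritten to 74.0.0.3 and the destination to 74.0.0.4 under case 2; the outside-to-inside trace shows which of the two lines is actually matched, which is the check to make before relying on the source rewrite to 192.168.65.4.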