Connecting to a Masqueraded Destination (Destination NAT for Inbound Connection) – Cisco Network Address Translation (NAT)

When external hosts access any of your company's services, they should do so through your organization's public IP address. The internal addressing scheme must remain invisible to external users. In this section, you learn how to connect to an internal host by using a masqueraded public IP address.

Figure 17-16 illustrates a scenario where an external host connects to an internal DMZ server of a company. When an external host initiates a connection to a masqueraded public address, the threat defense translates that destination address into the internal (original) address.

Figure 17-16 Lab Topology to Demonstrate Static NAT for Inbound Traffic

Configuring a Static NAT Rule

Because the previous section created a dynamic Auto NAT rule and analyzed its operation in detail, this section does not repeat the procedure for creating a NAT policy from scratch. You can simply add a new NAT rule as illustrated in Figure 17-16 and then redeploy the NAT policy. If the policy deployment is successful, the threat defense should let an external host connect to an internal DMZ server using a masqueraded public IP address. Because in this case the threat defense translates a public destination address into an internal address, this translation is known as destination NAT.

Figure 17-17 illustrates a static NAT rule that enables an outside host to connect to a DMZ server (internal IP address 172.16.1.10) via the SSH service (internal port 22) without knowing the internal addressing scheme. The outside host can access the DMZ server only if the outside host uses the masqueraded IP address 203.0.113.2 and port 2200 as its destination.

Figure 17-17 Defining a Static Auto NAT Rule for Inbound Connections

Figure 17-18 shows two rules in a NAT policy; the static Auto NAT rule (bottom) has just been created to translate inbound connections. The dynamic NAT rule (top) was added earlier to translate outbound connections.

Figure 17-18 Dynamic NAT and Static NAT Rules for Outbound and Inbound Traffic

After you add a new NAT rule, you must click the Save button to save the policy. Finally, navigate to Deploy > Deployment to deploy the new NAT policy to your threat defense.
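The following is an added Python model of what the static rule in Figure 17-17 does to a flow in each direction; it is not code from the book or from the threat defense. The rule values (203.0.113.2:2200 to 172.16.1.10:22) come from the text; the outside client address 198.51.100.7 and its source ports are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed model of the static Auto NAT rule from Figure 17-17:
# outside hosts reach 203.0.113.2:2200; the threat defense rewrites it to 172.16.1.10:22.
@dataclass(frozen=True)
class StaticNatRule:
    proto: str
    real_ip: str        # internal (original) address of the DMZ server
    real_port: int
    mapped_ip: str      # masqueraded (public) address shown to outside hosts
    mapped_port: int

@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

DMZ_SSH_RULE = StaticNatRule("tcp", "172.16.1.10", 22, "203.0.113.2", 2200)

def translate_inbound(rule: StaticNatRule, flow: Flow) -> Optional[Flow]:
    """Outside -> DMZ: destination NAT. The masqueraded destination is replaced
    by the real address and port; any other destination leaves the flow unmatched."""
    if (flow.proto, flow.dst_ip, flow.dst_port) != (rule.proto, rule.mapped_ip, rule.mapped_port):
        return None
    return replace(flow, dst_ip=rule.real_ip, dst_port=rule.real_port)

def translate_outbound(rule: StaticNatRule, flow: Flow) -> Optional[Flow]:
    """DMZ -> outside: a static rule is bidirectional, so the server's real source
    address/port (e.g. the SSH reply) is rewritten back to the masqueraded pair."""
    if (flow.proto, flow.src_ip, flow.src_port) != (rule.proto, rule.real_ip, rule.real_port):
        return None
    return replace(flow, src_ip=rule.mapped_ip, src_port=rule.mapped_port)

def demo() -> dict:
    # Constructed outside client 198.51.100.7 opening SSH via the public address.
    inbound = Flow("tcp", "198.51.100.7", 51000, "203.0.113.2", 2200)
    to_server = translate_inbound(DMZ_SSH_RULE, inbound)
    reply = Flow("tcp", "172.16.1.10", 22, "198.51.100.7", 51000)
    to_client = translate_outbound(DMZ_SSH_RULE, reply)
    # A connection to the public address on the real port 22 does not match the rule.
    probe = translate_inbound(DMZ_SSH_RULE, Flow("tcp", "198.51.100.7", 51001, "203.0.113.2", 22))
    return {"to_server": to_server, "to_client": to_client, "probe": probe}

if __name__ == "__main__":
    for name, flow in demo().items():
        print(name, flow)
```

The reply packets show why the rule must be static rather than dynamic: the server's real address and port 22 are mapped back to 203.0.113.2:2200 on the way out, so the outside host never sees the internal addressing scheme.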
