Re: strange working of static nat

When you use Automatic NAT, the one object contains the public AND the private IP address. As such, if you take your MailServer, give the object an IP of 10.10.10.10 and then Automatic Static NAT it to 40.40.40.40, then wherever you use the object MailServer there are actually two IP addresses included in the security policy.

From the Internet the policy will then match on the 40.40.40.40 address. Whilst from your public IP range you can access the internal 10.10.10.10 as well, that address is not routable over the Internet, so if someone from another public net attempted to access you as 10.10.10.10 it would not be routed to your firewall, but get dropped as not a public IP.

As such your rules look like:

  Src = Any
  Dst = MailServer (10.10.10.10)(40.40.40.40)
  Srv = SMTP
  Action = Accept

  Src = MailServer (10.10.10.10)(40.40.40.40)
  Dst = Any
  Srv = SMTP
  Action = Accept

This is why you can use the same object for the public and private address.

The alternative is to use Manual NAT and use two objects:

  MailServer_Internal (10.10.10.10)
  MailServer_External (40.40.40.40)

Your rules would now need to be:

  Src = Any
  Dst = MailServer_External (40.40.40.40)
  Srv = SMTP

  Src = MailServer_Internal (10.10.10.10)
  Dst = Any
  Srv = SMTP

Last edited by mcnallym; 2008-04-15 at 05:35.
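The following is an added example, not part of mcnallym's post and not Check Point's own code. It is a small Python model of the rulebase matching the post describes: an object with Automatic Static NAT carries both its private and its translated address, so one rule matches traffic addressed to either, while with Manual NAT you must reference the object that holds the address the packet actually carries when the policy is evaluated (the public one for inbound connections). The model is deliberately simplified: it ignores interfaces, anti-spoofing and the NAT rulebase itself, and the external client address 203.0.113.5 is a constructed sample from the documentation range.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import FrozenSet, List, Optional, Union

ANY = "Any"  # stands in for the built-in "Any" object in a rule column


@dataclass(frozen=True)
class HostObject:
    """A host object. With Automatic Static NAT the same object also
    carries its translated (public) address, so it matches both."""
    name: str
    private_ip: str
    auto_nat_ip: Optional[str] = None  # set only for Automatic Static NAT

    def addresses(self) -> FrozenSet[IPv4Address]:
        addrs = {ip_address(self.private_ip)}
        if self.auto_nat_ip:
            addrs.add(ip_address(self.auto_nat_ip))
        return frozenset(addrs)


@dataclass(frozen=True)
class Rule:
    src: Union[HostObject, str]
    dst: Union[HostObject, str]
    service: str
    action: str = "Accept"


def _column_matches(column: Union[HostObject, str], ip: str) -> bool:
    if column == ANY:
        return True
    return ip_address(ip) in column.addresses()


def lookup(rules: List[Rule], src: str, dst: str, service: str) -> str:
    """Return the action of the first matching rule. The policy is
    evaluated on the packet as it arrives (before NAT rewrites it), so an
    inbound connection from the Internet is checked against 40.40.40.40.
    No match falls through to the implicit cleanup rule and is dropped."""
    for rule in rules:
        if (_column_matches(rule.src, src)
                and _column_matches(rule.dst, dst)
                and rule.service == service):
            return rule.action
    return "Drop"


# Automatic NAT: one object, two addresses, two rules as in the post.
MAILSERVER = HostObject("MailServer", "10.10.10.10", auto_nat_ip="40.40.40.40")
AUTO_NAT_POLICY = [
    Rule(ANY, MAILSERVER, "smtp"),
    Rule(MAILSERVER, ANY, "smtp"),
]

# Manual NAT: two objects, each rule references the one whose address the
# packet carries at policy-match time.
MAIL_INTERNAL = HostObject("MailServer_Internal", "10.10.10.10")
MAIL_EXTERNAL = HostObject("MailServer_External", "40.40.40.40")
MANUAL_NAT_POLICY = [
    Rule(ANY, MAIL_EXTERNAL, "smtp"),
    Rule(MAIL_INTERNAL, ANY, "smtp"),
]

# Manual NAT done wrong: the inbound rule names the internal object only,
# so inbound mail to the public address never matches and is dropped.
MISTAKEN_MANUAL_POLICY = [
    Rule(ANY, MAIL_INTERNAL, "smtp"),
    Rule(MAIL_INTERNAL, ANY, "smtp"),
]

INTERNET_CLIENT = "203.0.113.5"  # constructed sample external address


if __name__ == "__main__":
    for name, policy in (("automatic", AUTO_NAT_POLICY),
                         ("manual", MANUAL_NAT_POLICY),
                         ("manual (wrong object)", MISTAKEN_MANUAL_POLICY)):
        inbound = lookup(policy, INTERNET_CLIENT, "40.40.40.40", "smtp")
        outbound = lookup(policy, "10.10.10.10", INTERNET_CLIENT, "smtp")
        print(f"{name:22s} inbound SMTP: {inbound:6s} outbound SMTP: {outbound}")
```

Running the block prints Accept/Accept for both correct policies and Drop/Accept for the mistaken manual policy, which is the symptom people usually hit when they move from Automatic to Manual NAT and keep referencing the internal object in the inbound rule.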