chillyjim (Senior Member), 2008-04-15
Re: uni-directional nature of hide nat

If the policy permits and the real IP address of the host is routeable, then this will work. It's really silly to "hide" a routeable IP address that you are allowing external connections to.

Hide NATs are uni-directional in origination (host outbound); static, or one-to-one, NATs are bi-directional in origination.

So, if my.host has IPA and a hide address of IPh:

If my.host connects to ftp.site, the connection and return path will be on IPh.

If outside.site tries to start a connection to IPh, it will fail (this is the point of a stateful firewall).

Now if IPA is a routeable address and the policy permits, outside.site can connect to IPA.

If my.host is a static NAT (the normal way of doing this) of IPA', then a connection to or from my.host (assuming policy allows) is possible on IPA'.

As for the PIX, before version 7, all connections were NATed. In some cases they were NATed to the same address (e.g. 4.2.2.2 inside, 4.2.2.2 outside). This is a remnant of the PIX's original function, to provide NAT.

If configured "correctly" you can achieve the same hide-outbound and don't-translate-inbound behaviour on the PIX and ASA that you describe.

The real question is, what are you trying to accomplish?
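A toy stateful-firewall model of the behaviour the post describes, added here as an illustration (not the poster's code, nor Check Point or PIX logic): the hide address IPh only ever gets a state-table entry from host-originated traffic, so inbound connections to IPh are dropped, while a static mapping (IPA to IPA') or a routeable real address with a permitting policy can be connected to from outside. The address strings IPA, IPh and IPA', the host names and the `policy` callable are the post's symbols and constructed inputs.

```python
"""Toy stateful firewall (constructed model, not Check Point/PIX code): hide NAT vs static NAT."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool = False  # True only for the first packet of a new connection

class StatefulNatFirewall:
    def __init__(self, hide_addr, hide_hosts, static, routeable, policy):
        self.hide_addr = hide_addr          # IPh
        self.hide_hosts = set(hide_hosts)   # real addresses hidden behind IPh
        self.static = dict(static)          # real -> translated, e.g. IPA -> IPA'
        self.static_rev = {v: k for k, v in self.static.items()}
        self.routeable = set(routeable)     # real addresses reachable from outside
        self.policy = policy                # policy(real_src, real_dst) -> bool
        self.state = {}                     # (inside translated, outside) -> inside real

    def outbound(self, pkt):
        # Host-originated direction: the only place a hide-NAT entry is ever created
        xlated = self.static.get(pkt.src, self.hide_addr if pkt.src in self.hide_hosts else pkt.src)
        key = (xlated, pkt.dst)
        if key not in self.state:           # new session: SYN required and policy decides
            if not pkt.syn or not self.policy(pkt.src, pkt.dst):
                return None
            self.state[key] = pkt.src
        return Packet(xlated, pkt.dst, pkt.syn)

    def inbound(self, pkt):
        # From outside: existing state first, then static/routeable mappings only
        real = self.state.get((pkt.dst, pkt.src))
        if real is not None:                # return path of a session already in the table
            return Packet(pkt.src, real, pkt.syn)
        if not pkt.syn or pkt.dst == self.hide_addr:
            return None                     # no state, and nothing *is* IPh: dropped
        real_dst = self.static_rev.get(pkt.dst, pkt.dst if pkt.dst in self.routeable else None)
        if real_dst is None or not self.policy(pkt.src, real_dst):
            return None
        self.state[(pkt.dst, pkt.src)] = real_dst
        return Packet(pkt.src, real_dst, pkt.syn)

def hide_nat_scenario(policy=lambda s, d: True):
    """my.host (real IPA, hidden behind IPh, routeable) talks to ftp.site; outside.site tries both."""
    fw = StatefulNatFirewall("IPh", {"IPA"}, {}, {"IPA"}, policy)
    out = fw.outbound(Packet("IPA", "ftp.site", True))          # leaves as IPh -> ftp.site
    back = fw.inbound(Packet("ftp.site", "IPh"))                # reply matched by the state table
    to_hide = fw.inbound(Packet("outside.site", "IPh", True))   # dropped: hide NAT is uni-directional
    to_real = fw.inbound(Packet("outside.site", "IPA", True))   # allowed: routeable and policy permits
    return out, back, to_hide, to_real
```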