05-29-2018 05:24 AM
I have a pretty good understanding of the difference between SRC and DST Nat, but there is one area that I could use some clarification on.
With SRC NAT, I understand that by selecting BI-Directional, it allows an IP to be translated to an outside address and that Bi-Directional created an implied policy so that someone on the outside could initiate traffic back to the machine from the outside. It sounds like a good use case would be when the inside machine needs access to the outside and also requires the ability for someone on the outside to connect to it.
Wit DST NAT, I understand that it uses both the untrust (outside) zone for both the source and destination Zone and that you use a translated address to get it to the proper machine hosted in another zone. My question is does the use of DST NAT still allow the machine/server to originate traffic outbound? For example, if you used DST NAT to provide access to a machine in a DMZ, can that machine initiate traffic to the outside, or does it only allow inbound traffic?
I appreciate any feedback you can provide.
Thanks.
05-29-2018 06:22 AM
Hi @sgoethals
All NAT policies are unidirectional in nature (save for reply packets belonging to a session that was inituially started in the appropriate direction)
Hence, the option to either use an inbound and outbound policy, or use the bi-directional option which creates an implied policiy to take the role of the otherwise explicit destination policy you would create
If you do not use the bi-directional option, you will need to create both an inbound and an outbound policy (this is preferred as it provides better visibility of the policies in use) if your server also needs to connect out
A common 'hybrid' is to have several unique inbound policies for different servers/ports and have a 'hide' nat sourcenat outbound for all outbound connections.
This is applied when each individual sertver does not require a unique IP when going out to the internet.
05-29-2018 07:19 AM
Hi @sgoethals
no I do mean the actual representation of the policies as they are all visible to you for inspection. Logs will contain all the same information
the bi-directional rules are invisoble so you may 'forget' they exist
they also drop some parameters to allow for dynamically creating a policy that matches outbound traffic
eg. outbound trust to untrust, 192.168.0.1 translated to 198.51.100.1
bi-dir : any to untrust , 198.51.100.1 to 192.168.0.1
admin@PA-220> show running nat-policy
"outbound; index: 1" {
nat-type ipv4;
from trust;
source 192.168.0.1;
to untrust;
to-interface ethernet1/3 ;
destination any;
service 0:any/any/any;
translate-to "src: 195.51.100.1 (static-ip) (pool idx: 1)";
terminal no;
}
"outbound; index: 2" {
nat-type ipv4;
from any;
source any;
to untrust;
to-interface ethernet1/3 ;
destination 195.51.100.1;
service 0:any/any/any;
translate-to "dst: 192.168.0.1";
terminal no;
}
This may be an important factor to consider
05-29-2018 06:22 AM
Hi @sgoethals
All NAT policies are unidirectional in nature (save for reply packets belonging to a session that was inituially started in the appropriate direction)
Hence, the option to either use an inbound and outbound policy, or use the bi-directional option which creates an implied policiy to take the role of the otherwise explicit destination policy you would create
If you do not use the bi-directional option, you will need to create both an inbound and an outbound policy (this is preferred as it provides better visibility of the policies in use) if your server also needs to connect out
A common 'hybrid' is to have several unique inbound policies for different servers/ports and have a 'hide' nat sourcenat outbound for all outbound connections.
This is applied when each individual sertver does not require a unique IP when going out to the internet.
05-29-2018 06:37 AM
Hi @reaper,
Thanks for the reply and the explanation. This helps. When you state that creating an inbound and outbound policy provides more visibility, I assume you are referring to the ability to view more detailed information as a result of logs.
As for security, is there any difference between using either bi-directional or creating separate inbound and outbound policies?
05-29-2018 07:19 AM
Hi @sgoethals
no I do mean the actual representation of the policies as they are all visible to you for inspection. Logs will contain all the same information
the bi-directional rules are invisoble so you may 'forget' they exist
they also drop some parameters to allow for dynamically creating a policy that matches outbound traffic
eg. outbound trust to untrust, 192.168.0.1 translated to 198.51.100.1
bi-dir : any to untrust , 198.51.100.1 to 192.168.0.1
admin@PA-220> show running nat-policy
"outbound; index: 1" {
nat-type ipv4;
from trust;
source 192.168.0.1;
to untrust;
to-interface ethernet1/3 ;
destination any;
service 0:any/any/any;
translate-to "src: 195.51.100.1 (static-ip) (pool idx: 1)";
terminal no;
}
"outbound; index: 2" {
nat-type ipv4;
from any;
source any;
to untrust;
to-interface ethernet1/3 ;
destination 195.51.100.1;
service 0:any/any/any;
translate-to "dst: 192.168.0.1";
terminal no;
}
This may be an important factor to consider
05-29-2018 07:28 AM
Hi @reaper,
Thanks again for the clarification. I appreciate it your explanation and expertise. Makes total sense.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
