<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Nat on Aaron&#39;s Worthless Words</title>
    <link>https://38a8db03.aww-3cz.pages.dev/tags/nat/</link>
    <description>Recent content in Nat on Aaron&#39;s Worthless Words</description>
    <generator>Hugo</generator>
    <language>en</language>
    <lastBuildDate>Fri, 11 Sep 2009 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://38a8db03.aww-3cz.pages.dev/tags/nat/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>ASA and Proxy ARP</title>
      <link>https://38a8db03.aww-3cz.pages.dev/posts/2009/09/asa-and-proxy-arp/</link>
      <pubDate>Fri, 11 Sep 2009 00:00:00 +0000</pubDate>
      <guid>https://38a8db03.aww-3cz.pages.dev/posts/2009/09/asa-and-proxy-arp/</guid>
      <description>&lt;p&gt;Wow.  A new entry.  Everyone sit down before you pass out.&lt;/p&gt;&#xA;&lt;p&gt;I&amp;rsquo;ve got a real-world example for you today.  We have an ASA 5540 installed at a business unit with interfaces in multiple networks, including one containing the production servers and another containing the accounting servers.  The production network sits on a 7600 that&amp;rsquo;s not ours, so, to avoid IP conflicts, we are statically NATting connections into that network.  The 7600 has many, many VLANs, and, since the firewall and production servers are on different VLANs, there&amp;rsquo;s an interface VLAN between us.  Sounds pretty straightforward, but it just wasn&amp;rsquo;t working when we tried to connect between the interfaces.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Port Forwarding on the ASA/FWSM/PIX</title>
      <link>https://38a8db03.aww-3cz.pages.dev/posts/2008/05/port-forwarding-on-the-asafwsmpix/</link>
      <pubDate>Tue, 27 May 2008 00:00:00 +0000</pubDate>
      <guid>https://38a8db03.aww-3cz.pages.dev/posts/2008/05/port-forwarding-on-the-asafwsmpix/</guid>
      <description>&lt;p&gt;Here&amp;rsquo;s a simple one since I haven&amp;rsquo;t updated in a while. I have my ASA 5505 at home and want to forward TCP/80 traffic to my public IP to my webserver at 10.10.10.10. There are two steps here &amp;ndash; forward the port and open the ACL.&lt;/p&gt;&#xA;&lt;p&gt;To forward the port, I would use the &lt;em&gt;static&lt;/em&gt; directive, but there are two ways to do that. I can either set up a one-to-one NAT or a port redirection. In the one-to-one NAT, you have an outside address that&amp;rsquo;s mapped directly to an inside address, and any traffic to that IP is passed to the inside host (if it passes ACLs, of course). One of the limitations, though, of using this setup is that you can&amp;rsquo;t use that IP as your PAT address, and, since I only have one IP, no other inside hosts would have an outside address to which to be NATted. The other method &amp;ndash; port redirection &amp;ndash; is a much better solution. In this setup, I actually forward a protocol/port on an outside address to a protocol/port on an inside address. Since there are other ports available on that outside address, the address is still available for other hosts to use as a NAT address.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Star-crossed Lovers:  HSRP/VRRP and NAT</title>
      <link>https://38a8db03.aww-3cz.pages.dev/posts/2008/05/star-crossed-lovers-hsrpvrrp-and-nat/</link>
      <pubDate>Thu, 08 May 2008 00:00:00 +0000</pubDate>
      <guid>https://38a8db03.aww-3cz.pages.dev/posts/2008/05/star-crossed-lovers-hsrpvrrp-and-nat/</guid>
      <description>&lt;p&gt;I was doing an HSRP lab the other day, and a project from the past popped into my head. A customer had a host on a network that was separated from the rest of the network by a 1700 with a couple of FEs. They wanted that host to be NATted to a local address so that they didn&amp;rsquo;t have to do any routing, which makes sense, I guess. This is just your standard 1-to-1 NAT, so we plunked down a quick config.&lt;/p&gt;</description>
    </item>
    <item>
      <title>NAT on a PIX/ASA</title>
      <link>https://38a8db03.aww-3cz.pages.dev/posts/2008/03/nat-on-a-pixasa/</link>
      <pubDate>Thu, 13 Mar 2008 00:00:00 +0000</pubDate>
      <guid>https://38a8db03.aww-3cz.pages.dev/posts/2008/03/nat-on-a-pixasa/</guid>
      <description>&lt;p&gt;NATting sucks and can be confusing. I&amp;rsquo;m sure everyone agrees with that, but you have to use it sometimes. In a PIX/ASA, it&amp;rsquo;s easy to configure a simple setup, but it can be super-complicated in larger networks. In a simple lab, we have set up an ASA with inside and outside interfaces, with the inside as your internal and outside as the Internet.&lt;/p&gt;&#xA;&lt;p&gt;The NAT setup here is easy.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
