From Outside Network to Inside Network

When you configure a standard dynamic NAT list rule and specify a NAT pool, a packet that arrives on an outside interface destined for the original source address (the NATted global address obtained from the configured NAT pool) and has no matching binding is dropped, because it was destined for a NAT global address.

With a dynamic NAT firewall list rule (no pool specified), the inside address is not NATted and is visible to the outside world. Therefore, a packet can arrive on an outside network destined for an inside address defined in the dynamic NAT firewall list rule without matching an existing binding.

To ensure that packets from the outside network do not leak through to the inside network when no binding exists, the ACL configured on the dynamic NAT firewall list rule is examined in reverse: the packet's destination IP or port is matched against the ACL source IP and port, and the packet's source IP or port is matched against the ACL destination IP and port. When no binding exists, packets on the outside network matching an ACL permit rule are dropped by the firewall. A packet arriving on an outside network matching an ACL deny rule is forwarded by the firewall.
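The reverse-ACL evaluation described above, as an added Python simulation that is not part of the original documentation or of any vendor's code. It models only the firewall list rule without a pool; the ACL entries, addresses, binding table and the handling of a packet that matches no ACL entry are constructed assumptions.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass
class AclEntry:
    """One ACL line on a dynamic NAT firewall list rule, written in the
    forward (inside-to-outside) direction: src is the inside side."""
    action: str                  # "permit" or "deny"
    src_net: str                 # inside network, e.g. "10.1.1.0/24"
    dst_net: str                 # outside network
    src_port: int | None = None  # None matches any port
    dst_port: int | None = None

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

def _match(net: str, port: int | None, ip: str, pkt_port: int) -> bool:
    in_net = ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    return in_net and (port is None or port == pkt_port)

def outside_to_inside(pkt: Packet, acl: list[AclEntry], bound_inside: set[str]) -> str:
    """Fate of a packet arriving on an OUTSIDE interface under a dynamic NAT
    firewall list rule (no pool, so inside addresses are not translated)."""
    # An existing binding for the inside host means this is return traffic
    # for an inside-initiated session: forward it.
    if pkt.dst_ip in bound_inside:
        return "forward (binding)"
    # No binding: walk the ACL in reverse. Packet destination is compared with
    # the ACL source, packet source with the ACL destination.
    for e in acl:
        if (_match(e.src_net, e.src_port, pkt.dst_ip, pkt.dst_port)
                and _match(e.dst_net, e.dst_port, pkt.src_ip, pkt.src_port)):
            # permit: inside host is subject to NAT, unsolicited packet is dropped.
            # deny: host is not subject to the rule, packet is forwarded.
            return "drop (permit, no binding)" if e.action == "permit" else "forward (deny)"
    # Assumption (not stated on the page): traffic matching no ACL entry is
    # outside the scope of the NAT rule and this simulation leaves it alone.
    return "no ACL match"

# Constructed sample: 10.1.1.0/24 is NATted except host 10.1.1.50; 10.1.1.10 has
# an active outbound session (binding).
ACL = [AclEntry("deny", "10.1.1.50/32", "0.0.0.0/0"),
       AclEntry("permit", "10.1.1.0/24", "0.0.0.0/0")]
BOUND = {"10.1.1.10"}
```

Calling `outside_to_inside` with an unsolicited packet to 10.1.1.20 yields a drop, while the same packet to 10.1.1.50 (covered by the deny line) is forwarded, which is exactly the behaviour the paragraph describes.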