The NAT Stateful Firewall Configuration Example below shows a configuration in which packets flowing from the inside network to the outside network create NAT firewall bindings only for TCP and ICMP packets originating from the Internal Servers (VLAN 10) or the Internal Clients (VLAN 20). Packets of any other protocol arriving on VLANs 10 and 20 are dropped.
Packets returning from the outside network that match a dynamic NAT firewall binding are forwarded.
Any packet arriving from the outside network that does not match an existing dynamic NAT firewall binding and is destined to the Internal Clients or the Internal Servers is dropped. No host on the outside network can therefore initiate a connection to the inside network; the inside network is reachable only through bindings created by its own outbound TCP and ICMP traffic.
The configuration for this NAT firewall example:
System(rw)->configure
System(rw-config)->interface vlan 10
System(rw-config-intf-vlan.0.10)->description "Internal Servers"
System(rw-config-intf-vlan.0.10)->ip address 10.1.1.1 255.255.255.0 primary
System(rw-config-intf-vlan.0.10)->ip nat inside
System(rw-config-intf-vlan.0.10)->no shutdown
System(rw-config-intf-vlan.0.10)->exit
System(rw-config)->interface vlan 20
System(rw-config-intf-vlan.0.20)->description "Internal Clients"
System(rw-config-intf-vlan.0.20)->ip address 20.1.1.1 255.255.255.0 primary
System(rw-config-intf-vlan.0.20)->ip nat inside
System(rw-config-intf-vlan.0.20)->no shutdown
System(rw-config-intf-vlan.0.20)->exit
System(rw-config)->interface vlan 4000
System(rw-config-intf-vlan.0.4000)->description "Outside Network"
System(rw-config-intf-vlan.0.4000)->ip address 100.1.1.1 255.255.255.0 primary
System(rw-config-intf-vlan.0.4000)->ip nat outside
System(rw-config-intf-vlan.0.4000)->no shutdown
System(rw-config-intf-vlan.0.4000)->exit
System(rw-config)->ip access-list extended firewall_acl
System(rw-cfg-ext-acl)->permit tcp 10.1.1.1 0.0.0.255 any log-verbose
System(rw-cfg-ext-acl)->permit icmp 10.1.1.1 0.0.0.255 any log-verbose
System(rw-cfg-ext-acl)->permit tcp 20.1.1.1 0.0.0.255 any log-verbose
System(rw-cfg-ext-acl)->permit icmp 20.1.1.1 0.0.0.255 any log-verbose
System(rw-cfg-ext-acl)->permit ip any 10.1.1.1 0.0.0.255 log-verbose
System(rw-cfg-ext-acl)->permit ip any 20.1.1.1 0.0.0.255 log-verbose
System(rw-cfg-ext-acl)->exit
System(rw-config)->ip nat inside source list firewall_acl overload
System(rw-config)->
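Two points worth checking in the access list before copying it: the entries are written with the interface address and a wildcard mask (10.1.1.1 0.0.0.255), and because the wildcard ignores the last octet they match the whole 10.1.1.0/24 and 20.1.1.0/24 subnets, not just the VLAN interface addresses; and the first four entries are what create bindings (TCP and ICMP from the inside subnets to any destination), while the last two cover traffic from any source addressed to the inside subnets, which is dropped unless a binding exists, as described above. The following added example is not Extreme or Enterasys code and not part of this page; it is a small model of that binding behaviour, using the addresses from the configuration above. The peer addresses, the 300-second idle timeout, the port pool starting at 1024 and the ICMP identifier standing in for a port are assumptions of the example.

```python
"""Model of the NAT stateful-firewall behaviour on this page (added example,
not vendor code). Inside subnets and the outside address come from the example
configuration; timeout, port pool and peer addresses are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE_NETS = [ip_network("10.1.1.0/24"), ip_network("20.1.1.0/24")]  # VLAN 10 / VLAN 20
OUTSIDE_IP = "100.1.1.1"          # VLAN 4000 address shared by all bindings (overload)
BINDING_PROTOS = {"tcp", "icmp"}  # only protocols with a permit entry create bindings
IDLE_TIMEOUT = 300                # assumed binding idle timeout, seconds
FIRST_PORT = 1024                 # assumed start of the translated-port pool


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0   # for icmp the echo identifier stands in for the port
    dport: int = 0


class NatFirewall:
    def __init__(self):
        # (proto, outside_port) -> [inside_ip, inside_port, peer_ip, peer_port, last_seen]
        self.bindings = {}
        self.next_port = FIRST_PORT

    @staticmethod
    def _inside(ip):
        return any(ip_address(ip) in net for net in INSIDE_NETS)

    def _expire(self, now):
        stale = [k for k, b in self.bindings.items() if now - b[4] > IDLE_TIMEOUT]
        for k in stale:
            del self.bindings[k]

    def process(self, pkt, now=0):
        """Return (action, packet as forwarded); action is 'forward' or 'drop'."""
        self._expire(now)
        src_in, dst_in = self._inside(pkt.src), self._inside(pkt.dst)
        if src_in and dst_in:
            return "forward", pkt            # inside-to-inside traffic is not translated
        if src_in:
            return self._outbound(pkt, now)
        return self._inbound(pkt, now)

    def _outbound(self, pkt, now):
        # Mirrors 'permit tcp/icmp <inside> any': any other protocol from VLAN 10/20 is dropped.
        if pkt.proto not in BINDING_PROTOS:
            return "drop", None
        for key, b in self.bindings.items():
            if key[0] == pkt.proto and b[:4] == [pkt.src, pkt.sport, pkt.dst, pkt.dport]:
                b[4] = now                   # refresh the existing binding
                return "forward", Packet(pkt.proto, OUTSIDE_IP, pkt.dst, key[1], pkt.dport)
        port = self._alloc_port(pkt.proto)
        self.bindings[(pkt.proto, port)] = [pkt.src, pkt.sport, pkt.dst, pkt.dport, now]
        return "forward", Packet(pkt.proto, OUTSIDE_IP, pkt.dst, port, pkt.dport)

    def _alloc_port(self, proto):
        while (proto, self.next_port) in self.bindings:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def _inbound(self, pkt, now):
        # Only a reply to an existing binding, from the same peer, is forwarded.
        # Everything else from outside, including packets addressed straight to
        # 10.1.1.0/24 or 20.1.1.0/24, is dropped.
        b = self.bindings.get((pkt.proto, pkt.dport))
        if pkt.dst != OUTSIDE_IP or b is None or b[2:4] != [pkt.src, pkt.sport]:
            return "drop", None
        b[4] = now
        return "forward", Packet(pkt.proto, pkt.src, b[0], pkt.sport, b[1])


def demo():
    """Constructed trace; returns the list of (action, forwarded packet) results."""
    fw = NatFirewall()
    trace = [
        (Packet("tcp", "10.1.1.50", "198.51.100.10", 40000, 443), 0),      # server -> outside
        (Packet("tcp", "198.51.100.10", OUTSIDE_IP, 443, FIRST_PORT), 1),   # reply, matches
        (Packet("udp", "20.1.1.7", "198.51.100.10", 5000, 53), 2),          # no permit: drop
        (Packet("tcp", "203.0.113.9", "10.1.1.50", 5555, 22), 3),           # unsolicited: drop
        (Packet("tcp", "203.0.113.9", OUTSIDE_IP, 5555, FIRST_PORT), 4),    # wrong peer: drop
        (Packet("icmp", "20.1.1.7", "198.51.100.10", 7, 0), 5),             # client ping: ok
        (Packet("tcp", "198.51.100.10", OUTSIDE_IP, 443, FIRST_PORT), 400), # binding expired
    ]
    return [fw.process(p, t) for p, t in trace]


if __name__ == "__main__":
    for action, pkt in demo():
        print(action, pkt)
```

Running the block prints the seven decisions: the outbound TCP and ICMP packets are forwarded with source 100.1.1.1 and a pool port, the matching reply is forwarded back to 10.1.1.50:40000, and the UDP packet, the unsolicited inbound packet, the reply from the wrong peer and the reply after the idle timeout are all dropped. The per-peer check in `_inbound` is the part that distinguishes a stateful firewall from plain port forwarding: knowing a translated port is not enough to reach the inside host.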