Print this pagePrint this page

Email this topicEmail this topic

View PDFView PDF

Download EPUBDownload EPUB

NAT Firewall Configuration Example

NAT Stateful Firewall Configuration Example displays a NAT stateful firewall configuration example where packets flowing from the inside network to the outside network will result in NAT firewall bindings only for TCP and ICMP packets originating from either the Internal Clients or the Internal Servers. Packets for all other protocols on VLANs 10 and 20 are dropped.

Packets returning from the outside network matching a dynamic NAT firewall binding will be forwarded.

Any packets arriving on the outside network, not matching an existing dynamic NAT firewall binding and destined to either the Internal Clients or the Internal Servers will be dropped. This prohibits any user coming from the outside network from initiating a connection to the inside network, providing a secure inside network.

Click to expand in new window
NAT Stateful Firewall Configuration Example
Graphics/NatFirewall1.png

This NAT firewall configuration example:

  • Creates an inside network VLAN 10 for internal servers
  • Creates an inside network VLAN 20 for internal clients
  • Creates an outside network VLAN 4000
  • Creates a firewall ACL (“firewall_acl”) that permits TCP, ICMP, and IP packets for both the internal servers and clients
  • Configures the dynamic NAT firewall list rule
    System(rw)->configure
System(rw-config)->interface vlan 10
System(rw-config-intf-vlan.0.10)->description “Internal Servers”
System(rw-config-intf-vlan.0.10)->ip address 10.1.1.1 255.255.255.0 primary
System(rw-config-intf-vlan.0.10)->ip nat inside
System(rw-config-intf-vlan.0.10)->no shutdown
System(rw-config-intf-vlan.0.10)->exit
System(rw-config)->interface vlan 20
System(rw-config-intf-vlan.0.20)->description “Internal Clients”
System(rw-config-intf-vlan.0.20)->ip address 20.1.1.1 255.255.255.0 primary
System(rw-config-intf-vlan.0.20)->ip nat inside
System(rw-config-intf-vlan.0.20)->no shutdown
System(rw-config-intf-vlan.0.20)->exit
System(rw-config)->interface vlan 4000
System(rw-config-intf-vlan.0.4000)->description “Outside Network”
System(rw-config-intf-vlan.0.4000)->ip address 100.1.1.1 255.255.255.0 primary
System(rw-config-intf-vlan.0.4000)->ip nat outside
System(rw-config-intf-vlan.0.4000)->no shutdown
System(rw-config-intf-vlan.0.4000)->exit
System(rw-config)->ip access-list extended firewall_acl
System(rw-cfg-ext-acl)->permit tcp 10.1.1.1 0.0.0.255 any log-verbose
System(rw-cfg-ext-acl)->permit icmp 10.1.1.1 0.0.0.255 any log-verbose
System(rw-cfg-ext-acl)->permit tcp 20.1.1.1 0.0.0.255 any log-verbose
System(rw-cfg-ext-acl)->permit icmp 20.1.1.1 0.0.0.255 any log-verbose
System(rw-cfg-ext-acl)->permit ip any 10.1.1.1 0.0.0.255 log-verbose
System(rw-cfg-ext-acl)->permit ip any 20.1.1.1 0.0.0.255 log-verbose
System(rw-cfg-ext-acl)->exit
System(rw-config)->ip nat inside source list firewall_acl overload
System(rw-config)->
Published May 2016prev | next

Email this topicEmail this topic

Print this pagePrint this page