NAT Firewall Configuration Example

The NAT Stateful Firewall Configuration Example figure shows a NAT stateful firewall configuration in which packets flowing from the inside network to the outside network create NAT firewall bindings only for TCP and ICMP packets originating from either the Internal Clients or the Internal Servers. Packets for all other protocols on VLANs 10 and 20 are dropped.

Packets returning from the outside network matching a dynamic NAT firewall binding will be forwarded.

Any packet arriving from the outside network that does not match an existing dynamic NAT firewall binding and is destined to either the Internal Clients or the Internal Servers is dropped. This prevents any user on the outside network from initiating a connection to the inside network, protecting the inside network.

Figure: NAT Stateful Firewall Configuration Example

This NAT firewall configuration example:

  • Creates an inside network VLAN 10 for internal servers
  • Creates an inside network VLAN 20 for internal clients
  • Creates an outside network VLAN 4000
  • Creates a firewall ACL (“firewall_acl”) that permits TCP, ICMP, and IP packets for both the internal servers and clients
  • Configures the dynamic NAT firewall list rule
    System(rw)->configure
    System(rw-config)->interface vlan 10
    System(rw-config-intf-vlan.0.10)->description "Internal Servers"
    System(rw-config-intf-vlan.0.10)->ip address 10.1.1.1 255.255.255.0 primary
    System(rw-config-intf-vlan.0.10)->ip nat inside
    System(rw-config-intf-vlan.0.10)->no shutdown
    System(rw-config-intf-vlan.0.10)->exit
    System(rw-config)->interface vlan 20
    System(rw-config-intf-vlan.0.20)->description "Internal Clients"
    System(rw-config-intf-vlan.0.20)->ip address 20.1.1.1 255.255.255.0 primary
    System(rw-config-intf-vlan.0.20)->ip nat inside
    System(rw-config-intf-vlan.0.20)->no shutdown
    System(rw-config-intf-vlan.0.20)->exit
    System(rw-config)->interface vlan 4000
    System(rw-config-intf-vlan.0.4000)->description "Outside Network"
    System(rw-config-intf-vlan.0.4000)->ip address 100.1.1.1 255.255.255.0 primary
    System(rw-config-intf-vlan.0.4000)->ip nat outside
    System(rw-config-intf-vlan.0.4000)->no shutdown
    System(rw-config-intf-vlan.0.4000)->exit
    System(rw-config)->ip access-list extended firewall_acl
    System(rw-cfg-ext-acl)->permit tcp 10.1.1.1 0.0.0.255 any log-verbose
    System(rw-cfg-ext-acl)->permit icmp 10.1.1.1 0.0.0.255 any log-verbose
    System(rw-cfg-ext-acl)->permit tcp 20.1.1.1 0.0.0.255 any log-verbose
    System(rw-cfg-ext-acl)->permit icmp 20.1.1.1 0.0.0.255 any log-verbose
    System(rw-cfg-ext-acl)->permit ip any 10.1.1.1 0.0.0.255 log-verbose
    System(rw-cfg-ext-acl)->permit ip any 20.1.1.1 0.0.0.255 log-verbose
    System(rw-cfg-ext-acl)->exit
    System(rw-config)->ip nat inside source list firewall_acl overload
    System(rw-config)->
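The forwarding behaviour described above (bindings created only for inside-originated TCP/ICMP, return traffic forwarded only when it matches a binding, unsolicited outside traffic dropped), modelled as an added Python example; this is not part of the original document or the switch's own code. The inside networks, outside address and ACL protocols are taken from the configuration; the five-tuple binding model, the PAT port pool starting at 1024 and the outside host 198.51.100.7 are assumptions.

```python
import ipaddress
from collections import namedtuple

# Topology from the configuration above; the /24 masks come from the interface commands.
INSIDE_NETS = [ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("20.1.1.0/24")]
OUTSIDE_ADDR = "100.1.1.1"
ACL_PROTOS = {"tcp", "icmp"}          # firewall_acl permits only tcp and icmp outbound
Packet = namedtuple("Packet", "proto src sport dst dport")  # sport/dport = ICMP id for icmp

class StatefulNat:
    def __init__(self):
        # Assumed model of 'ip nat inside source list firewall_acl overload' (PAT from port 1024).
        self.bindings = {}   # (proto, src, sport, dst, dport) -> translated outside port
        self.reverse = {}    # (proto, outside port, remote ip, remote port) -> (src, sport)
        self.next_port = 1024

    def inside_to_outside(self, pkt):
        # Inside -> outside: bind only VLAN 10/20 sources using ACL-permitted protocols; else drop (None).
        if not any(ipaddress.ip_address(pkt.src) in net for net in INSIDE_NETS):
            return None
        if pkt.proto not in ACL_PROTOS:
            return None
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.reverse[(pkt.proto, self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(pkt.proto, OUTSIDE_ADDR, self.bindings[key], pkt.dst, pkt.dport)

    def outside_to_inside(self, pkt):
        # Outside -> inside: translate back only if it matches a dynamic binding from the same remote endpoint.
        if pkt.dst != OUTSIDE_ADDR:
            return None
        inside = self.reverse.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None          # unsolicited inbound connection attempt: dropped
        return Packet(pkt.proto, pkt.src, pkt.sport, inside[0], inside[1])

def run_scenario():
    # Constructed traffic: VLAN 20 client opens HTTPS outbound, reply returns, a UDP flow and an inbound SSH attempt.
    nat = StatefulNat()
    out = nat.inside_to_outside(Packet("tcp", "20.1.1.50", 40000, "198.51.100.7", 443))
    reply = nat.outside_to_inside(Packet("tcp", "198.51.100.7", 443, OUTSIDE_ADDR, out.sport))
    return {
        "client_out": out,
        "server_reply": reply,
        "udp_out": nat.inside_to_outside(Packet("udp", "10.1.1.10", 5000, "198.51.100.7", 53)),
        "unsolicited": nat.outside_to_inside(Packet("tcp", "198.51.100.7", 12345, OUTSIDE_ADDR, 22)),
    }
```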