
NAT packets

Status
Not open for further replies.

Donachie (Technical User), Jan 31, 2005
I have been asked to NAT some traffic leaving our network behind the vrrp address of our pair. No problem there.

My question relates to the replies back. All connections will be initiated on our side - none will ever be initiated from the remote side ( an HSRP address of a pair of Ciscos).

My question is this:

With the reply packets to my VRRP address, the firewall forwards them to the requesting client from the state table. What will the source IP of the packets that are sent to the internal clients be? The VRRP address or the actual IP address?

Thanks.
 
The source address will be the end system that you are connecting to, not the firewall, unless of course you are connecting TO the firewall and not just THROUGH it.

If you look at your NAT rules tab you will see where the source and destination addresses are altered. So for example if you connect to, say, 216.45.19.33 then the original source will be the IP address of the host on your LAN and the destination will be 216.45.19.33. When the packets hit your firewall the source will be NATed to the VRRP address (hide address) and the destination will still be 216.45.19.33. For the reply from the web server, the source will be 216.45.19.33 and the destination will be the VRRP address until the packets hit the firewall. Once NAT has occurred the destination will be changed to the LAN address of your host but the source will still be 216.45.19.33.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
ok thanks.

Another question regarding this: as all connections are initiated from our side, do I only need one rule on the policy, i.e. allowing outbound access? As Checkpoint is stateful, the reply packets should be checked against the state table and allowed in this way?
 
Correct. Firewall-1 is fully stateful and so will take care of any replies to outbound initiated connections.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
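To make the address flow in Chris's two answers concrete, here is an added toy model (not Check Point code, and not from the original thread) of hide NAT behind a VRRP address with a stateful connection table. It shows the outbound translation, the reply being delivered to the LAN host with 216.45.19.33 still as its source, and an unsolicited inbound packet being dropped because no state entry exists and there is no inbound rule. The VRRP and LAN addresses below are constructed placeholders; 216.45.19.33 is the address used in the thread.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

VRRP_HIDE_ADDR = "203.0.113.1"  # constructed: the firewall pair's VRRP (hide) address
LAN_HOST = "192.168.1.10"       # constructed: internal client behind the firewall
WEB_SERVER = "216.45.19.33"     # remote host quoted in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class HideNatFirewall:
    """Toy hide NAT: many LAN hosts share one outside address, tracked per connection."""

    def __init__(self, hide_addr: str, first_nat_port: int = 10000) -> None:
        self.hide_addr = hide_addr
        self.next_port = first_nat_port
        # state table: (remote ip, remote port, nat port) -> (original src, original sport)
        self.state: Dict[Tuple[str, int, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> outside: rewrite the source to the hide address and record state."""
        nat_port = self.next_port
        self.next_port += 1
        self.state[(pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
        return Packet(self.hide_addr, nat_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> LAN: only packets matching an existing state entry get through."""
        if pkt.dst != self.hide_addr:
            return None  # not addressed to the hide address at all
        entry = self.state.get((pkt.src, pkt.sport, pkt.dport))
        if entry is None:
            return None  # no outbound connection created this state: dropped
        orig_src, orig_sport = entry
        # Destination is restored to the LAN host; the source stays the remote server.
        return Packet(pkt.src, pkt.sport, orig_src, orig_sport)


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    fw = HideNatFirewall(VRRP_HIDE_ADDR)
    out = fw.outbound(Packet(LAN_HOST, 40000, WEB_SERVER, 80))
    reply = Packet(WEB_SERVER, 80, VRRP_HIDE_ADDR, out.sport)
    delivered = fw.inbound(reply)                                   # reaches LAN_HOST
    unsolicited = fw.inbound(Packet(WEB_SERVER, 80, VRRP_HIDE_ADDR, 12345))  # dropped
    return out, delivered, unsolicited
```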
 