Goal:
Support the following NAT configuration requirements (1 and 2) on the same Ecommerce Firewall. The Ecommerce Firewall will eventually have to support the following traffic patterns (outside -> inside; inside -> outside; outside -> dmz; dmz -> dmz; dmz -> inside; dmz -> outside). For now, we are most concerned with the outside -> inside initiated traffic pattern.
For the outside -> inside traffic pattern: use the firewall context's outside interface as the source NAT address so that traffic returns to the correct virtual firewall context. For some connections we cannot NAT the incoming source IP addresses of outside -> inside traffic (1); in these cases we need to see the "real" internet source address, and therefore these connections will be policy routed.
Detailed Test Example: (The first 3 octets of the public addresses have been replaced by aa.bb.cc)
We tried the following test to determine if 1 and 2 can be supported in the same firewall context configuration:
We tried unsuccessfully to get goals 1 and 2 above supported in the same context configuration using the NAT configuration below.
access-list outside_pnat_inbound extended permit ip any host aa.bb.cc.12
global (inside) 1 interface
nat (outside) 1 access-list outside_pnat_inbound outside
static (inside,outside) aa.bb.cc.20 testftp netmask 255.255.255.255 dns
static (inside,outside) aa.bb.cc.12 test1 netmask 255.255.255.255
Rule #1: access-list outside_access_in extended permit tcp any gt 1024 host aa.bb.cc.12 eq telnet log (we wish to source-NAT traffic matching this rule)
Rule #2: access-list outside_access_in extended permit tcp any gt 1023 host aa.bb.cc.20 eq ftp log (we wish to policy route traffic matching this rule)
Results:
We can successfully telnet to the aa.bb.cc.12 host; however, we cannot connect to the aa.bb.cc.20 FTP server.