FWSM NAT question

niro · ‎04-11-2007

I have a question about natting on the FWSM. We want to move a few servers to an outside VLAN but we also want to still be able to hit them using the old inside IP's. Here's the basic set up:

interface Vlan80

nameif outside

security-level 50

ip address 172.16.1.254 255.255.255.0 standby 172.16.1.253

!

interface Vlan91

nameif outside-servers

security-level 55

ip address 172.16.2.254 255.255.255.0 standby 172.16.2.253

!

interface Vlan100

nameif inside

security-level 100

ip address 10.10.3.254 255.255.255.0 standby 10.10.3.253

The inside vlan the servers were on is 192.168.20.x/24.

Old IP:

192.168.20.100

New IP:

172.16.2.100

I'm assuming I'm going to have to set up a static nat and route that host on the 6509 to 10.10.3.254?

srue · ‎04-11-2007

how about changing the order of a static nat entry? instead of (inside,outside), change it (outside,inside)...

or in your case:

static (outside-servers,inside) 192.168.20.100 172.16.2.2

as well as the proper static route.

niro · ‎04-26-2007

That didn't work...I keep getting a no translation error on the pix log when I try to connect to it...and when I do a show xlate I'm not seeing 192.168.20.100 at all (or the 172.16.2.2)...

niro · ‎04-27-2007

any ideas?

acomiskey · ‎04-27-2007

I think he meant...

static (outside-servers,inside) 192.168.20.100 172.16.2.100

did you try that as well, that is called Destination NAT and should do the trick.

niro · ‎04-27-2007

Pretty sure I did and it didn't work either...but I'll give it another shot...