configure static NAT in FWSM

Nov 18th, 2007

Hi all,

I use FWSM and now I want to configure static NAT in FWSM:

Diagram:

Webserver : 192.0.2.6/32 , interface: inside

NAT IP : 202.78.x.x /32 , interface: outside

I want to configure static NAT from the Webserver to the public IP so that everyone can connect to the Webserver with Service Any.

I have only configured:

nameif vlan2 inside security100

access-list INSIDE extended permit ip 192.0.2.0 255.255.255.0 any

access-list acl_mdc_inside_access extended permit ip object-group any

ip address inside 192.0.2.x 255.255.255.0 standby 192.0.2.x

nat (inside) 0 access-list INSIDE

access-group acl_mdc_inside_access in interface inside

static (inside, outside) 202.78.x.x 192.0.2.6 netmask 255.255.255.255

Must I configure an access-list and routing?

If you need more information, please ask me.

Thank you very much!

Duy Khang

JORGE RODRIGUEZ Sun, 11/18/2007 - 20:23

Duy, you have to configure static NAT, which you already have in the script, an access-list to allow inbound traffic, and apply the ACL to the outside interface. You don't have to configure routing unless this is a new PIX/FWSM setup; if it is a new setup you need to configure global NAT and a default route to access the outside internet. Is the outside interface the only public IP address you have for NAT?

e.g., if you are using a spare public IP address for the webserver, the NAT config would look as:

static (inside,outside) 202.78.x.x 192.0.2.6 netmask 255.255.255.255

access-list outside_access_in permit tcp any host 202.78.x.x

access-group outside_access_in in interface outside

if using the outside pix interface IP address as your NAT/PAT address, the static should be as:

static (inside,outside) interface 192.0.2.6 netmask 255.255.255.255

access-list outside_access_in permit tcp any host 202.78.x.x

access-group outside_access_in in interface outside

to configure global nat

global (outside) 1 interface

to configure the default route

route outside 0 0 x.x.x.x 1

where x is the ISP router and 1 is the next hop.

HTH

Jorge
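The point of Jorge's reply is that a static by itself does nothing for inbound traffic until an access-list applied to the outside interface permits the global address, and for a web server that permit should be narrower than "permit tcp any host X" (all ports). The following audit script is an added example, not code from the thread or from Cisco: it parses static/access-list/access-group lines in the PIX/FWSM syntax shown above and reports, per static, whether the global IP is unreachable (no inbound permit), overly broad (every port open) or limited to named ports. The sample config is constructed with documentation addresses; the `interface` keyword form of static is not resolved here.

```python
"""Audit FWSM/PIX-style static NAT against the inbound ACL on the outside
interface. Added example; the config below is constructed, not from the
thread, and uses RFC 5737 documentation addresses as placeholders."""
import re
from collections import defaultdict

# Constructed sample: one static open to all TCP ports (as in the reply),
# one limited to www/443, and one that has no inbound permit at all.
SAMPLE_CONFIG = """
static (inside,outside) 203.0.113.10 192.0.2.6 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 192.0.2.7 netmask 255.255.255.255
static (inside,outside) 203.0.113.12 192.0.2.8 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 203.0.113.10
access-list outside_access_in permit tcp any host 203.0.113.11 eq www
access-list outside_access_in permit tcp any host 203.0.113.11 eq 443
access-group outside_access_in in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),\s*(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(
    r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) (.+?) host (\S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def audit(config: str) -> dict:
    """Return {global_ip: verdict} for every static in the config text."""
    statics, acls, bound = [], defaultdict(list), {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append((m.group(2), m.group(3)))  # (outside iface, global IP)
        elif m := ACL_RE.match(line):
            name, action, proto, _src, dst, port = m.groups()
            acls[name].append((action, proto, dst, port))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL applied inbound
    findings = {}
    for iface, global_ip in statics:
        entries = [e for e in acls.get(bound.get(iface, ""), [])
                   if e[0] == "permit" and e[2] == global_ip]
        if not entries:
            findings[global_ip] = "unreachable: no inbound permit on " + iface
        elif any(e[1] == "ip" or e[3] is None for e in entries):
            findings[global_ip] = "overly broad: permits every port"
        else:
            findings[global_ip] = "ok: " + ",".join(e[3] for e in entries)
    return findings


if __name__ == "__main__":
    for ip, verdict in audit(SAMPLE_CONFIG).items():
        print(ip, verdict)
```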
