12-05-2007 02:54 AM - edited 03-11-2019 04:39 AM
Hello,
I'm trying to get the incoming traffic via nat (inbound) 0 to pass the FWSM. I also have nat (inbound) 1 that is working ok on the same incoming interface.
How do I get nat 0 (no NATting via this route) to allow incoming traffic on the inbound interface to reach the outbound interface?
Config extracts:
FWSM Version 2.3(4)
!
same-security-traffic permit inter-interface
!
global (outbound) 1 10.192.3.83
nat (inbound) 0 access-list no_nat
nat (inbound) 1 access-list Proxy_nat
access-group outbound_access_in in interface outbound
access-group inbound_access_in in interface inbound
!
12-05-2007 04:52 AM
Hi
Let's say that you have a 10.10.10.0 network inside and you don't want this address translated when its destination is 10.192.3.120. Then all you need is the following:
access-list no_nat permit ip 10.10.10.0 255.255.255.0 host 10.192.3.120
Regards
12-05-2007 05:47 AM
Thanks,
I'll try to test the following:
access-list no_nat extended permit ip any any
Referencing
http://www.cisco.com/en/US/partner/docs/security/fwsm/fwsm31/configuration/guide/nwacc_f.html
However, I already have the following and cannot identify what else is causing the problem.
Config extracts:
access-list no_nat extended permit ip TS-Proxy 255.255.255.224 GIN2_mgmt1 255.255.255.0
access-list no_nat extended permit ip SB-Proxy 255.255.255.224 GIN2_mgmt1 255.255.255.0
access-list no_nat extended permit ip TS-Proxy 255.255.255.224 10.0.0.0 255.0.0.0
access-list no_nat extended permit ip SB-Proxy 255.255.255.224 10.0.0.0 255.0.0.0
access-list no_nat extended permit ip GIN2_mgmt1 255.255.255.0 TS-Proxy 255.255.255.224
!
name 10.192.1.224 SB-Proxy
name 10.192.2.224 TS-Proxy
!
network-object TS-Proxy 255.255.255.224
network-object SB-Proxy 255.255.255.224
!
12-05-2007 06:38 AM
The following ACL has no use, and all other NAT statements will be ignored. So don't use the following:
access-list no_nat extended permit ip any any
I couldn't browse the link you submitted; would you please describe what you want to achieve?
12-05-2007 07:57 AM
Yes, any any will be of no use. I realised that as soon as I sent the previous reply. So I'm planning to add the following to the existing ACL:
access-list no_nat extended permit ip any 10.230.0.0 255.255.255.0
(What I'm trying to achieve is:
Through tunnel 0 and tunnel 1 in the front-end router, make the front-lower FWSM use
nat 1 to route to a real ISP with real addresses
nat 0 to route to a private ISP with 10.x addresses. (Ours is a 10. address too, but not overlapping.)
Incoming traffic from fe-Router is apparently hitting the FWSM inbound, but cannot get through the FWSM.)
12-05-2007 11:53 AM
So, let's say that
ip address outside aRealIPfromISP
access-list no_nat extended permit ip any 10.230.0.0 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 1 10.x.x.x 255.255.255.0 -> your inside network
global (outside) 1 interface
In the above config, traffic to 10.230.0.0/24 won't be NATed, and the rest of the traffic from your inside network will flow through your ISP.
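As an added illustration (my own example code, not from this thread or from Cisco), the small simulator below mimics how the FWSM picks a nat statement for a flow: a permit match in the nat 0 exemption ACL wins first, then policy NAT ACLs, then regular nat networks. It uses a constructed config in the shape of the examples above (the addresses, the SB-Proxy name and the no_nat entries are sample data, not the poster's real config) and shows why appending permit ip any any to no_nat makes every other nat statement unreachable, as the earlier reply warned.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed FWSM-style configuration in the shape of the thread's examples.
# Sample data only: these addresses and ACL lines are not the poster's real config.
SAMPLE_CONFIG = """
name 10.192.1.224 SB-Proxy
access-list no_nat extended permit ip any 10.230.0.0 255.255.255.0
access-list no_nat extended permit ip SB-Proxy 255.255.255.224 host 10.192.3.120
nat (inside) 0 access-list no_nat
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
"""

Net = ipaddress.IPv4Network


@dataclass
class Config:
    names: Dict[str, str] = field(default_factory=dict)   # object name -> IP
    acls: Dict[str, List[Tuple[str, Net, Net]]] = field(default_factory=dict)
    # (interface, nat id, acl name or None, network or None)
    nats: List[Tuple[str, int, Optional[str], Optional[Net]]] = field(default_factory=list)
    globals_: Dict[int, str] = field(default_factory=dict)  # nat id -> "(iface) value"


def _addr(tokens, i, names):
    """Parse one ACE address field at tokens[i]: any | host X | IP MASK. Returns (network, next index)."""
    t = tokens[i]
    if t == "any":
        return Net("0.0.0.0/0"), i + 1
    if t == "host":
        return Net(names.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    ip, mask = names.get(t, t), tokens[i + 1]
    return Net(f"{ip}/{mask}", strict=False), i + 2


def parse_config(text):
    """Parse the subset of FWSM syntax used here: name, access-list, nat, global."""
    cfg = Config()
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "name":                  # name <ip> <object-name>
            cfg.names[tok[2]] = tok[1]
        elif tok[0] == "access-list":         # access-list <acl> [extended] permit|deny ip SRC DST
            rest = tok[2:]
            if rest[0] == "extended":
                rest = rest[1:]
            action = rest[0]
            src, i = _addr(rest, 2, cfg.names)
            dst, _ = _addr(rest, i, cfg.names)
            cfg.acls.setdefault(tok[1], []).append((action, src, dst))
        elif tok[0] == "nat":                 # nat (<iface>) <id> access-list <acl> | nat (<iface>) <id> <ip> <mask>
            iface, nat_id = tok[1].strip("()"), int(tok[2])
            if tok[3] == "access-list":
                cfg.nats.append((iface, nat_id, tok[4], None))
            else:
                cfg.nats.append((iface, nat_id, None, Net(f"{tok[3]}/{tok[4]}", strict=False)))
        elif tok[0] == "global":              # global (<iface>) <id> <value>
            cfg.globals_[int(tok[2])] = f"{tok[1]} {' '.join(tok[3:])}"
    return cfg


def _acl_permits(cfg, acl_name, src, dst):
    """First matching ACE decides, as on the firewall."""
    for action, s_net, d_net in cfg.acls.get(acl_name, []):
        if src in s_net and dst in d_net:
            return action == "permit"
    return False


def classify(cfg, iface, src_ip, dst_ip):
    """Report which nat statement on `iface` a src->dst flow hits:
    NAT exemption (nat 0 access-list) first, then policy NAT, then regular nat."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    on_iface = [n for n in cfg.nats if n[0] == iface]
    for _, nat_id, acl, _ in on_iface:
        if nat_id == 0 and acl and _acl_permits(cfg, acl, src, dst):
            return "nat 0: exempt, no translation"
    for _, nat_id, acl, _ in on_iface:
        if nat_id != 0 and acl and _acl_permits(cfg, acl, src, dst):
            return f"nat {nat_id}: policy NAT via global {cfg.globals_.get(nat_id, '?')}"
    for _, nat_id, _, net in on_iface:
        if nat_id != 0 and net and src in net:
            return f"nat {nat_id}: translated via global {cfg.globals_.get(nat_id, '?')}"
    return "no nat statement matched"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(classify(cfg, "inside", "10.10.10.5", "10.230.0.7"))     # exempt
    print(classify(cfg, "inside", "10.10.10.5", "198.51.100.1"))   # nat 1 via global (outside)
    # The any-any exemption from the earlier reply: now nothing ever reaches nat 1.
    broad = parse_config(SAMPLE_CONFIG + "access-list no_nat extended permit ip any any\n")
    print(classify(broad, "inside", "10.10.10.5", "198.51.100.1"))  # exempt
```

Run it with two or three of your own flows to check which nat statement they hit before changing the live ACL; the any-any case at the end shows why a broad exemption ACL silently disables the nat 1 path to the real ISP.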
12-06-2007 02:36 AM
No,
The nat 0 takes tunnel 0 outside to the private ISP. (They will do the necessary NATting.)
The nat 1 takes tunnel 1 outside to the real ISP.
I have not changed any configs yet, as the access-list already allows it (in name format).
A ping from the FWSM to 10.230.0.1 works OK.
The only problem is that traffic initiated in 10.230.0.0 is dropped (or something happens) before entering the FWSM.