Identity Nat on FWSM



I am using an FWSM with the 3.2.5 release and I found some strange static NAT behavior.

My nat configuration looks like this:

static (inside,outside) netmask

route inside x.y.z.v

Everything works fine for some time, but then the FWSM creates an identity xlate which looks like this:

NAT from inside: to outside: flags si

NAT from inside: to outside: flags Ii

Then connections don't work any more, because the is no longer translated to

If I remove the route, this identity xlate entry is not created.

So for me it's some kind of bug, because the PIX has no reason to create a second xlate entry if I am using statics.

From PIX 6.3 ( , look at the NAT order)

So the question is:

Is this behavior right? Or has Cisco changed the NAT order of their firewalls? Why should a route be preferred to a static NAT entry?

Thanks a lot & Br


htarra Wed, 03/26/2008 - 12:42

With FWSM version 3.x or higher, the blade, by default, will route traffic so you do NOT have to do anything. You still need an ACL to go from low to high but NOT from high to low. If you still use FWSM version 2.x, you still NEED to perform no NAT to go from high to low. The static statement works by creating pre-existing translations, so that when traffic enters, it matches an existing translation. If you translate the entire class B network, traffic destined for the farm would match translations for both the farm and the admin networks. This would produce unexpected and unpredictable behavior.

cisco24x7 Wed, 03/26/2008 - 17:09

"With FWSM version 3.x or higher, the blade, by default, will route traffic so you do NOT have to do anything"

Yes that is true BUT.....

If you have, let's say, VLAN100 (security 100), VLAN2 (security level 0) and VLAN3 (security level 10) and you have the following:

nat (vlan100) 1 0 0

global (vlan2) 1 interface

Once you do that, you have to do the following if you want to go from vlan100 to vlan3 without any translation:

static (vlan100,vlan3) x.x.x.x x.x.x.x net/24

In other words, you're back to version 2.x over again.

my 2c.

CCIE Security

static (vlan100,vlan3) 1.x.x
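As an added illustration (not from the thread and not either poster's configuration), the pattern cisco24x7 describes written out as a complete FWSM 3.x NAT fragment. The interface names follow the post; the subnets 10.100.0.0/24 and 10.3.0.0/24 are constructed placeholders. It also shows the NAT-exemption form (`nat 0 access-list`), which in the documented PIX 7.x / FWSM 3.x NAT order is matched before static entries, ahead of dynamic `nat`/`global` rules, so it is the usual way to keep a high-to-low path untranslated once a catch-all dynamic rule exists.

```cisco
! Constructed example: three interfaces on an FWSM 3.x
!   vlan100 = inside  (security level 100), hosts in 10.100.0.0/24 (placeholder)
!   vlan2   = outside (security level 0)
!   vlan3   = dmz     (security level 10), hosts in 10.3.0.0/24 (placeholder)

! Catch-all dynamic PAT: every source on vlan100 is translated to the
! vlan2 interface address when leaving towards vlan2
nat (vlan100) 1 0.0.0.0 0.0.0.0
global (vlan2) 1 interface

! Because "nat (vlan100) 1" now matches every inside source, a flow from
! vlan100 to vlan3 also looks for a translation. An identity static maps
! the inside subnet to itself so those addresses stay unchanged:
static (vlan100,vlan3) 10.100.0.0 10.100.0.0 netmask 255.255.255.0

! Alternative for the same vlan100 -> vlan3 path: NAT exemption. The
! "nat 0 access-list" rule is evaluated before statics and before the
! dynamic rule above, so matching traffic is never translated.
access-list NONAT extended permit ip 10.100.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (vlan100) 0 access-list NONAT

! Verification after the change: rebuild the translation table and
! inspect which xlate entries the firewall actually created
clear xlate
show xlate
show running-config static
```

After editing `nat`, `global` or `static` statements, `clear xlate` is needed so that stale translations are not reused; `show xlate` then shows whether the vlan100-to-vlan3 entries are identity translations as intended.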

