Identity Nat on FWSM

Unanswered Question

Hello,


I am using an FWSM running the 3.2.5 release and I found some strange static NAT behavior.

My nat configuration looks like this:

static (inside,outside) 172.23.253.6 172.23.0.100 netmask 255.255.255.255

route inside 172.23.0.0 255.255.0.0 x.y.z.v

Everything works fine for some time, but then the FWSM creates an identity xlate which looks like this:

NAT from inside:172.23.0.100 to outside:172.23.251.6 flags si

NAT from inside:172.23.251.6 to outside:172.23.251.6 flags Ii

Then connections don't work any more, because 172.23.251.6 is no longer translated to 172.23.0.100.

If I remove the route, this identity xlate entry is not created.

So for me it's some kind of bug, because the PIX has no reason to create a second xlate entry if I am using statics.

From PIX 6.3 (http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694 , look at the NAT order).

So the question is:

Is this behavior right? Or has Cisco changed the NAT order of their firewalls? Why should a route be preferred to a static NAT entry?


Thanks a lot & Br

Ronald
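The order the linked PIX 6.3 reference describes (NAT exemption first, then statics, then policy NAT, then regular nat/global) can be written down as a small rule-selection model to check which rule a given connection should hit. The following is an added example, not code from this thread or from Cisco; it models only the documented rule precedence, not the FWSM's real xlate engine. The outside interface address, the destination addresses and the DEMO_RULES set are constructed for illustration. Under this model the poster's static is the only rule that can match 172.23.0.100, and a route never takes part in the selection at all, which is the point of the question above.

```python
"""
Model of the documented PIX/FWSM NAT order of operations:
  1. NAT exemption      nat (if) 0 access-list ...
  2. static NAT/PAT     static (real_if,mapped_if) mapped real netmask ...
  3. policy dynamic NAT nat (if) n access-list ...
  4. regular dynamic    nat (if) n real mask  +  global (mapped_if) n ...
Added example: it models the rule precedence, not the FWSM's xlate code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Lower number wins; seq breaks ties inside one kind (configuration order).
ORDER = {"exempt": 0, "static": 1, "policy": 2, "dynamic": 3}


@dataclass
class NatRule:
    kind: str                     # key of ORDER
    real_if: str                  # interface the real address lives behind
    mapped_if: str                # interface the mapped address is seen on
    real: str                     # real source network ("0.0.0.0/0" = any)
    mapped: Optional[str] = None  # mapped block for static; None = PAT to interface
    dest: Optional[str] = None    # destination match for exemption / policy rules
    seq: int = 0

    def matches(self, src_if: str, dst_if: str, src: str, dst: str) -> bool:
        if (src_if, dst_if) != (self.real_if, self.mapped_if):
            return False
        if ip_address(src) not in ip_network(self.real):
            return False
        if self.dest is not None and ip_address(dst) not in ip_network(self.dest):
            return False
        return True


def translate(rules, src_if, dst_if, src, dst, interface_ip):
    """Mapped source address for a new connection, or None when no rule
    matches this interface pair (the firewall would then build no xlate)."""
    hits = [r for r in rules if r.matches(src_if, dst_if, src, dst)]
    if not hits:
        return None
    best = min(hits, key=lambda r: (ORDER[r.kind], r.seq))
    if best.kind == "exempt":
        return src                                   # identity, no translation
    if best.kind == "static":
        # a static keeps the host offset inside the real/mapped blocks
        real_net, mapped_net = ip_network(best.real), ip_network(best.mapped)
        offset = int(ip_address(src)) - int(real_net.network_address)
        return str(ip_address(int(mapped_net.network_address) + offset))
    # policy or regular dynamic: "global (x) n interface" PATs to the interface
    return interface_ip if best.mapped is None else best.mapped


# The poster's only rule:
#   static (inside,outside) 172.23.253.6 172.23.0.100 netmask 255.255.255.255
RONALD_RULES = [NatRule("static", "inside", "outside", "172.23.0.100/32", "172.23.253.6/32", seq=1)]
OUTSIDE_IP = "192.0.2.1"       # constructed outside interface address (not in the thread)


def ronald_case():
    """172.23.0.100 going out must hit the static; a route has no say here."""
    return translate(RONALD_RULES, "inside", "outside", "172.23.0.100", "198.51.100.9", OUTSIDE_IP)


# Constructed rule set showing the precedence between the rule kinds.
DEMO_RULES = [
    NatRule("dynamic", "inside", "outside", "0.0.0.0/0", seq=1),                        # nat (inside) 1 0 0 / global (outside) 1 interface
    NatRule("static", "inside", "outside", "172.23.0.0/24", "172.23.253.0/24", seq=2),   # static (inside,outside) 172.23.253.0 172.23.0.0 netmask 255.255.255.0
    NatRule("exempt", "inside", "outside", "172.23.0.0/24", dest="10.0.0.0/8", seq=3),   # nat (inside) 0 access-list NONAT
]


def demo_cases():
    """(description, mapped address) for a few constructed connections."""
    return [
        ("exempt beats static", translate(DEMO_RULES, "inside", "outside", "172.23.0.7", "10.1.1.1", OUTSIDE_IP)),
        ("static beats dynamic", translate(DEMO_RULES, "inside", "outside", "172.23.0.7", "198.51.100.9", OUTSIDE_IP)),
        ("only dynamic left", translate(DEMO_RULES, "inside", "outside", "172.23.9.9", "198.51.100.9", OUTSIDE_IP)),
        ("no rule for pair", translate(DEMO_RULES, "inside", "dmz", "172.23.0.7", "10.1.1.1", OUTSIDE_IP)),
    ]


if __name__ == "__main__":
    print("poster's static:", ronald_case())
    for what, mapped in demo_cases():
        print(f"{what}: {mapped}")
```

The model deliberately has no notion of a route: on these platforms the route only picks the egress interface, and the NAT lookup is then done for that interface pair, so an xlate that ignores a matching static is exactly the thing to report, not something the documented order can produce.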

htarra Wed, 03/26/2008 - 12:42

With FWSM version 3.x or higher, the blade, by default, will route traffic so you do NOT have to do anything. You still need an ACL to go from low to high but NOT from high to low. If you still use FWSM version 2.x, you still NEED to perform "no NAT" to go from high to low.

The static statement works by creating pre-existing translations, so that when traffic enters, it matches an existing translation. If you translate the entire class B network, traffic destined for the farm would match translations for both the farm and the admin networks. This would produce unexpected and unpredictable behavior.

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/pxpage.html

http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/configuration/guide/nat.html


cisco24x7 Wed, 03/26/2008 - 17:09

"With FWSM version 3.x or higher, the blade, by default, will route traffic so you do NOT have to do anything"

Yes that is true BUT.....

If you have, let's say, VLAN100 (security level 100), VLAN2 (security level 0) and VLAN3 (security level 10) and you have the following:

nat (vlan100) 1 0 0
global (vlan2) 1 interface

Once you do that, you have to do the following if you want to go from vlan100 to vlan3 without any translation:

static (vlan100,vlan3) x.x.x.x x.x.x.x net/24

In other words, you're back to version 2.x over again.


my 2c.


CCIE Security
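As an added configuration example, not posted by anyone in this thread, here is the three-interface case from the reply above written out in FWSM 3.x syntax, with both ways of keeping vlan100-to-vlan3 traffic untranslated once a nat/global pair exists for vlan100. The interface addresses, the 10.x/192.0.2.x ranges and the access-list name NONAT are assumptions; only the security levels and the nat/global/static pattern come from the reply.

```cisco
! Added example (not from the thread). Interfaces named as in the reply above;
! addresses are made up.
interface Vlan100
 nameif vlan100
 security-level 100
 ip address 10.100.0.1 255.255.255.0
!
interface Vlan2
 nameif vlan2
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan3
 nameif vlan3
 security-level 10
 ip address 10.3.0.1 255.255.255.0
!
! Dynamic PAT for everything leaving vlan100 toward vlan2.
nat (vlan100) 1 0.0.0.0 0.0.0.0
global (vlan2) 1 interface
!
! With "nat (vlan100) 1 0 0" in place, vlan100 hosts now need a translation
! toward every lower-security interface, vlan3 included. An identity static
! (mapped == real) satisfies that without changing any address:
static (vlan100,vlan3) 10.100.0.0 10.100.0.0 netmask 255.255.255.0
!
! Alternative with the same effect: NAT exemption, which is evaluated before
! statics in the NAT order. Use one or the other, not both, for the same pair.
! access-list NONAT extended permit ip 10.100.0.0 255.255.255.0 10.3.0.0 255.255.255.0
! nat (vlan100) 0 access-list NONAT
!
! Check that the resulting xlate shows the real address unchanged:
! show xlate | include 10.100.0
```

Without the static (or the exemption) the first vlan100-to-vlan3 connection fails with a no-translation error, which is the "back to version 2.x" behaviour the reply describes.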

