FWSM and NAT

Unanswered Question

We have an FWSM in routed multiple context mode with two VFWs. One will be protecting dept. LANs and the other will handle servers. We would like both VFWs to handle firewalling multiple VLANs, some of which will require NAT (non-routable translated to routable IPs).

As of right now I have two VLANs tied to one VFW: one is the inside and the other is the outside, with a static default route pointed to the SVI of the outside VLAN on the MSFC. Proxy ARP and NAT handle the rest. My question is this: is it possible to add another set of inside/outside interfaces to this VFW with NAT running between them with proxy ARP? I see a problem because the default route is pointing to the SVI of the current outside interface, so I don't see how to tie the new set of interfaces together with NAT.

I hope that this question makes sense, thanks in advance.

Jon Marshall Tue, 05/27/2008 - 20:10

I'm not sure what you are trying to achieve here. It is certainly possible to add multiple interfaces to a VFW, but why do you need another outside interface?

There is nothing to stop you routing other subnets behind the FWSM to the outside interface of your FWSM.

Perhaps you could explain a bit more as to what you are trying to achieve?

Jon

Jon,

The current firewalls that I am replacing use NAT with proxy arp to handle their outside addressing, as opposed to a static route in the MSFC directing the outside subnet to the outside interface.

I would like to be able to use one context to replace two of these firewalls, hence I need two separate outside interfaces (outside subnets) that do NAT with proxy arp.

I know that the same thing could essentially be achieved by using static routes and a single outside interface, but this would require me to redesign the current networks, which would be very time consuming.

Does this make sense?

Thanks!

Jon Marshall Wed, 05/28/2008 - 10:49

Apologies, but I think I may be missing the point. It is when you say "route in the MSFC directing the outside subnet to the outside interface". You don't need this.

What you do need is to have static routes for subnets behind the FWSM, i.e. DMZs. Not sure why using static routes and one outside interface would involve a redesign. Can you not just take the second subnet, create it on a DMZ and, yes, you would need a static route on the MSFC pointing to the outside interface, but this is not a redesign as such.

I may be being a bit thick so bear with me :-)

Jon
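The design Jon describes above (one outside interface, NAT with proxy ARP for the first subnet, a second subnet on a DMZ reached by a static route on the MSFC), written out as an added configuration example. This is not the poster's configuration or anything from the thread: the VLAN numbers, addresses, context name, module slot and ACL names are all made up, and FWSM 3.x syntax is assumed. The point it shows is that only the NAT'd inside subnet relies on the FWSM answering ARP on the outside VLAN; the DMZ subnet keeps its own addresses and the MSFC simply routes it at the context's outside interface, so a single default route out of the context is enough.

```cisco
! ---- Supervisor / MSFC (IOS) ----
! Hand the three VLANs to the FWSM (slot 3 is a hypothetical module slot).
firewall vlan-group 1 10,20,30
firewall module 3 vlan-group 1
!
! SVI on the outside VLAN: this is the context's default gateway.
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
!
! The DMZ subnet is not translated, so the MSFC must know it lives behind
! the context's outside interface address (192.0.2.2).
ip route 10.30.0.0 255.255.255.0 192.0.2.2

! ---- FWSM system execution space ----
mode multiple
context DEPT
  allocate-interface vlan10
  allocate-interface vlan20
  allocate-interface vlan30
  config-url disk:/DEPT.cfg

! ---- Context DEPT ----
interface Vlan10
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface Vlan20
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
interface Vlan30
 nameif dmz
 security-level 50
 ip address 10.30.0.1 255.255.255.0
!
! Inside: RFC1918 hosts hidden behind routable addresses drawn from the
! outside subnet. The FWSM answers ARP for 192.0.2.50 and the PAT/NAT pool
! on VLAN 10 (proxy ARP), so the MSFC needs no route for 10.20.0.0/24.
static (inside,outside) 192.0.2.50 10.20.0.50 netmask 255.255.255.255
global (outside) 1 192.0.2.100-192.0.2.150
nat (inside) 1 10.20.0.0 255.255.255.0
!
! DMZ: identity NAT keeps 10.30.0.0/24 as-is. Reachability comes from the
! "ip route" on the MSFC, not from proxy ARP.
static (dmz,outside) 10.30.0.0 10.30.0.0 netmask 255.255.255.0
!
! One default route for the whole context, out the single outside interface.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! FWSM does not permit higher-to-lower security traffic by default, so the
! inside and dmz interfaces need their own outbound ACLs too.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.50 eq 443
access-list OUTSIDE_IN extended permit tcp any 10.30.0.0 255.255.255.0 eq 80
access-group OUTSIDE_IN in interface outside
access-list INSIDE_OUT extended permit ip 10.20.0.0 255.255.255.0 any
access-group INSIDE_OUT in interface inside
access-list DMZ_OUT extended permit ip 10.30.0.0 255.255.255.0 any
access-group DMZ_OUT in interface dmz
```

To check the two paths behave as described: from the MSFC, `show ip arp 192.0.2.50` should resolve to the FWSM's outside MAC (proxy ARP), while `show ip route 10.30.0.0` should show the static route via 192.0.2.2 with no ARP entries for individual DMZ hosts. Inside the context, `show xlate` shows the inside translations and `show route` shows the single default route; any further subnet the poster wants to move onto this context can be added as another DMZ interface plus one more `ip route` on the MSFC, with no second outside interface.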
