08-05-2008 07:17 AM - edited 03-11-2019 06:25 AM
Dear All,
We'r using FWSM with 2.3(4) s/w
We intend to do no nat-control.
However, Version3.2 apparently can do this. How do we enable no nat-control or a similar function on v2.3?
More requirement, ideally we would want no nat control on some dmz1s/out paths and nat control on some dmz2s/out path.
Is this acheivable in both 2.3 and 3.2?
Thanks
SS
08-05-2008 07:39 AM
instead of playing with nat control do the following
lets say ur dmz1 subnet is 172.16.1.0 /24
and u wanna u se this subnet from the outside interface as there is no nat
do:
static (dmz1, outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
and then make the permit ACL
because in FWSM not like ASA traffic denied by default even from higher security level to less
and then if u have device on dmz1 with ip 172.16.1.5 u gonna see it from outside as 172.16.1.5
and this can be don between any two interfaces u want
good luck
please, if helpful rate
08-05-2008 08:01 AM
We'r trying to initiate (say ping for now) connections from inside to unknown/dynamically known outsides.
I can use 0.0.0.0 as outside to test. should the (outside, dmz1) work, if reversed?
Does this directional change make any difference. In the mean time i'm going to (again!) test your suggestion.
08-05-2008 04:49 PM
there another way
also try and see it
let say ur inside network is
192.168.1.0/24
access-list 100 permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 1 access-list 100
global (outside) 1 192.168.1.1-.192.168.1.254
rate if helpful
08-06-2008 12:40 AM
nat (inside) 0
nat (outside) 0
I tried the above and working ok for now.
Will try the suggestion when we need to mix and match.
Thanks you Marwanshawi.
SS
08-06-2008 12:56 AM
i glad its working because when i see the rateing 3 i though didnt
cool:)
08-06-2008 10:10 AM
Thanks, it works with nat0
I'll be trying with nat1 later.
I also have another question, with v2.3, would nat 0 on one FWSM context and nat 1 on another context, but for the same interface/s work?
08-06-2008 06:23 PM
sure u can because they are in defrent context then the source will be deffrent
and the nat policy will work independatly in each context
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: