Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
700
Views
3
Helpful
7
Replies

FWSM: no nat-control or nat-control

s.srivas
Level 1
Level 1

‎08-05-2008 07:17 AM - edited ‎03-11-2019 06:25 AM

Dear All,

We'r using FWSM with 2.3(4) s/w

We intend to do no nat-control.

However, Version3.2 apparently can do this. How do we enable no nat-control or a similar function on v2.3?

More requirement, ideally we would want no nat control on some dmz1s/out paths and nat control on some dmz2s/out path.

Is this acheivable in both 2.3 and 3.2?

Thanks

SS

Labels:
0 Helpful
7 Replies 7

Marwan ALshawi
VIP Alumni
VIP Alumni

‎08-05-2008 07:39 AM

instead of playing with nat control do the following

lets say ur dmz1 subnet is 172.16.1.0 /24

and u wanna u se this subnet from the outside interface as there is no nat

do:

static (dmz1, outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

and then make the permit ACL

because in FWSM not like ASA traffic denied by default even from higher security level to less

and then if u have device on dmz1 with ip 172.16.1.5 u gonna see it from outside as 172.16.1.5

and this can be don between any two interfaces u want

good luck

please, if helpful rate

0 Helpful

s.srivas
Level 1
Level 1
In response to Marwan ALshawi

‎08-05-2008 08:01 AM

We'r trying to initiate (say ping for now) connections from inside to unknown/dynamically known outsides.

I can use 0.0.0.0 as outside to test. should the (outside, dmz1) work, if reversed?

Does this directional change make any difference. In the mean time i'm going to (again!) test your suggestion.

0 Helpful

Marwan ALshawi
VIP Alumni
VIP Alumni
In response to s.srivas

‎08-05-2008 04:49 PM

there another way

also try and see it

let say ur inside network is

192.168.1.0/24

access-list 100 permit ip 192.168.1.0 255.255.255.0 any

nat (inside) 1 access-list 100

global (outside) 1 192.168.1.1-.192.168.1.254

rate if helpful

s.srivas
Level 1
Level 1
In response to Marwan ALshawi

‎08-06-2008 12:40 AM

nat (inside) 0

nat (outside) 0

I tried the above and working ok for now.

Will try the suggestion when we need to mix and match.

Thanks you Marwanshawi.

SS

0 Helpful

Marwan ALshawi
VIP Alumni
VIP Alumni
In response to s.srivas

‎08-06-2008 12:56 AM

i glad its working because when i see the rateing 3 i though didnt

cool:)

0 Helpful

s.srivas
Level 1
Level 1
In response to Marwan ALshawi

‎08-06-2008 10:10 AM

Thanks, it works with nat0

I'll be trying with nat1 later.

I also have another question, with v2.3, would nat 0 on one FWSM context and nat 1 on another context, but for the same interface/s work?

0 Helpful

Marwan ALshawi
VIP Alumni
VIP Alumni
In response to s.srivas

‎08-06-2008 06:23 PM

sure u can because they are in defrent context then the source will be deffrent

and the nat policy will work independatly in each context

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card