FWSM NATing question

Unanswered Question
Dec 3rd, 2008


i have a 6500 switch with FWSM .

Its outside interface ip address is 64.x.x.219.all the users behind the firewall are natted on the firewall with 64.x.x.220.

nat(inside) 1

global (outside) 1 64.x.x.220 netmask *****.

we have some servers on the DMZ interface of the firewall.

My question is :

if i have another real ip subnet (for example 84.x.x.132/28) can we use any ip from this subnet to publish any server on the firewall although its outside interface is configured with another ip from different subnet??????

waiting your replies.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jon Marshall Wed, 12/03/2008 - 06:04


Yes you can as long as the traffic for 84.x.x.132 is routed back to the outside interface of your FWSM then it will be fine.

Does this make sense ?


mohamed_makled Wed, 12/03/2008 - 06:49

Dear jon

Thanks for your reply.

what do u mean by 84.x.x.132 is routed back to the outside interface ???

do u mean from the ISP side that they must route the traffic of 84.x.x.132 to the outside interface of the FWSM (64.x.x.x) ?????

Jon Marshall Wed, 12/03/2008 - 06:52

Yes, if you present a DMZ server as an 84.x.x.x address to the outside then any traffic destined for the 84.x.x.x address must be routed to your site. It actually must be routed to the outside interface of your FWSM but you may have other devices under your control between the FWSM and the SP. So it's safer to say the SP must route 84.x.x.x back to your site.


mohamed_makled Wed, 12/03/2008 - 07:23

Thanks jon

Did u test this solution??? or did u apply this configuration on a firewall before???



Jon Marshall Wed, 12/03/2008 - 07:26


I have used this configuration on Pix firewalls many times before.


mohamed_makled Wed, 12/03/2008 - 07:42

Ok jon

thank you very much.

it was pleasure to talk with you , and i hope to be friends in future.


This Discussion