source address NAT not working - FWSM

Unanswered Question
Feb 3rd, 2009

I am doing a source address NAT in FWSM with the following command, but sniffing the packet outside FWSM I don't see the source IP being NAT'ed:

static (DMZ2,DMZ3) 10.1.1.5.0 192.168.50.0 netmask 255.255.255.0

DMZ2 is where the traffic is originated and 192.168.50.x is the subnet on DMZ2. DMZ3 is the other interface whose subnet is 192.168.60.x.

The source IP after NAT'ing should be on 10.1.1.x subnet.

What's wrong in my entry?

Jithesh K Joy Tue, 02/03/2009 - 20:36

Hi,

This translates the DMZ2 subnet (192.168.50.0/24) to 10.1.1.0/24 when it accesses DMZ3. Please note that your static entry contains five octets in 10.1.1.5.0. Please use

static (DMZ2,DMZ3) 10.1.1.0 192.168.50.0 netmask 255.255.255.0

and try. Please verify other NAT statements also.

Regards

Jithesh

cisco_lite Tue, 02/03/2009 - 20:50

Yup. That was a typo. The actual config is 10.1.5.0

The source address NAT is not happening. In my case, DMZ2 is not accessing DMZ3, but it is routed out of DMZ3 to a remote network a couple of hops away.

I believe this NAT statement will have a bi-directional effect, i.e. traffic 'originated' from both ends.

Jithesh K Joy Tue, 02/03/2009 - 21:11

Hi

For testing, could you please do a static identity NAT like

static (DMZ2,DMZ3) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

and make sure that all other config is correct.

Regards

Jithesh

cisco_lite Wed, 02/04/2009 - 05:27

I am not able to configure static identity NAT as it comes back saying

ERROR: duplicate of existing static.

The previous static configuration exists for actual NAT'ing to 10.x network.

Jithesh K Joy Thu, 02/05/2009 - 00:01

Is it possible for you to remove that config, do it this way and check the NATing? Afterwards you can replace the old config.

cisco_lite Thu, 02/05/2009 - 00:38

If I remove the old config, then how will the NAT'ing happen which was actually intended (i.e. to a different IP)?
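A small model of what this static does, as an added example (my own Python, not FWSM code and not from anyone in the thread): it rejects the five-octet address from the first post, reproduces the "duplicate of existing static" refusal that blocked the identity static, and applies the one static in both directions (source rewrite outbound, destination untranslation inbound). The interface names, subnets and the test addresses are taken from the thread; the function names are mine.

```python
import ipaddress
import re

# FWSM/PIX syntax modelled here: static (real_if,mapped_if) mapped real netmask mask
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)$")

def parse_static(line):
    """Parse one static line; ValueError on bad syntax or a malformed address."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError("not a static statement")
    real_if, mapped_if, mapped, real, mask = m.groups()
    # ipaddress rejects the five-octet 10.1.1.5.0 from the original post
    return {"real_if": real_if, "mapped_if": mapped_if,
            "mapped": ipaddress.ip_network(f"{mapped}/{mask}"),
            "real": ipaddress.ip_network(f"{real}/{mask}")}

def add_static(table, line):
    """Append a static; refuse a second one for the same real subnet and interface pair."""
    new = parse_static(line)
    for old in table:
        same_pair = (old["real_if"], old["mapped_if"]) == (new["real_if"], new["mapped_if"])
        if same_pair and old["real"].overlaps(new["real"]):
            raise ValueError("ERROR: duplicate of existing static.")
    table.append(new)
    return new

def load_config(lines):
    """Load statics in order; returns (table, [(line, error), ...])."""
    table, errors = [], []
    for line in lines:
        try:
            add_static(table, line)
        except ValueError as exc:
            errors.append((line, str(exc)))
    return table, errors

def _shift(ip, src_net, dst_net):
    return str(dst_net.network_address + (int(ip) - int(src_net.network_address)))

def translate(table, addr, from_if, to_if):
    """Address rewrite for a packet crossing from_if -> to_if: real->mapped rewrites
    the source, mapped->real rewrites the destination (one static, both directions)."""
    ip = ipaddress.ip_address(addr)
    for e in table:
        if (e["real_if"], e["mapped_if"]) == (from_if, to_if) and ip in e["real"]:
            return _shift(ip, e["real"], e["mapped"])
        if (e["mapped_if"], e["real_if"]) == (from_if, to_if) and ip in e["mapped"]:
            return _shift(ip, e["mapped"], e["real"])
    return str(ip)  # no matching static: address passes unchanged
```

Note that a static only rewrites traffic crossing the named interface pair, so a capture taken after the packet has left DMZ3 toward the remote network should show the 10.1.5.x source, while traffic that never crosses DMZ2 to DMZ3 is left alone.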
