source address NAT not working - FWSM

Unanswered Question
Feb 3rd, 2009

I am doing a source address NAT in FWSM with the following, but sniffing the packet outside the FWSM, I don't see the source IP being NAT'ed. Command:

static (DMZ2,DMZ3) netmask

DMZ2 is where the traffic is originated and 192.168.50.x is the subnet on DMZ2. DMZ3 is the other interface whose subnet is 192.168.60.x.

The source IP after NAT'ing should be on 10.1.1.x subnet.

What's wrong in my entry?

Jithesh K Joy Tue, 02/03/2009 - 20:36


This translates DMZ2 ( ) to the /24 subnet when it accesses DMZ3. Please note that your static entry contains five octets in . Please use

static (DMZ2,DMZ3) netmask

and try. Please verify the other NAT statements also.



cisco_lite Tue, 02/03/2009 - 20:50

Yup. That was a typo. The actual config is

The source address NAT is not happening. In my case, DMZ2 is not accessing DMZ3, but the traffic is routed out of DMZ3 to a remote network a couple of hops away.

I believe, this NAT statement will have bi-directional effect, i.e. traffic 'originated' from both ends.

Jithesh K Joy Tue, 02/03/2009 - 21:11


For testing, could you please do a static identity NAT like

static (DMZ2,DMZ3) netmask

and make sure that all other config is correct.



cisco_lite Wed, 02/04/2009 - 05:27

I am not able to configure static identity NAT as it comes back saying

ERROR: duplicate of existing static.

The previous static configuration exists for actual NAT'ing to 10.x network.

Jithesh K Joy Thu, 02/05/2009 - 00:01

Is it possible for you to remove that config, do it in this way and check the NATing? Afterwards you can replace the old config.

cisco_lite Thu, 02/05/2009 - 00:38

If I remove the old config, then how will the NAT'ing happen that was actually intended (i.e. to a different IP)?
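
Configuration fragment added here as an editorial illustration of the two points raised in this thread; it is not from any of the posters. The addresses are constructed from the subnets named above (192.168.50.x on DMZ2, 10.1.1.x mapped), the host 192.168.50.7 is invented, and the `show` command forms assume FWSM 3.x syntax.

```cisco
! Example FWSM configuration (added illustration, not a poster's config).
! Addresses are constructed from the subnets named in the thread.
!
! Real hosts 192.168.50.0/24 on DMZ2 appear as 10.1.1.0/24 whenever their
! traffic leaves through DMZ3, whether the destination is on DMZ3 itself or
! is routed beyond it. Last octet is preserved: 192.168.50.7 -> 10.1.1.7.
! Syntax: static (real_ifc,mapped_ifc) mapped_net real_net netmask mask
static (DMZ2,DMZ3) 10.1.1.0 192.168.50.0 netmask 255.255.255.0
!
! A static translation is bidirectional: a host reached via DMZ3 can send
! to 10.1.1.7 and the FWSM untranslates it to 192.168.50.7, subject to the
! access-list applied on DMZ3.
!
! The identity static suggested for testing names the same real subnet and
! the same interface pair, so while the line above is configured the FWSM
! rejects it with the error quoted in the thread:
!   static (DMZ2,DMZ3) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
!   ERROR: duplicate of existing static.
!
! Checks after adding or changing a static. Existing translation entries
! are not rebuilt until the xlate table is cleared, so a sniffer outside
! the FWSM can keep seeing untranslated sources from older sessions.
clear xlate
show running-config static
show xlate
!   expected: an entry pairing Global 10.1.1.7 with Local 192.168.50.7
!   once a host on DMZ2 has sent traffic out through DMZ3
```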
