
source address NAT not working - FWSM

cisco_lite
Level 1

I am doing a source address NAT in FWSM with the following. But sniffing the packet outside FWSM, I don't see the source IP being NAT'ed. Command:

static (DMZ2,DMZ3) 10.1.1.5.0 192.168.50.0 netmask 255.255.255.0

DMZ2 is where the traffic is originated and 192.168.50.x is the subnet on DMZ2. DMZ3 is the other interface whose subnet is 192.168.60.x.

The source IP after NAT'ing should be on 10.1.1.x subnet.

What's wrong in my entry?

6 Replies

Jithesh K Joy
Level 1

Hi,

This translates DMZ2 (192.168.50.0/24) to the 10.1.1.0/24 subnet when it accesses DMZ3. Please note that your static entry contains five octets in 10.1.1.5.0. Please use

static (DMZ2,DMZ3) 10.1.1.0 192.168.50.0 netmask 255.255.255.0

and try. Please verify the other NAT statements also.

Regards

Jithesh

Yup. That was a typo. The actual config is 10.1.5.0

The source address NAT is not happening. In my case, DMZ2 is not accessing DMZ3 but it is routed out of DMZ3 to a remote network a couple of hops away.

I believe this NAT statement will have a bi-directional effect, i.e. traffic 'originated' from both ends.

Hi

For testing, could you please do a static identity NAT like

static (DMZ2,DMZ3) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

and make sure that all other configs are correct.

Regards

Jithesh

I am not able to configure static identity NAT as it comes back saying

ERROR: duplicate of existing static.

The previous static configuration exists for actual NAT'ing to 10.x network.

Is it possible for you to remove that config & do it in this way and check the NATing. Afterwards you can replace the old config.

If I remove the old config, then how will the NAT'ing happen which was actually intended (i.e. to a different IP)?
