I have just been asked to take over management of a FWSM in a 6509. Looking into the config, I notice that there doesn't appear to be adequate NAT statements, as I know them to be.
For example, here is the config relating to a network on the inside interface accessing a device in the web dmz:
ip address 10.30.5.1 255.255.255.0
ip address 10.30.81.10 255.255.255.252
object-group network OFFICE-NETWORKS
network-object 10.18.0.0 255.255.0.0
access-list INSIDE-IN extended permit ip object-group OFFICE-NETWORKS host 10.30.5.34
access-group INSIDE-IN in interface inside
route product-inside 10.18.0.0 255.255.0.0 core12
Now, I would expect there to be a NAT 0 or a static entry, but there are neither (you'll have to trust me on this!). There is actually no NAT 0 entry, only numbers 1-10 for outgoing traffic from the web dmz to the outside interface.
Yet a connection still occurs:
TCP out 10.30.5.34:3389 in 10.18.10.4:2035 idle 0:00:02 Bytes 142 FLAGS - U
And NAT has taken place:
NAT from inside:10.18.10.4 to webfront:10.18.10.4 flags Ii
I can't figure out how it knows to NAT this... can anyone shed any light?
nat-control is disabled by default with version 3.1 on the FWSM, so I suspect this is why you are seeing the behaviour you describe.
If nat-control were enabled on 3.1, you would see a line in your config: "nat-control".
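As an added example (not part of the original thread), here is a small Python audit that models the rule the answer describes: with nat-control disabled, a flow that matches no nat/static rule passes untranslated (the identity "NAT from inside:A to webfront:A" seen above), while with nat-control enabled the same flow is dropped. The sample config, the regexes and the decision logic are my assumptions, based on FWSM 3.x nat/static command syntax.

```python
"""Added example: decide how an FWSM-style config would treat a flow.
Decision model is an assumption based on FWSM 3.x semantics, not FWSM code."""
import ipaddress
import re

# Constructed sample config modelled on the question: only nat ids 1-10 exist
# (one shown here), nothing for inside hosts, and no "nat-control" line.
SAMPLE_CONFIG = """\
nat (webfront) 1 10.30.5.0 255.255.255.0
global (outside) 1 interface
"""

QUAD = r"(\d+\.\d+\.\d+\.\d+)"
NAT_RE = re.compile(rf"^nat \((\S+)\) (\d+) {QUAD} {QUAD}")
STATIC_RE = re.compile(rf"^static \((\S+),(\S+)\) {QUAD} {QUAD}")


def parse_config(text):
    """Return (nat_control_enabled, nat rules, static rules)."""
    nat_control, nats, statics = False, [], []
    for line in text.splitlines():
        line = line.strip()
        if line == "nat-control":            # present only when enabled
            nat_control = True
        elif m := NAT_RE.match(line):
            iface, nid, net, mask = m.groups()
            nats.append((iface, int(nid),
                         ipaddress.ip_network(f"{net}/{mask}", strict=False)))
        elif m := STATIC_RE.match(line):      # static (real,mapped) mapped real
            real_if, mapped_if, mapped, real = m.groups()
            statics.append((real_if, mapped_if, mapped, real))
    return nat_control, nats, statics


def classify_flow(config_text, ingress_if, src_ip):
    """'translated', 'identity' or 'dropped' for src_ip entering ingress_if."""
    nat_control, nats, statics = parse_config(config_text)
    src = ipaddress.ip_address(src_ip)
    for iface, nid, net in nats:
        if iface == ingress_if and src in net:
            return "identity" if nid == 0 else "translated"
    for real_if, _, mapped, real in statics:
        if real_if == ingress_if and src == ipaddress.ip_address(real):
            return "identity" if mapped == real else "translated"
    # No rule matched: nat-control alone decides the outcome.
    return "dropped" if nat_control else "identity"
```

Running classify_flow on the sample for 10.18.10.4 from "inside" reports "identity", and prepending a "nat-control" line flips the same flow to "dropped", which is the check to run before enabling nat-control on a module like this.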