Need help on NAT in FWSM

networker1982
Level 1

Hi Guys

The attached diagram represents my planned lab setup, in which VLAN 80 will be the outside interface configured with public IPs (2.2.2.0/28). 2.2.2.1 will be the VIP (HSRP) IP of the router interface, and 2.2.2.2 & .3 will be configured on the router Ethernet interfaces. The router will be connected to the MSFC (6500). I will have 2.2.2.4 and 2.2.2.5 for my active and standby FWSM outside (VLAN 80) interfaces.

I have 4 different VLANs connected to the L2 switch: 10.1.1.0/24, .2/24, .3/24 and .4/24. Now I want 10.1.1.0/24 to go out and access the outside networks, which are external to my network, using one of the public IPs I have with me from the pool (2.2.2.0/27) (2.2.2.7), and my other network 10.1.2.0/24 is being accessed from the outside network on a few port numbers, for which I have planned to use the public IP 2.2.2.8.

Now my confusion is how to allow them using NAT in the FWSM, both inbound and outbound NATs.

10.1.1.0/24 is the high security zone and others are DMZ.

Please help me with sample configs/inputs/suggestions.

My second query here is about enabling access between zones. Communication from the high security zone to the low security zone requires an inbound ACL on the high security zone interface and nothing on the low security zone interface; communication originated from the low security zone to the high zone requires an inbound ACL on the low security zone and an outbound ACL on the high security zone.

Please let me know whether I am right in my understanding.

Thanks for your Help

NJ

1 Reply

Jon Marshall
Hall of Fame

NJ

You don't say which interface 10.1.1.0/24 and 10.1.2.0/24 are on, so for this example:

inside1 = 10.1.1.0/24

inside2 = 10.1.2.0/24

So for 10.1.1.0/24 outbound:

nat (inside1) 1 10.1.1.0 255.255.255.0

global (outside) 1 2.2.2.7

For your servers on 10.1.2.0/24 being accessed from outside:

static (inside2,outside) tcp 2.2.2.8 80 10.1.2.10 80

static (inside2,outside) tcp 2.2.2.8 443 10.1.2.11 443

The above is just an example.

First static allows connections to 2.2.2.8 on port 80 (www) to go to 10.1.2.10 on port 80.

Second static allows connections to 2.2.2.8 on port 443 (https) to go to 10.1.2.11 on port 443.

You will need to modify to meet your needs.

"Communication from the high security zone to the low security zone requires an inbound ACL on the high security zone interface and nothing on the low security zone interface"

On the FWSM, correct. Note that on a standalone PIX/ASA you don't need the ACL, as traffic by default is allowed from higher to lower, but not on the FWSM.

"communication originated from the low security zone to the high zone requires an inbound ACL on the low security zone and an outbound ACL on the high security zone."

Not correct. Provided the traffic is stateful, if you allow the traffic in via an ACL on the lower security interface, it will automatically be allowed back out.

Jon
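To make the two points in the reply concrete (the nat/global and static translations, and the fact that return traffic of an established connection needs no ACL on the egress interface), here is a small simulation written for this thread. It is added example code, not Cisco software or anything from the original posts: it parses the four translation lines quoted above, feeds constructed packets through them, and keeps a connection table for stateful return. The interface names inside1/inside2/outside follow the reply; the access-list contents, the PAT port allocator starting at 1024, and the outside host addresses (198.51.100.10, 203.0.113.5) are assumptions made for the simulation.

```python
"""Toy model of the FWSM translation and access rules discussed in this thread.
Added example, not Cisco code. It parses the nat/global/static lines from the
reply, applies them to constructed packets, and keeps a connection table so that
return traffic is permitted without an ACL on the egress interface. ACL contents,
the PAT port range and the outside addresses are assumptions."""
import ipaddress
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet is on: ingress when fed in, egress when returned
    src: str
    sport: int
    dst: str
    dport: int


# Translation lines as given in the reply above.
LAB_CONFIG = """
nat (inside1) 1 10.1.1.0 255.255.255.0
global (outside) 1 2.2.2.7
static (inside2,outside) tcp 2.2.2.8 80 10.1.2.10 80
static (inside2,outside) tcp 2.2.2.8 443 10.1.2.11 443
"""


class FWSM:
    def __init__(self):
        self.nat_rules = []      # (interface, nat id, local network)
        self.global_pools = {}   # nat id -> (interface, global address)
        self.statics = []        # (in_if, out_if, proto, global ip, gport, local ip, lport)
        self.acls = {}           # interface -> [(dst network, dport or None)]
        self.conns = {}          # reply 5-tuple -> untranslated reply (stateful return)
        self._pat_ports = itertools.count(1024)   # assumed PAT port allocator

    def load(self, config):
        for line in config.strip().splitlines():
            t = line.split()
            if t[0] == "nat":
                self.nat_rules.append((t[1].strip("()"), int(t[2]),
                                       ipaddress.ip_network(f"{t[3]}/{t[4]}")))
            elif t[0] == "global":
                self.global_pools[int(t[2])] = (t[1].strip("()"), t[3])
            elif t[0] == "static":
                in_if, out_if = t[1].strip("()").split(",")
                self.statics.append((in_if, out_if, t[2], t[3], int(t[4]), t[5], int(t[6])))

    def permit(self, iface, dst_network, dport=None):
        """Simplified access-list applied inbound on iface (FWSM denies without one)."""
        self.acls.setdefault(iface, []).append((ipaddress.ip_network(dst_network), dport))

    def _acl_permits(self, pkt):
        return any(ipaddress.ip_address(pkt.dst) in net and dport in (None, pkt.dport)
                   for net, dport in self.acls.get(pkt.iface, []))

    def forward(self, pkt):
        """Return (verdict, egress packet or None, reason)."""
        key = (pkt.iface, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conns:   # reply of an established connection: no ACL needed
            return "permit", Packet(*self.conns[key]), "established"
        if not self._acl_permits(pkt):   # FWSM needs an ACL even from high to low
            return "deny", None, f"no access-list permit on {pkt.iface}"
        if pkt.iface == "outside":   # inbound: needs a matching static
            for in_if, out_if, proto, gip, gport, lip, lport in self.statics:
                if out_if == pkt.iface and gip == pkt.dst and gport == pkt.dport:
                    out = Packet(in_if, pkt.src, pkt.sport, lip, lport)
                    break
            else:
                return "deny", None, "no translation for destination"
        else:   # outbound: nat id on the ingress interface -> global on the egress
            for iface, nat_id, net in self.nat_rules:
                if (iface == pkt.iface and ipaddress.ip_address(pkt.src) in net
                        and nat_id in self.global_pools):
                    out_if, gip = self.global_pools[nat_id]
                    out = Packet(out_if, gip, next(self._pat_ports), pkt.dst, pkt.dport)
                    break
            else:
                return "deny", None, "no translation group for source"
        # Remember the flow so the reply, arriving on the egress interface with the
        # addresses swapped, is untranslated and permitted without an ACL there.
        self.conns[(out.iface, out.dst, out.dport, out.src, out.sport)] = \
            (pkt.iface, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit", out, "new connection"


def build_lab():
    fw = FWSM()
    fw.load(LAB_CONFIG)
    fw.permit("inside1", "0.0.0.0/0")        # high zone still needs an ACL on the FWSM
    fw.permit("outside", "2.2.2.8/32", 80)   # assumed: only the published ports
    fw.permit("outside", "2.2.2.8/32", 443)
    return fw                                 # nothing applied on inside2 on purpose


if __name__ == "__main__":
    fw = build_lab()
    for p in [Packet("inside1", "10.1.1.50", 40000, "198.51.100.10", 443),
              Packet("outside", "203.0.113.5", 51000, "2.2.2.8", 80),
              Packet("inside2", "10.1.2.10", 80, "203.0.113.5", 51000),
              Packet("inside2", "10.1.2.10", 5000, "198.51.100.10", 80)]:
        print(p, "->", fw.forward(p))
```

Run it as a script: the first packet leaves outside as 2.2.2.7 with a PAT port, the second is untranslated to 10.1.2.10:80 on inside2, the third (the server's reply) is permitted as "established" although inside2 has no ACL at all, and the fourth (a new connection originated from inside2) is denied for exactly that reason. The model checks the ACL against the pre-translation addresses, as the classic PIX/FWSM outside ACL does, so the inbound permit is written against the public 2.2.2.8.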
