FWSM With NAT Issue

Answered Question
Sep 18th, 2009

Dear Expert,

I face a connectivity issue between inside and outside when using the FWSM module on my Cat 6509; please assist me.

Below is the scenario description:

~~~~~~~~~~~~~~~~~

1. My inside network devices are able to ping all outside network devices via the private WAN, and to access the internet via the outside network's internet gateway.

2. All outside network devices are unable to ping any inside network device via the private network.

3. After adding one static NAT rule in the FWSM, the outside network is able to ping that specific IP:

"static (INSIDE,OUTSIDE) 172.16.35.7 172.16.35.7 netmask 255.255.255.255"

~~~~~~~~~~~

Please refer to the FWSM config and ASDM diagram below.

Configuration

~~~~~~~~~~~~

interface Vlan500
 nameif INSIDE
 security-level 100
 ip address 172.26.149.1 255.255.255.0 standby 172.26.149.3
!
interface Vlan600
 nameif OUTSIDE
 security-level 0
 ip address 172.26.20.12 255.255.255.0 standby 172.26.20.13
xlate-bypass
global (OUTSIDE) 1 172.26.20.249 netmask 255.255.255.0
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) 172.16.35.7 172.16.35.7 netmask 255.255.255.255
route INSIDE 172.16.35.0 255.255.255.0 172.26.149.254 1 ## 172.26.149.254 is the Core Switch GLBP virtual gateway
route INSIDE 172.26.44.0 255.255.255.0 172.26.149.254 1
route OUTSIDE 0.0.0.0 0.0.0.0 172.26.20.10 1 ## 172.26.20.10 is the Metro-E router used to connect to another site.
timeout xlate 3:00:00

~~~~~~~~~~~~~~~

Please guide me on the questions below.

~~~~~~~~~~~~~

1. Is there anything wrong with the configuration? With the NAT?

2. Should I configure bi-directional NAT, or specify all the static NAT rules?

3. How do I make all outside devices able to communicate with the inside ones?

4. Are there any related docs that can help me? I have to boost my security knowledge (^_^)

~~~~~~~~~~~~~

Appreciate your kind help.

Regards

Terry

Correct Answer
Jon Marshall Fri, 09/18/2009 - 10:30

Terry

"After add one static NAT rule in FWSM, outside network able to ping the specific IP.

"static (INSIDE,OUTSIDE) 172.16.35.7 172.16.35.7 netmask 255.255.255.255"

Correct, because for an outside device to talk to an inside device, or more specifically for a device on a lower security interface to talk to a device on a higher security interface, you need an ACL rule + a NAT rule. So what you have done is correct.

Generally speaking you don't want to allow all outside devices to talk to all inside devices, hence the reason you normally have to add the NAT rule.

You can either

1) use bi-directional for all inside devices

2) turn off NAT altogether, i.e. "no nat-control"

3) use static statements as you have. Note that you can use static network statements rather than just individual host entries, i.e.

static (inside,outside) 172.16.35.0 172.16.35.0 netmask 255.255.255.0

But you should only allow outside to access internal devices for specific services, not just open up all access.

Jon
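As an added illustration of Jon's option 3 (this is not Jon's or Terry's own config), the FWSM fragment below replaces the single-host static with a network static for the whole inside subnet and pairs it with an inbound ACL that admits only specific services, which is the "ACL rule + NAT rule" combination the answer describes. The addresses and interface names come from Terry's post; the ACL name OUTSIDE_IN, the choice of ICMP echo and TCP/443 to 172.16.35.7 as the published services, and the logging deny are assumptions for the example.

```cisco
! Added example, not from the thread: Jon's option 3 with a service-specific ACL.
! ACL name OUTSIDE_IN and the permitted services are assumed for illustration.
!
! Identity static for the whole inside subnet instead of one host entry.
static (INSIDE,OUTSIDE) 172.16.35.0 172.16.35.0 netmask 255.255.255.0
!
! Inbound policy on the lower-security interface: only what outside really needs.
access-list OUTSIDE_IN remark Allow outside sites to ping the inside subnet
access-list OUTSIDE_IN extended permit icmp any 172.16.35.0 255.255.255.0 echo
access-list OUTSIDE_IN remark One published service on one host (assumed: HTTPS on .7)
access-list OUTSIDE_IN extended permit tcp any host 172.16.35.7 eq 443
access-list OUTSIDE_IN remark Explicit deny with logging so refused attempts appear in syslog
access-list OUTSIDE_IN extended deny ip any any log
!
! Bind the ACL to traffic entering from OUTSIDE. TCP replies are matched to the
! connection table; ICMP echo-replies leave from INSIDE (higher to lower) and need
! no entry here unless an ACL is also applied inbound on INSIDE.
access-group OUTSIDE_IN in interface OUTSIDE
```

Two things to check before applying something like this. The existing single-host static for 172.16.35.7 is covered by the /24 entry and should be removed rather than left overlapping. And because a static takes precedence over the dynamic nat/global pair, hosts in 172.16.35.0/24 will now leave OUTSIDE with their real addresses instead of 172.26.20.249 (exactly what the single-host static already did for .7), so the routers on the outside side must have a return route for 172.16.35.0/24; the deny-with-log line gives you a syslog record to confirm that only the intended services are being accepted.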

terry_leong Fri, 09/18/2009 - 12:09

Dear Jon,

Appreciate your guide.

I have a better understanding of the security levels already.

<< Device on a lower security interface to talk to a device on a higher security interface you need an acl rule + a NAT rule >>

So we must specify an ACL rule + NAT rule for lower security to higher security, and without the ACL rule specifying which port/service, the communication will fail too, right?

Jon, can you guide me on what the difference is between option 1 and option 3?

What does the config for option 1 look like compared with option 3?

Regards

Terry
