09-18-2009 10:18 AM - edited 03-11-2019 09:17 AM
Dear Expert,
I face a connectivity issue between inside and outside when using the FWSM module on my Cat 6509. Please assist me.
Below is the scenario description
~~~~~~~~~~~~~~~~~
1. My inside network devices are able to ping all outside network devices via the private WAN, and access the internet via the outside network's internet gateway.
2. All outside network devices are unable to ping any inside network device via the private network.
3. After adding one static NAT rule in the FWSM, the outside network is able to ping the specific IP.
"static (INSIDE,OUTSIDE) 172.16.35.7 172.16.35.7 netmask 255.255.255.255"
~~~~~~~~~~~
Please refer to the FWSM config and ASDM diagram below.
Configuration
~~~~~~~~~~~~
interface Vlan500
nameif INSIDE
security-level 100
ip address 172.26.149.1 255.255.255.0 standby 172.26.149.3
!
interface Vlan600
nameif OUTSIDE
security-level 0
ip address 172.26.20.12 255.255.255.0 standby 172.26.20.13
xlate-bypass
global (OUTSIDE) 1 172.26.20.249 netmask 255.255.255.0
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) 172.16.35.7 172.16.35.7 netmask 255.255.255.255
route INSIDE 172.16.35.0 255.255.255.0 172.26.149.254 1 ## 172.26.149.254 is the Core Switch GLBP virtual gateway
route INSIDE 172.26.44.0 255.255.255.0 172.26.149.254 1
route OUTSIDE 0.0.0.0 0.0.0.0 172.26.20.10 1 ## 172.26.20.10 is the Metro-E router used to connect to another site.
timeout xlate 3:00:00
~~~~~~~~~~~~~~~
Please guide me on the questions below.
~~~~~~~~~~~~~
1. Is anything wrong with the configuration? The NAT?
2. Should I configure bi-directional NAT, or specify all the static NAT rules?
3. How do I make all outside devices able to communicate with the inside ones?
4. Are there any related docs that can help me? I have to boost my security knowledge (^_^)
~~~~~~~~~~~~~
Appreciate your kind help.
regards
Terry
09-18-2009 10:30 AM
Terry
"After add one static NAT rule in FWSM, outside network able to ping the specific IP.
"static (INSIDE,OUTSIDE) 172.16.35.7 172.16.35.7 netmask 255.255.255.255"
Correct, because for an outside device to talk to an inside device, or more specifically for a device on a lower security interface to talk to a device on a higher security interface, you need an ACL rule + a NAT rule. So what you have done is correct.
Generally speaking you don't want to allow all outside devices to talk to all inside devices, hence the reason you normally have to add the NAT rule.
You can either
1) use bi-directional for all inside devices
2) turn off NAT altogether, i.e. "no nat-control"
3) use static statements as you have. Note that you can use static network statements rather than just individual host entries, i.e.
static (inside,outside) 172.16.35.0 172.16.35.0 netmask 255.255.255.0
But you should only allow outside to access internal devices for specific services, not just open up all access.
Jon
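An added configuration example, not from this thread or from Cisco's documentation, showing what option 3 looks like when combined with the "specific services only" advice above: the network-wide identity static from the reply plus an outside-in access list. The remote-site subnet 172.26.99.0/24, SSH to the host 172.16.35.7, and the access-list name OUTSIDE_IN are assumptions made for this example.

```text
! Option 3 widened to the whole inside subnet (identity static for the network,
! as suggested in the reply). Because the mapped address equals the real
! address, the OUTSIDE access list below references 172.16.35.x directly.
static (INSIDE,OUTSIDE) 172.16.35.0 172.16.35.0 netmask 255.255.255.0

! Outside-in access list: permit only the services actually needed.
! 172.26.99.0/24 is an assumed remote-site subnet; 172.16.35.7 eq 22 is an
! assumed management host. Everything else is denied and logged.
access-list OUTSIDE_IN extended permit icmp 172.26.99.0 255.255.255.0 172.16.35.0 255.255.255.0 echo
access-list OUTSIDE_IN extended permit tcp 172.26.99.0 255.255.255.0 host 172.16.35.7 eq 22
access-list OUTSIDE_IN extended deny ip any any log

! Apply it inbound on the lower-security interface.
access-group OUTSIDE_IN in interface OUTSIDE
```

TCP return traffic is matched by the connection table, but the ICMP echo-reply from INSIDE to OUTSIDE is a separate flow and must be allowed by whatever access list is applied on INSIDE (not shown in the post) unless ICMP inspection is enabled.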
09-18-2009 12:09 PM
Dear Jon,
Appreciate your guide.
I have a better understanding of the security levels already.
<< Device on a lower security interface to talk to a device on a higher security interface you need an acl rule + a NAT rule >>
So we must specify an ACL rule + NAT rule for lower security to higher security, and without the ACL rule to specify which port/service, the communication will fail too, right?
Jon, can you guide me on what the difference is between option 1 and option 3?
How would the config for option 1 look compared with option 3?
Regards
Terry