Policy NAT not working on FWSM

Hi all:

We have an FWSM pair running version 3.1(17). Policy NAT (PAT) is configured but it's not working. This is the config (nat-control is enabled):

access-list NAT-VOICE extended permit icmp object-group Cluster object-group Range-Voice
access-list NAT-VOICE extended permit tcp object-group Cluster object-group Range-Voice eq rsh
access-list NAT-VOICE extended permit ip object-group Cluster object-group Range-Voice

The object-group called Cluster contains 212.145.x.x (located on the si interface, security-level 10) and the object-group called Range-Voice contains 212.30.x.x (located on the outside interface, security-level 0).

The nat and global commands are as follows:

nat (si) 1 access-list NAT-VOICE

global (outside) 1 212.145.x.x

When I launch a telnet, ping, rsh or whatever from a server in the Cluster object-group to one in Range-Voice, I've noticed that no NAT is taking place. In fact, on the destination server I can see the requests arriving from the server's real IP, not the NAT IP.

The show conn command shows me the connection between the real source IP and the destination. The show xlate command doesn't show anything...

Thanks a lot,

Francisco

6 Replies

Just one thing. The IP in the global command is on the same network as the si interface. That is (I'll change the IPs for this example), the si interface has 192.168.1.1/24 and the IP in the global command is 192.168.1.200. Could that be the problem?

Jon Marshall
Hall of Fame

Francisco

Not sure what you mean by -

In the object-group called Cluster is the 212.145.x.x 

The Cluster object-group should contain the real IP addresses of your servers on the si subnet. What do your object-groups look like?

Jon

Jon, imagine the following (I have replaced the public addresses in the Cluster object-group with private ones):

object-group Cluster

    group-object NodeA

    group-object NodeB

NodeA is 192.168.1.100

The nat and global commands are configured this way:

nat (si) 1 access-list Cluster

global (outside) 1 192.168.1.199

I think the problem is that the NAT IP is inside the si interface's range, isn't it?


Francisco

The global NAT IP should not be from the same subnet as the si subnet. It should be from the outside subnet or another subnet that is routed back to the outside interface.

Jon
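As an added example (not configuration from the thread), the layout Jon describes: the same policy NAT rule, first with the PAT address taken from the si subnet as posted, then with it taken from the outside subnet. All addresses are assumed (RFC 5737 documentation ranges), the object-group definitions are filled in with the full `object-group network` form, and the Range-Voice contents are invented for illustration.

```cisco
! Added example, not from the original post. Assumed addressing:
!   si interface      192.168.1.1/24,   security-level 10, real servers 192.168.1.100-101
!   outside interface 203.0.113.1/24,   security-level 0
!   Range-Voice hosts 198.51.100.0/24,  reached via the outside interface
!
! --- Layout as posted: PAT address inside the si subnet ---
! nat (si) 1 access-list NAT-VOICE
! global (outside) 1 192.168.1.199
!
! --- Corrected layout: PAT address taken from the outside subnet ---
object-group network NodeA
 network-object host 192.168.1.100
object-group network NodeB
 network-object host 192.168.1.101
object-group network Cluster
 group-object NodeA
 group-object NodeB
object-group network Range-Voice
 network-object 198.51.100.0 255.255.255.0
!
! Policy NAT ACL: source = real (pre-NAT) si addresses, destination = the voice range
access-list NAT-VOICE extended permit ip object-group Cluster object-group Range-Voice
!
nat (si) 1 access-list NAT-VOICE
! A single global address gives PAT; it must be routable back to the outside interface.
global (outside) 1 203.0.113.10
! Alternative: PAT behind the outside interface address itself
! global (outside) 1 interface
!
! Verification after sending traffic from 192.168.1.100 to a host in 198.51.100.0/24:
!   show xlate                  -> expect a PAT entry 192.168.1.100 -> 203.0.113.10
!   show conn | include 198.51.100
!   show running-config nat     -> confirm the nat/global pair is present and paired by ID 1
```

With nat-control enabled, a flow from a higher to a lower security interface that matches no nat rule is dropped rather than forwarded untranslated, so a flow that reaches the destination with its real source address is a sign that the nat/global pair is not being applied at all; `show running-config nat` and `show xlate` after generating a test flow are the quickest way to confirm which rule, if any, the connection matched.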

Jon, the FWSM was upgraded from 3.1(4) to 3.1(17) because the rsh protocol through NAT did not work and the new version fixes an rsh bug.

The customer told me the NAT always worked before the upgrade, but not with the new version. Is it possible that this nat+global combination can work?

Just to clarify, note the access-list I typed in the first post:

access-list NAT-VOICE extended permit ip object-group Cluster object-group Range-Voice

The customer assures me the NAT was working properly even though the IP in the global command is inside the range of the source interface; the only protocol that didn't work was rsh. Since the upgrade, nothing works through NAT: telnet, ICMP, SSH or anything else...

Edit: the rsh inspect was removed, but without success.

Hi:

I saw that the RSH protocol doesn't work with PAT when inspect is enabled. If I disable it, would it work if I open the dynamic ports it uses (as well as port 514, it uses ports 1023 and 1022)?

Finally, do you think it's possible that the PAT I posted could work?
