04-15-2010 06:36 PM - edited 03-11-2019 10:33 AM
04-16-2010 04:24 AM
Interesting. What FWSM code are you running? This should work.
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/cfgnat_f.html#wp1042553
You can identify overlapping addresses in other nat commands. For example, you can identify 10.1.1.0 in one command, but 10.1.1.1 in another. The traffic is matched to a policy NAT command in order, until the first match, or for regular NAT, using the best match.
See the following description about options for this command:
–access-list acl_name—Identify the real addresses and destination addresses using an extended access list. Create the extended access list using the access-list extended command (see the "Adding an Extended Access List" section on page 12-6). This access list should include only permit ACEs. You can optionally specify the real and destination ports in the access list using the eq operator. Policy NAT and static NAT consider the inactive or time-range keywords and stop working when an ACE is inactive.
-KS
04-16-2010 05:48 AM
Hi Kusankar,
I'm using IOS 4.0.7 in FWSM.
The strange thing is that even creating a NAT policy to match the source IP cannot create the rule.
Att,
Rubens
04-16-2010 06:38 AM
Could you please copy and paste the following:
sh run static
sh run access-list
that are tied to the static.
-KS
04-16-2010 07:19 AM
Alright, I have tried this out and this is not supported.
static (inside,out) tcp 44.44.44.44 3701 access-list net1
static (inside,out) tcp 44.44.44.44 3702 access-list net2
access-list net1 extended permit tcp host 1.1.1.1 eq 3701 host 100.100.100.1 eq 3701
access-list net2 extended permit tcp host 1.1.1.2 eq 3702 host 100.100.100.100 eq 3702
worked perfectly.
-KS
04-16-2010 07:48 AM
Hi Kusankar,
Take a look at the settings that could be applied and the tests we performed:
#### With this setup worked perfectly applied traffic: #####
access-list NAT_3017_3023 extended permit tcp host 10.2.64.4 eq 3023 172.24.0.0 255.255.240.0
static (inside,outside) tcp 192.168.8.4 3017 access-list NAT_3017_3023
#### With this set up NAT also worked perfectly: ####
static (inside,outside) tcp 192.168.8.3 3017 10.2.64.4 3017 netmask 255.255.255.255
#### Now, this rule could be set up without problems, but the NAT is not being mounted. What I realized is that when creating the static NAT with a NAT policy without specifying the protocol (TCP or UDP) and port, the firewall does not mount the NAT. If the static is created with the protocol and port, the configuration has a conflict with the first rule created:
access-list NAT_3017_3017 extended permit tcp host 10.2.64.4 eq 3017 any range 1 65535
static (inside,outside) 192.168.8.4 access-list NAT_3017_3017
Any suggestions? Can you actually try this setup?
The port range configured in the ACL is necessary because when the connection is established by any outside source, the source IP uses a random port. Therefore it was necessary to set it up this way.
Att,
Rubens
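The two points the thread turns on are the first-match ordering of policy NAT quoted from the FWSM guide in KS's reply and the conflict Rubens hit when a port-specific policy static and a whole-address policy static share the same mapped IP. The script below is an added example, not code from the thread or from Cisco: it parses a small constructed config (the ACL and static lines from Rubens' post, in an assumed order, since no `show run` output was posted), rejects malformed port specs, reports policy statics whose mapped address space overlaps, and answers which static a given flow would hit under first-match evaluation. The helper names (`parse_config`, `mapped_overlaps`, `first_match`) are mine.

```python
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Optional

# Constructed sample reusing the ACL and static lines from the thread; the
# order is an assumption, since the post does not show 'show run' output.
SAMPLE_CONFIG = """
access-list NAT_3017_3023 extended permit tcp host 10.2.64.4 eq 3023 172.24.0.0 255.255.240.0
static (inside,outside) tcp 192.168.8.4 3017 access-list NAT_3017_3023
access-list NAT_3017_3017 extended permit tcp host 10.2.64.4 eq 3017 any range 1 65535
static (inside,outside) 192.168.8.4 access-list NAT_3017_3017
"""

@dataclass
class Ace:
    proto: str
    src: ipaddress.IPv4Network
    src_ports: tuple
    dst: ipaddress.IPv4Network
    dst_ports: tuple

@dataclass
class Static:
    real_if: str
    mapped_if: str
    proto: Optional[str]        # None for a whole-address static
    mapped_ip: str
    mapped_port: Optional[int]
    acl: str
    line: str

def _port_num(tok):
    if not tok.isdigit() or not 1 <= int(tok) <= 65535:
        raise ValueError(f"bad port token {tok!r}")
    return int(tok)

def _addr(t, i):
    """Consume 'any' | 'host A' | 'A MASK'; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def _ports(t, i):
    """Consume optional 'eq P' | 'range A B'; default is every port."""
    if i < len(t) and t[i] == "eq":
        p = _port_num(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (_port_num(t[i + 1]), _port_num(t[i + 2])), i + 3
    return (1, 65535), i

def parse_config(text):
    """Return ({acl_name: [Ace, ...]}, [Static, ...]) in configuration order.
    Regular statics (with 'netmask') are not policy NAT and are skipped."""
    acls, statics = {}, []
    for raw in text.strip().splitlines():
        t = raw.split()
        if t[:1] == ["access-list"] and t[2:4] == ["extended", "permit"]:
            src, i = _addr(t, 5)
            sp, i = _ports(t, i)
            dst, i = _addr(t, i)
            dp, i = _ports(t, i)
            if i != len(t):
                raise ValueError(f"unparsed tokens in ACE: {raw!r}")
            acls.setdefault(t[1], []).append(Ace(t[4], src, sp, dst, dp))
        elif t[:1] == ["static"] and "access-list" in t:
            real_if, mapped_if = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):
                proto, ip, port = t[2], t[3], _port_num(t[4])
            else:
                proto, ip, port = None, t[2], None
            acl = t[t.index("access-list") + 1]
            statics.append(Static(real_if, mapped_if, proto, ip, port, acl, raw))
    return acls, statics

def mapped_overlaps(statics):
    """Pairs of policy statics claiming the same mapped address space on the
    same interface: identical proto/port, or one of them mapping the whole IP."""
    hits = []
    for a, b in itertools.combinations(statics, 2):
        if (a.mapped_if, a.mapped_ip) != (b.mapped_if, b.mapped_ip):
            continue
        whole = a.mapped_port is None or b.mapped_port is None
        if whole or (a.proto, a.mapped_port) == (b.proto, b.mapped_port):
            hits.append((a, b))
    return hits

def first_match(acls, statics, proto, src_ip, src_port, dst_ip, dst_port):
    """Policy NAT is evaluated in configuration order until the first ACE
    matches; returns that Static, or None when no policy static applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for st in statics:
        for ace in acls.get(st.acl, []):
            if (ace.proto in (proto, "ip") and s in ace.src and d in ace.dst
                    and ace.src_ports[0] <= src_port <= ace.src_ports[1]
                    and ace.dst_ports[0] <= dst_port <= ace.dst_ports[1]):
                return st
    return None

if __name__ == "__main__":
    acls, statics = parse_config(SAMPLE_CONFIG)
    for a, b in mapped_overlaps(statics):
        print("mapped overlap:", a.line, "<->", b.line)
```

Running it on the sample flags the two statics on 192.168.8.4 as overlapping, because the second one maps the whole address that the first already maps on TCP/3017. The parser also refuses a port spec such as `range eq 1 65535`, which is worth checking before blaming the firewall for a rule that "does not mount".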