FWSM dynamic NAT

Answered Question
Jun 11th, 2010

Hello,


I have FWSM with OS 3.2

Does it work to have PAT from an interface with a lower security level to an interface with a higher security level?

I have this config and it doesn't work

interface Vlan10
 nameif DMZ_1
 security-level 30
 ip address 10.10.4.1 255.255.255.0 standby 10.10.4.2
!
interface Vlan20
 nameif DMZ_2
 security-level 55
 ip address 10.10.70.1 255.255.255.0 standby 10.10.70.2
!
nat (DMZ_1) 1 10.10.10.0 255.255.255.0
global (DMZ_2) 1 interface
!
access-list dmz_1 extended permit icmp any any
access-list dmz_2 extended permit icmp any any
access-group dmz_1 in interface DMZ_1
access-group dmz_2 in interface DMZ_2
!
route DMZ_1 10.10.10.0 255.255.255.0 10.10.4.3 1

Ping doesn't flow from DMZ_1 10.10.10.10 to DMZ_2 10.10.70.3, but the moment I configure static NAT with

static (DMZ_2,DMZ_1) 10.10.70.0 10.10.70.0 netmask 255.255.255.0

ping works fine.

Thanks in advance,

A.

Correct Answer by edadios about 6 years 8 months ago

I have re-read your question, and it seems you may have already had it figured out from the beginning.

Maybe you already have other nat configured for DMZ_2 that you have not mentioned, or otherwise have nat-control enabled.

If you do, since you have configured nat on DMZ_2 already, or if you had nat-control, and since you are moving from lower security to higher security, you will "still" need a translation for the hosts on the DMZ_2 so that DMZ_1 can reach them.

So besides the configuration I have advised earlier, you needed something like this:

static (DMZ_2,DMZ_1) 10.10.70.0 10.10.70.0 netmask 255.255.255.0

I believe this is what you mentioned worked for you.

If you try your ping again from DMZ_1 to DMZ_2, you can confirm that the traffic from DMZ_1 is being PATed if you do show xlate and see what address is being used by the traffic; it should show the DMZ_2 interface.

Regards,

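To make the rule in this answer concrete, here is a small Python model added to the thread (not Cisco code and not from any poster): it applies the translation check edadios describes, assuming nat-control is on as he suspects, to the nat/global config from the question with and without the static. Interface names, security levels and addresses are the question's; the check logic is a simplified sketch of FWSM behaviour, not the real implementation.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class FwsmNat:
    """Simplified model of the FWSM 3.x translation check described in the thread (constructed)."""
    security: dict                                  # nameif -> security-level
    nat_control: bool = False                       # 'nat-control' configured?
    dynamic: list = field(default_factory=list)     # (iface, nat_id, network) from 'nat (iface) id ...'
    global_ifaces: dict = field(default_factory=dict)  # nat_id -> {ifaces with 'global (iface) id ...'}
    statics: list = field(default_factory=list)     # (real_if, mapped_if, network) from 'static (real,mapped)'

    def has_dynamic(self, iface: str) -> bool:
        return any(i == iface for i, _, _ in self.dynamic)

    def src_translated(self, src_if: str, dst_if: str, src: str) -> bool:
        ip = ipaddress.ip_address(src)
        dyn = any(i == src_if and ip in net and dst_if in self.global_ifaces.get(nid, set())
                  for i, nid, net in self.dynamic)
        sta = any(r == src_if and m == dst_if and ip in net for r, m, net in self.statics)
        return dyn or sta

    def dst_reachable(self, src_if: str, dst_if: str, dst: str) -> bool:
        ip = ipaddress.ip_address(dst)
        return any(r == dst_if and m == src_if and ip in net for r, m, net in self.statics)

    def check(self, src_if: str, src: str, dst_if: str, dst: str):
        """Return (allowed, reason) for a connection initiated by src on src_if towards dst on dst_if."""
        if (self.nat_control or self.has_dynamic(src_if)) and not self.src_translated(src_if, dst_if, src):
            return False, f"no translation for {src} from {src_if} to {dst_if}"
        lower_to_higher = self.security[src_if] < self.security[dst_if]
        if lower_to_higher and (self.nat_control or self.has_dynamic(dst_if)) \
                and not self.dst_reachable(src_if, dst_if, dst):
            return False, f"{dst} on {dst_if} has no static translation visible from {src_if}"
        return True, "translation found"

def thread_config(with_static: bool, nat_control: bool = True) -> FwsmNat:
    """The poster's config; nat-control is assumed on, as edadios suspects."""
    fw = FwsmNat(security={"DMZ_1": 30, "DMZ_2": 55}, nat_control=nat_control)
    fw.dynamic.append(("DMZ_1", 1, ipaddress.ip_network("10.10.10.0/24")))  # nat (DMZ_1) 1 10.10.10.0 ...
    fw.global_ifaces[1] = {"DMZ_2"}                                          # global (DMZ_2) 1 interface
    if with_static:  # static (DMZ_2,DMZ_1) 10.10.70.0 10.10.70.0 netmask 255.255.255.0
        fw.statics.append(("DMZ_2", "DMZ_1", ipaddress.ip_network("10.10.70.0/24")))
    return fw

if __name__ == "__main__":
    for with_static in (False, True):
        print("static" if with_static else "no static",
              thread_config(with_static).check("DMZ_1", "10.10.10.10", "DMZ_2", "10.10.70.3"))
```

Without the static the DMZ_1 to DMZ_2 ping is refused for want of a translation of the DMZ_2 host; with it, both directions pass the check.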
Antonio_1_2 Fri, 06/11/2010 - 07:54

Hello,

I tried this but it still doesn't work. Is it maybe a problem that I have other translations on DMZ_2 from other interfaces?

Regards,

A

Panos Kampanakis Fri, 06/11/2010 - 15:23

Check your logs for the traffic to see if it says something interesting like "Translation creation failed" or denies.

Are the 10.10.10.0 hosts behind DMZ_1?

Could it be that you are not translating the DMZ2 hosts (nat-control or dynamic NAT enabled for those)?

PK

