FWSM dynamic NAT

Antonio_1_2
Level 1

Hello,

I have an FWSM running OS 3.2.

Does it work to have PAT from an interface with a lower security level to an interface with a higher security level?

I have this config and it doesn't work:

interface Vlan10
nameif DMZ_1
security-level 30
ip address 10.10.4.1 255.255.255.0 standby 10.10.4.2

interface Vlan20
nameif DMZ_2
security-level 55
ip address 10.10.70.1 255.255.255.0 standby 10.10.70.2

nat (DMZ_1) 1 10.10.10.0 255.255.255.0

global (DMZ_2) 1 interface


access-group dmz-1 in interface DMZ_1
access-group dmz-2 in interface DMZ_2

access-list dmz_1 extended permit icmp any any

access-list dmz_2 extended permit icmp any any

route DMZ_1 10.10.10.0 255.255.255.0 10.10.4.3 1

Ping doesn't flow from DMZ_1 10.10.10.10 to DMZ_2 10.10.70.3, but the moment I configure static NAT with

static (DMZ_2,DMZ_1) 10.10.70.0 10.10.70.0 netmask 255.255.255.0

ping works fine.

Thanks in advance,

A.

5 Replies

edadios
Cisco Employee

This is outside NAT:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/no.html#wp1614952

Try this:

nat (DMZ_1) 1 10.10.10.0 255.255.255.0 outside

Also, since you will be PATing ICMP, you need to do "inspect icmp" under the policy-map.

Regards,

Hello,

I tried this but it still doesn't work. Is it maybe a problem that I have other translations from other interfaces on DMZ_2?

Regards,

A

Check your logs for the traffic to see if it says something interesting like "Translation creation failed" or denies.

Are the 10.10.10.0 hosts behind DMZ_1?

Could it be that you are not translating the DMZ2 hosts (nat-control or dynamic NAT enabled for those)?

PK

I have re-read your question, and it seems you may have already had it figured out from the beginning.

Maybe you already have other NAT configured for DMZ_2 that you have not mentioned, or otherwise have nat-control enabled.

If you do, since you have configured NAT on DMZ_2 already, or if you had nat-control, and since you are moving from lower security to higher security, you will "still" need a translation for the hosts on DMZ_2 so that DMZ_1 can reach them.

So besides the configuration I have advised earlier, you needed something like this:

static (DMZ_2,DMZ_1) 10.10.70.0 10.10.70.0 netmask 255.255.255.0

I believe this is what you mentioned worked for you.

If you try your ping again from DMZ_1 to DMZ_2, you can confirm that the traffic from DMZ_1 is being PATed if you do show xlate and see what address is being used by the traffic; it should show the DMZ_2 interface.

Regards,
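As an added illustration (not code from this thread or from Cisco), here is a small Python model of the NAT reasoning in the replies above: the only rules modelled are the outside keyword for lower-to-higher dynamic NAT, the identity static for the DMZ_2 hosts, nat-control, and inspect icmp for PATed ICMP. It shows why the identity static alone can make the ping work and when the DMZ_1 hosts actually get PATed. The Firewall class, the function names and the assumption that nat-control is enabled are mine.

```python
from dataclasses import dataclass, field

@dataclass
class Firewall:
    levels: dict                                   # nameif -> security-level
    nat_control: bool = False
    inspect_icmp: bool = False
    nat: list = field(default_factory=list)        # (nameif, nat_id, 'outside' keyword?)
    globals_: list = field(default_factory=list)   # (nameif, nat_id)
    statics: list = field(default_factory=list)    # (real_if, mapped_if)

def pat_applied(fw, src_if, dst_if):
    """Do src_if hosts get dynamic NAT/PAT toward dst_if? Lower-to-higher security
    is 'outside NAT' and only matches a nat statement carrying the outside keyword."""
    for nat_if, nat_id, outside in fw.nat:
        if nat_if != src_if:
            continue
        if fw.levels[src_if] < fw.levels[dst_if] and not outside:
            continue
        if (dst_if, nat_id) in fw.globals_:
            return True
    return False

def dst_hosts_translated(fw, src_if, dst_if):
    """The accepted answer's rule: with nat-control, or once dst_if has dynamic NAT
    of its own, dst_if hosts are reachable only through a translation (here the
    identity static (dst_if,src_if)); otherwise they pass untranslated."""
    needs = fw.nat_control or any(n[0] == dst_if for n in fw.nat)
    return (not needs) or (dst_if, src_if) in fw.statics

def ping_works(fw, src_if, dst_if):
    """ICMP src_if -> dst_if: the destination hosts need a translation when the
    rule above says so, and PATed ICMP additionally needs 'inspect icmp'."""
    if not dst_hosts_translated(fw, src_if, dst_if):
        return False
    return (not pat_applied(fw, src_if, dst_if)) or fw.inspect_icmp

def thread_scenario(outside_keyword, identity_static, nat_control=True, inspect_icmp=True):
    """The poster's two-DMZ config with the thread's proposed fixes toggled (assumed values)."""
    fw = Firewall(levels={"DMZ_1": 30, "DMZ_2": 55},
                  nat_control=nat_control, inspect_icmp=inspect_icmp)
    fw.nat.append(("DMZ_1", 1, outside_keyword))  # nat (DMZ_1) 1 10.10.10.0 255.255.255.0 [outside]
    fw.globals_.append(("DMZ_2", 1))              # global (DMZ_2) 1 interface
    if identity_static:                           # static (DMZ_2,DMZ_1) 10.10.70.0 10.10.70.0 ...
        fw.statics.append(("DMZ_2", "DMZ_1"))
    return ping_works(fw, "DMZ_1", "DMZ_2"), pat_applied(fw, "DMZ_1", "DMZ_2")

if __name__ == "__main__":
    print(thread_scenario(False, False))  # original post, nat-control assumed: (False, False)
    print(thread_scenario(False, True))   # identity static alone: (True, False), ping but no PAT
    print(thread_scenario(True, True))    # outside keyword plus static: (True, True)
```

The second tuple element is what "show xlate" would confirm: only with the outside keyword does the DMZ_1 source appear translated to the DMZ_2 interface address.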

Thank you guys.

A.
