cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
813
Views
0
Helpful
11
Replies

FWSM

estelamathew
Level 2
Level 2

Hello Dear's

I will be installing FWSM next week in existing running network with Core Switch pointing a default route to ASA and ASA is doing Natting for the inside network going to internet, As i have been through the books of FWSM i found it very similar like ASA.

My thought's for  FWSM:

If i want to allow traffic between the Server vlan and user vlan i have to allow traffic by access-list and static Natting between the two vlan's. correct me if i m wrong?????

Question: The users which will go to the internet or on the ASA-DMZ,i want to bypass them from Natting on FWSM because they will get natted on ASA when they will enter ASA and double natting is not a good solution.

  To bypass natting on FWSM i have though:

interface vlan 10

description OUTSIDE INTERFACE

nameif outside

security-level 0

ip  add 10.10.10.1 255.255.255.0

interface vlan 2

description USERS IN VLAN 2

nameif vlan2

security-level 50

ip add 10.10.2.1 255.255.255.0

interface vlan 3

description USERS IN VLAN 3

nameif vlan3

security-level 50

ip  add 10.10.3.1 255.255.255.0

interface vlan 4

description SERVER VLAN

nameif vlan4

security-level 100

ip   add 10.10.100.1 255.255.255.0

access-list vlan 2 extended permit ip 10.10.2.0 255.255.255.0 any

Nat (vlan2) 0 access-list vlan 2-------Bypassing Natting on FWSM for users on vlan2 going on Internet

access-list vlan 3 extended permit ip 10.10.3.0 255.255.255.0 any

Nat (vlan3) 0 access-list vlan 3-------Bypassing  Natting on FWSM for users on vlan3 going on Internet

Static (vlan2,Server-vlan) 10.10.2.0 10.10.2.0 netmask 255.255.255.0 --------- This Natting for users vlan2 going on server vlan

Static (vlan3,Server-vlan) 10.10.3.0 10.10.3.0 netmask 255.255.255.0---------  This Natting for users vlan3 going on server  vlan

route outside 0.0.0.0 0.0.0.0 10.10.10.2---------- ASA INSIDE INTERFACE

Thanks

Message was edited by: estela mathew

Message was edited by: estela mathew

2 Accepted Solutions

Accepted Solutions

Question:  i need user vlan and server vlan to go on internet without doing Natting on FWSM because i m doing natting on ASA perimeter

You can do nat 0 with acl like you have configured or use static identity.

access-list vlan-2 extended permit ip 10.10.2.0 255.255.255.0 any

Nat (vlan2) 0 access-list vlan 2

access-list vlan-3 extended permit ip 10.10.3.0 255.255.255.0 any

Nat (vlan3) 0 access-list vlan 3

access-list server-vlan extended permit ip 10.10.100.0 255.255.255.0 any

Nat (server-vlan) 0 access-list server-vlan

or use static identity nat

static (vlan2,outside) 10.10.2.0 10.10.2.0 net 255.255.255.0

static (vlan3,outside) 10.10.3.0 10.10.3.0 net 255.255.255.0

static (server-vlan,outside) 10.10.110.0 10.10.110.0 net 255.255.255.0

Question2: I need users vlan to go on server vlan for resources access.

nat 0 for server-vlan listed above will allow that or you can add the following identity static:

static (server-vlan,vlan2) 10.10.110.0 10.10.110.0 net 255.255.255.0

static (server-vlan,vlan3) 10.10.110.0 10.10.110.0 net 255.255.255.0

-KS

View solution in original post

What you see is expeted behaviour.  I had given you nat 0 for server-vlan as well for server vlan to go out to the internet.

Nat 0 with acl is birectional - provided it is applied on the higher security interface.

server vlan is higher security than vlan 2 and vlan 3 correct? so, you need to apply that on the server vlan.

Does this answer your question? Also, you either need nat 0 with acl OR static identity - both going from high to low.

-KS

View solution in original post

11 Replies 11

Kureli Sankar
Cisco Employee
Cisco Employee

Estela,

That looks good.  There is a command "no nat-control" which is default for 3.1.1 and above. If you issue "sh run all | i nat-control" you will see that.

With that in place you do not require nat 0 or static identity.

command ref. http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/no.html#wp1615273

Anyway the way you have it configured should work except, I see interfaces with the same security so, you need this command

same-security-traffic permit inter-interface

for traffic between vlan 2, vlan 3 and server vlans.

-KS

Hello Kusankar,

I have enabled Nat-control command,

I think this configuration will not work CAN U EXPLAIN ME HOW IT WILL WORK. ???

I don't want the users vlan to speak to each other that's the reason i have put the same security level between users vlan.

Thanks

Estela,

Sorry I thought vlan2, vlan3 and server are all on the same level security. What you did is correct.

But, I just noticed your static lines.

Static (vlan2,Server-vlan) 10.10.2.0 10.10.2.0 netmask 255.255.255.0

Static (vlan3,Server-vlan) 10.10.3.0 10.10.3.0 netmask 255.255.255.0

These should actually be

Static (Server-vlan,vlan2) 10.10.100.0 10.10.100.0 netmask 255.255.255.0

Static (Server-vlan,vlan3) 10.10.100.0 10.10.100.0 netmask 255.255.255.0

Bydefault we do not translat the traffic from low to high security. We only need to provide translation for traffic flowing from high to low.

Again the above static that I provided is bi-directional meaning vlan2 and vlan3 can initiate traffic to the server vlan.

-KS

estelamathew
Level 2
Level 2

Hello  Kusankar,

U  r wrong the traffic flowing from low security level to high it needs access-list and Natting but traffic flowing from high to low in FWSM it just need access-list.

My concern was that when i will do Nat 0 for each and every vlan to go on internet through ASA then it will also be exempted when it will go to server-vlan,then what the use of static natting statements from users vlan to server vlan.Check my access-list statement i specified ANY destination,because i want users vlan to be be bypass for natting when they will go to the internet through ASA,that avoids double natting on FWSM as well as on ASA.

Will the users vlan be able to go server vlan  by static natting ???? Because NAT 0 is prefered before static natting.

Thanks.

Estela,

nat 0 with an acl is bi-directional. So, what is the reason for your static statements from low to high? vlan2(50) ==> server(100) and vlan3(50) ==> server vlan(100)

Let me explain what I meant when I said by default we do not translate the source from the outside to the inside.

When a host behind the firewall goes to the internet to load google.com, we change the source address from an RFC 1918 address to a routable address going high to low security correct?

Now, let us say you have a webserver on the inside that needs to be accessed from the internet.  You provide static translation - again from high to low

something like static (inside, outside) 1.1.1.1 10.10.10.10 where 10.10.10.10 is the inside address of the webserver.

Now, people from the internet try to access the webserver by loading 1.1.1.1 on the browser.  We do not translate the source IP of the host that is trying to load this website when we come from low to high security. You can if you like but it is not required.  This is what I tried to explain.

I hope it is clear now.

-KS

Dear KS,

You r absoultely correct,i also mean this but natting is required from high to low which is bidirectional,

Give me solution for the below query how i should do it.

Question:  i need user vlan and server vlan to go on internet without doing Natting on FWSM because i m doing natting on ASA perimeter

Question2: I need users vlan to go on server vlan for resources access.

Please answer me to above questions

Thanks

Message was edited by: estela mathew

Question:  i need user vlan and server vlan to go on internet without doing Natting on FWSM because i m doing natting on ASA perimeter

You can do nat 0 with acl like you have configured or use static identity.

access-list vlan-2 extended permit ip 10.10.2.0 255.255.255.0 any

Nat (vlan2) 0 access-list vlan 2

access-list vlan-3 extended permit ip 10.10.3.0 255.255.255.0 any

Nat (vlan3) 0 access-list vlan 3

access-list server-vlan extended permit ip 10.10.100.0 255.255.255.0 any

Nat (server-vlan) 0 access-list server-vlan

or use static identity nat

static (vlan2,outside) 10.10.2.0 10.10.2.0 net 255.255.255.0

static (vlan3,outside) 10.10.3.0 10.10.3.0 net 255.255.255.0

static (server-vlan,outside) 10.10.110.0 10.10.110.0 net 255.255.255.0

Question2: I need users vlan to go on server vlan for resources access.

nat 0 for server-vlan listed above will allow that or you can add the following identity static:

static (server-vlan,vlan2) 10.10.110.0 10.10.110.0 net 255.255.255.0

static (server-vlan,vlan3) 10.10.110.0 10.10.110.0 net 255.255.255.0

-KS

Thanks Kusankar,

I was just confuse that when i have doing NAT (XXX) 0 access-list then i why need of static identity. U confirmed me by ur mail that it is not required when i have already implemented NAT 0 i have tried the setup its workiing fine.

PLEASE CORRECT ME FOR BELOW QUERY

access-list vlan-2 extended permit ip 10.10.2.0 255.255.255.0 any

Nat  (vlan2) 0 access-list vlan 2

Ping from vlan 2  to server vlan doesn't work  unless i specify the below two command for server vlan and access-list on vlan 2 interface

access-list server-vlan extended permit ip 10.10.100.0 255.255.255.0  any

Nat (server-vlan) 0 access-list server-vlan

Please confirm ???

I have tried by removing the command Nat (server-vlan) 0 access-list server-vlan it does'nt work,  but when i put them back it works,because as u have told me that when traffic travels from high to low it need NAT translation and access-list.

Thanks

What you see is expeted behaviour.  I had given you nat 0 for server-vlan as well for server vlan to go out to the internet.

Nat 0 with acl is birectional - provided it is applied on the higher security interface.

server vlan is higher security than vlan 2 and vlan 3 correct? so, you need to apply that on the server vlan.

Does this answer your question? Also, you either need nat 0 with acl OR static identity - both going from high to low.

-KS

Thank u very much i got my answer by ur mail.

Excellent. Glad to hear and thank you for rating.

-KS

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: