FWSM NAT PROBLEM

Hi.

I have a problem with FWSM and NAT.

I have a FWSM with two interfaces, OUTSIDE and DMZ.

I have a server on the DMZ (10.0.0.2/24) and a client on the OUTSIDE (192.168.1.2/24)

I have a static NAT like "static (DMZ,OUTSIDE) 1.1.1.1 10.0.0.2"

When I access the public address (1.1.1.1) there are no problems.

When I access the private address (10.0.0.2), the reply packet is always translated, and this is a problem for me because I need to access both addresses correctly, public and private.

Need help please!

Thanks in advance!

David


5 Replies

mirober2
Cisco Employee

Hi David,

Unfortunately this is not possible. You can setup NAT exemption for certain hosts, but a single client won't be able to access the server using both local and global IP addresses since NAT exemption on the FWSM is only based on IP address.

Hope that helps.

-Mike

Allen P Chen
Level 5

Hello,

I am not sure I understand the issue.

I have a problem with FWSM and NAT.

I have a FWSM with two interfaces, OUTSIDE and DMZ.

I have a server on the DMZ (10.0.0.2/24) and a client on the OUTSIDE (192.168.1.2/24)

I have a static NAT like "static (DMZ,OUTSIDE) 1.1.1.1 10.0.0.2"

When I access the public address (1.1.1.1) there are no problems.

--Based on the static NAT configuration, traffic arriving on the Outside interface destined for 1.1.1.1 should be translated to the real IP of 10.0.0.2. This appears to be working.

When I access the private address (10.0.0.2), the reply packet is always translated, and this is a problem for me because I need to access both addresses correctly, public and private.

--Is the traffic originating behind the Outside interface to host 10.0.0.2?  This will not work, since your static NAT statement (static (DMZ,OUTSIDE) 1.1.1.1 10.0.0.2) will only allow traffic to 10.0.0.2 on the Outside interface if it is using the NAT'ed IP of 1.1.1.1.

What are you trying to achieve?

Hi Allen.

The client computer (192.168.1.2) needs to access both IP addresses (1.1.1.1 and 10.0.0.2).

How can I achieve this?

Maybe xlate bypass?

Thanks!

Hi David,

If Xlate Bypass is enabled, then the original static statement will not take effect.

static (DMZ,OUTSIDE) 1.1.1.1 10.0.0.2

Does the client computer need to use the internal IP for a certain application on a particular port, and the external IP for other applications? If so, you can configure static policy NAT.

However, if no ports are defined, you cannot have the client computer access the inside host on both IP addresses. That is not supported.
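To make the port-based static policy NAT that Mike describes concrete, here is an added configuration example (not posted by anyone in this thread and not a Cisco-supplied sample). It assumes the client must reach the server's web service on TCP/80 through the global address 1.1.1.1 and an SSH service on TCP/22 through the real address 10.0.0.2; the port choices and the access-list names are assumptions.

```text
! Addresses and interface names come from David's post: server 10.0.0.2 on DMZ,
! client 192.168.1.2 on OUTSIDE, global address 1.1.1.1.
! Ports (80 for web, 22 for SSH) and ACL names are assumed for this example.

! Policy NAT ACLs list the REAL source (the DMZ server) and the destination the
! translation should apply to. Restricting the destination to the one client
! keeps the exception as narrow as possible.
access-list DMZ-WEB-POLICY extended permit tcp host 10.0.0.2 eq 80 host 192.168.1.2
access-list DMZ-SSH-POLICY extended permit tcp host 10.0.0.2 eq 22 host 192.168.1.2

! TCP/80 is reachable on the global address 1.1.1.1 ...
static (DMZ,OUTSIDE) tcp 1.1.1.1 80 access-list DMZ-WEB-POLICY
! ... while TCP/22 is an identity translation, so the client uses 10.0.0.2.
static (DMZ,OUTSIDE) tcp 10.0.0.2 22 access-list DMZ-SSH-POLICY

! On FWSM the OUTSIDE interface ACL filters on the mapped (global) addresses,
! so each service is permitted on the address the client will actually use.
! Without these lines the statics exist but nothing is allowed inbound.
access-list OUTSIDE-IN extended permit tcp host 192.168.1.2 host 1.1.1.1 eq 80
access-list OUTSIDE-IN extended permit tcp host 192.168.1.2 host 10.0.0.2 eq 22
access-group OUTSIDE-IN in interface OUTSIDE
```

The plain static on lines 23/79 of the thread would conflict with these per-port policy statics for the same real address, so it is replaced rather than kept alongside them; any service not listed in a policy ACL is unreachable from OUTSIDE until it is added explicitly, which is the safer default.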

CISCOOOO please, implement the STATEFUL NAT!!!

Thanks to everybody!
