Cisco Support Community

New Member

FWSM nat outside

Hello,

If anyone can help me with this problem, please.

I have FWSM Firewall Version 3.2.

When I want to use

nat (DMZ) 1 10.0.0.0 255.0.0.0 outside

global (INSIDE) 1 192.168.1.1 netmask 255.255.255.255

in order to use dynamic NAT from DMZ to INSIDE, all other translation rules are not functioning from DMZ,

i.e. all STATIC and NAT rules

static (INSIDE, STATIC) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

nat (DMZ) 2 10.0.0.0 255.0.0.0

global (OUTSIDE) 2 interface

I thought that static NAT has priority, but it seems that nat with the outside statement runs over all other translations.

When I remove it (no nat (DMZ) 1 10.0.0.0 255.0.0.0 outside), everything goes back to normal and I can ping everything from DMZ as before.

Does anyone have experience with this?

Am I doing something wrong, or is this normal behavior?

Regards,

A.

2 REPLIES
Super Bronze

FWSM nat outside

Hi,

All I can say is that I suggest using the NAT/GLOBAL statements only for the interfaces that "head out" of your local networks.

I never do PAT configurations between my own interfaces, like DMZs and different LAN segments. I only do the PAT configurations towards OUTSIDE and perhaps some 3rd party connections.

Why not just allow the traffic between INSIDE and DMZ unnated?

- Jouni

New Member

FWSM nat outside

Hi,

I use PAT so that I don't need to configure static routes on a large number of devices in the LAN toward the DMZ network.

Those LAN devices don't have a default route toward the firewall but to another router.

So in order for LAN devices to reach DMZ network I just need to configure PAT from DMZ to some LAN IP address.

Regards,

A.
