06-11-2010 05:56 AM - edited 03-11-2019 10:58 AM
Hello,
I have an FWSM running OS 3.2.
Does PAT work from an interface with a lower security level to an interface with a higher security level?
I have this config and it doesn't work:
interface Vlan10
 nameif DMZ_1
 security-level 30
 ip address 10.10.4.1 255.255.255.0 standby 10.10.4.2
interface Vlan20
 nameif DMZ_2
 security-level 55
 ip address 10.10.70.1 255.255.255.0 standby 10.10.70.2
nat (DMZ_1) 1 10.10.10.0 255.255.255.0
global (DMZ_2) 1 interface
access-list dmz_1 extended permit icmp any any
access-list dmz_2 extended permit icmp any any
access-group dmz_1 in interface DMZ_1
access-group dmz_2 in interface DMZ_2
route DMZ_1 10.10.10.0 255.255.255.0 10.10.4.3 1
Ping doesn't flow from DMZ_1 (10.10.10.10) to DMZ_2 (10.10.70.3), but the moment I configure static NAT with
static (DMZ_2,DMZ_1) 10.10.70.0 10.10.70.0 netmask 255.255.255.0
ping works fine.
Thanks in advance,
A.
06-11-2010 06:37 PM
I have re-read your question, and it seems you may have already had it figured out from the beginning.
Maybe you already have other NAT configured for DMZ_2 that you have not mentioned, or otherwise have nat-control enabled.
If you do, since you have NAT configured on DMZ_2 already, or if you have nat-control, and since you are moving from lower security to higher security, you will "still" need a translation for the hosts on DMZ_2 so that DMZ_1 can reach them.
So besides the configuration I advised earlier, you needed something like this:
static (DMZ_2,DMZ_1) 10.10.70.0 10.10.70.0 netmask 255.255.255.0
I believe this is what you mentioned worked for you.
If you try your ping again from DMZ_1 to DMZ_2, you can confirm that the traffic from DMZ_1 is being PATed by doing "show xlate" and seeing what address is being used by the traffic; it should show the DMZ_2 interface address.
Regards,
06-11-2010 06:08 AM
This is outside NAT:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/no.html#wp1614952
Try this:
nat (DMZ_1) 1 10.10.10.0 255.255.255.0 outside
Also, since you will be PATing ICMP, you need to add "inspect icmp" under the policy-map.
Regards,
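Pulling the two replies in this thread together (outside NAT plus "inspect icmp" from the 06:08 AM reply, and the identity static for the DMZ_2 hosts from the accepted answer) into one complete FWSM 3.2 configuration. This is an added example assembled from the thread, not config posted by any participant; it assumes the default policy-map and class-map names (global_policy, inspection_default) and uses dmz_1/dmz_2 as the ACL names for both the access-list and access-group lines.

```cisco
interface Vlan10
 nameif DMZ_1
 security-level 30
 ip address 10.10.4.1 255.255.255.0 standby 10.10.4.2
!
interface Vlan20
 nameif DMZ_2
 security-level 55
 ip address 10.10.70.1 255.255.255.0 standby 10.10.70.2
!
! 10.10.10.0/24 sits behind a router (10.10.4.3) on DMZ_1, so the FWSM
! needs a route to it; the ping source 10.10.10.10 is not on-link.
route DMZ_1 10.10.10.0 255.255.255.0 10.10.4.3 1
!
! Outside NAT: the "outside" keyword is what makes this nat/global pair
! apply from the lower-security DMZ_1 toward the higher-security DMZ_2.
! Sources in 10.10.10.0/24 are PATed to the DMZ_2 interface (10.10.70.1).
nat (DMZ_1) 1 10.10.10.0 255.255.255.0 outside
global (DMZ_2) 1 interface
!
! Identity static for the DMZ_2 hosts. Once any NAT rule (or nat-control)
! covers DMZ_2, a lower-to-higher flow also needs a translation for its
! destination; mapping 10.10.70.0/24 to itself supplies one without
! changing the addresses. Reachability is still gated by the dmz_1 ACL.
static (DMZ_2,DMZ_1) 10.10.70.0 10.10.70.0 netmask 255.255.255.0
!
access-list dmz_1 extended permit icmp any any
access-list dmz_2 extended permit icmp any any
access-group dmz_1 in interface DMZ_1
access-group dmz_2 in interface DMZ_2
!
! ICMP is stateless, so PATed echo requests need the ICMP inspection
! engine to match the echo reply back to the xlate on its return.
! (Assumed default names: global_policy and inspection_default.)
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
```

To verify, ping 10.10.70.3 from 10.10.10.10 and run "show xlate" on the FWSM: the entry for 10.10.10.10 should carry the DMZ_2 interface address as its global address. "show nat" lists the nat/global and static rules in effect, and "show logging" will surface a "Translation creation failed" or an ACL deny if the static or the dmz_1 ACL is still missing. Note that the identity static deliberately makes every 10.10.70.0/24 address addressable from DMZ_1; keep the dmz_1 ACL as narrow as the "permit icmp any any" above rather than widening it once the ping works.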
06-11-2010 07:54 AM
Hello,
I tried this but it still doesn't work. Is it maybe a problem that I have other translations from other interfaces on DMZ_2?
Regards,
A
06-11-2010 03:23 PM
Check your logs for the traffic to see if it says something interesting like "Translation creation failed" or denies.
Are the 10.10.10.0 hosts behind DMZ_1?
Could it be that you are not translating the DMZ_2 hosts (nat-control or dynamic NAT enabled for those)?
PK
06-14-2010 02:05 AM
thank you guys
A.