FWSM dynamic NAT

Antonio_1_2
Level 1

Hello,

I have an FWSM running OS 3.2.

Does PAT work from an interface with a lower security level to an interface with a higher security level?

I have this config and it doesn't work:

interface Vlan10
nameif DMZ_1
security-level 30
ip address 10.10.4.1 255.255.255.0 standby 10.10.4.2

interface Vlan20
nameif DMZ_2
security-level 55
ip address 10.10.70.1 255.255.255.0 standby 10.10.70.2

nat (DMZ_1) 1 10.10.10.0 255.255.255.0

global (DMZ_2) 1 interface


access-group dmz_1 in interface DMZ_1
access-group dmz_2 in interface DMZ_2

access-list dmz_1 extended permit icmp any any
access-list dmz_2 extended permit icmp any any

route DMZ_1 10.10.10.0 255.255.255.0 10.10.4.3 1

Ping doesn't flow from DMZ_1 10.10.10.10 to DMZ_2 10.10.70.3, but the moment I configure static NAT with

static (DMZ_2,DMZ_1) 10.10.70.0 10.10.70.0 netmask 255.255.255.0

ping works fine.

Thanks in advance,

A.


5 Replies

edadios
Cisco Employee

This is outside NAT:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/no.html#wp1614952

Try this:

nat (DMZ_1) 1 10.10.10.0 255.255.255.0 outside

Also, since you will be PATing ICMP, you need to add "inspect icmp" under the policy-map.

Regards,

Hello,

I tried this but it still doesn't work. Could the problem be that I have other translations on DMZ_2 from other interfaces?

Regards,

A

Check your logs for the traffic to see if it says something interesting like "Translation creation failed" or denies.

Are the 10.10.10.0 hosts behind DMZ_1?

Could it be that you are not translating the DMZ_2 hosts (nat-control or dynamic NAT enabled for those)?

PK

I have re-read your question, and it seems you may have already had it figured out from the beginning.

Maybe you already have other NAT configured for DMZ_2 that you have not mentioned, or otherwise have nat-control enabled.

If you do, since you have configured NAT on DMZ_2 already, or if you had nat-control, and since you are moving from lower security to higher security, you will "still" need a translation for the hosts on DMZ_2 so that DMZ_1 can reach them.

So besides the configuration I advised earlier, you needed something like this:

static (DMZ_2,DMZ_1) 10.10.70.0 10.10.70.0 netmask 255.255.255.0

I believe this is what you mentioned worked for you.

If you try your ping again from DMZ_1 to DMZ_2, you can confirm that the traffic from DMZ_1 is being PATed with "show xlate"; look at what address is being used by the traffic, and it should show the DMZ_2 interface.

Regards,
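Putting the advice in this thread together, the following is an added example configuration for FWSM 3.2; it is not the poster's full config and not taken from Cisco documentation. It shows the complete lower-to-higher PAT setup in one place: the dynamic nat/global pair with the "outside" keyword, the identity static for the DMZ_2 hosts that nat-control (or existing NAT on DMZ_2) requires, ICMP inspection so the PATed echo replies are matched back to the request, and the show commands used to verify. Interface names, addresses, ACL names and NAT id 1 come from the question; the explicit nat-control line and the tightened access-list entry are assumptions made here.

```cisco
! Added example, not the poster's configuration. Interfaces, addresses, ACL
! names and NAT id 1 are taken from the thread; everything else is an assumption.

! Interfaces (from the question)
interface Vlan10
 nameif DMZ_1
 security-level 30
 ip address 10.10.4.1 255.255.255.0 standby 10.10.4.2
!
interface Vlan20
 nameif DMZ_2
 security-level 55
 ip address 10.10.70.1 255.255.255.0 standby 10.10.70.2
!
! The 10.10.10.0/24 hosts sit behind a router (10.10.4.3) on DMZ_1
route DMZ_1 10.10.10.0 255.255.255.0 10.10.4.3 1
!
! Outside NAT: the "outside" keyword is what makes a nat statement on the
! lower-security interface (DMZ_1) apply to traffic going to a higher-security
! interface (DMZ_2). Without it the nat/global pair is only used for
! higher-to-lower flows, so the ping never gets a translation.
nat (DMZ_1) 1 10.10.10.0 255.255.255.0 outside
global (DMZ_2) 1 interface
!
! Assumption: nat-control is enabled (remove this line if your device does
! not use it). With nat-control, or once any nat is configured on DMZ_2,
! the DMZ_2 hosts themselves need a translation before DMZ_1 can reach them.
! An identity static keeps their real addresses while satisfying that rule.
nat-control
static (DMZ_2,DMZ_1) 10.10.70.0 10.10.70.0 netmask 255.255.255.0
!
! Inbound ACLs. The DMZ_1 entry is tightened (assumption) to echo requests
! from the 10.10.10.0/24 hosts to the DMZ_2 subnet instead of "icmp any any".
! The DMZ_2 ACL is kept as in the question.
access-list dmz_1 extended permit icmp 10.10.10.0 255.255.255.0 10.10.70.0 255.255.255.0 echo
access-list dmz_2 extended permit icmp any any
access-group dmz_1 in interface DMZ_1
access-group dmz_2 in interface DMZ_2
!
! ICMP inspection: the PATed echo request and its reply are tracked as one
! connection, so the reply to the PAT address is forwarded back to 10.10.10.10.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! Verification while "ping 10.10.70.3" runs from 10.10.10.10:
!   show xlate                            -> expect an entry with Global 10.10.70.1
!                                            for Local 10.10.10.10 (the PAT)
!   show nat                              -> lists the outside nat and the static
!   show logging | include 10.10.10.10    -> look for "Translation creation failed"
!                                            (no translation) or ACL denies
```

The order of checks in the last block mirrors the thread: if "show xlate" shows no entry for 10.10.10.10, the outside nat is not matching; if the entry exists but the ping still fails, look at the log for a failed translation of the DMZ_2 host or an ACL deny on DMZ_2.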

Thank you, guys.

A.
