It is my first time to inquire on the Cisco NetPro Forums.
I am currently having a problem with one of my set-up in our production environment. Let me first start by describing the set-up of the network infrastructure. I have a two context firewall deployed on our Edge Router Cisco 7609. One context is deployed to cater the DMZ requirement of our network and the other context is allocated to filter incoming traffic from the internet. (Please see attached Powerpoint Document)
A server from the DMZ needs to be accessed from the internet and vice versa. The local address of this server is being translated into a public IP on the firewall context that is catered to filter WWW traffic (WWW Firewall Context).
Problem is that I am unable to successfully connect to the internet using this set-up. I have checked the routing and have verified that I have a complete path going to the vlan interface of WWWFirewall Context. However I am not able to see any traffic hitting my WWWFirewall Context coming from my local address (10.10.10.10).
Is there a route on the WWW FW Context and the MSFC for the 10.10.10.10 host?
Can you ping 10.10.10.10 from the WWW FW Context?
Yes I can reach the server 10.10.10.10 from the WWWFW context. I can also ping the FW contex from the 10.10.10.10 host.
I believe that the routing is not an issue anymore since I have set the default routes on th DMZFW context pointing to the MFSC, and the MSFC by default is routing going to the WWWFW Context.
From the WWWFW context, I have 10.10.10.0/24 route pointing to the MSFC (10.10.2.33) and an entry in the MSFC for pointing 10.10.10.0/24 to the DMZFW context.
Might there be an issue on my natting on the WWWFW Context? Because right now, I am mapping 10.10.10.10 to 220.127.116.11. exact entry is
static (VLAN200,VLAN1888) 18.104.22.168 10.10.10.10 netmask 255.255.255.255
can please, confirm that you have the proper permit ACL on both direction i mean in each context u need to have a permit on the inside and outside for the required traffic !!!
Yes I have already placed an acl on both the inbound and outbound direction. I hawever am not getting any hits on the firewall that would translate my local IP to a public IP.
ok now after u made sure the nating, routing and ACLs configured corectly
RELOAD the FWSM
then try to check out the nating after that
first u need to have a permite ACL becuase fwsm deny all traffic on all interfaces by defualt
then u need static route on wwwFW to the 10.10.10.10 through MSFC
ip route vlan200 10.10.10.10 255.255.255.255 10.10.2.50
on the dmz firewall u need to have the permit ACL on both interfaces as well as mentioned Above fwsm deny all bydefault
the u need route like
ip route vlan220 0.0.0.0 0.0.0.0 10.10.2.49
ip route 0.0.0.0 0.0.0.0 10.10.2.43
I already have the default route and access list on both context set to allow the traffic from 10.10.10.10 host to the internet. The routing on the MSFC was also set. I am not sure but I think I am having problem with the translation of the local IP into the global IP.
You can verify the NAT/connnections by
show conn det | inc 10.10.10.10
show xlate det | inc 10.10.10.10
The only thing having a higher preference than a static would be a nat (x) 0 ACL, incase you have one those on any context?
Thanks, I'll look into that during the troubleshooting window. Another question, since the static translation I configured on my firewall applies to vlan200 going to vlan1888, do I still need to configure another static translation this time for the interface vlan1888 going to int vlan200?
u dont need to make the translation twice
once the destination translated to 10.10.10.10
then it will be sent internally to that address when get back to the outside will be retrnaslted to the outside address
Yes as Marwan said, static translations are bi-directional. so no need for two statements, in fact the second statement would mean something totally opposite. Similarly "nat (intf) 0 access-list ... " is also bi-directional (NAT exemption).
Regular Dynamic NAT [Nat/Global] and Identity NAT [nat (intf)0 ip mask] are uni-directional only tough.