FWSM: nat 0, nat 1

Hello,

I'm trying to get the incoming traffic via nat (inbound) 0 to pass the FWSM. I also have nat (inbound) 1 that is working ok on the same incoming interface.

How do I get nat 0 (no NATting via this route) to allow incoming traffic on the inbound interface to reach the outbound interface?

Config extracts:

FWSM Version 2.3(4)

!

same-security-traffic permit inter-interface

!

global (outbound) 1 10.192.3.83

nat (inbound) 0 access-list no_nat

nat (inbound) 1 access-list Proxy_nat

access-group outbound_access_in in interface outbound

access-group inbound_access_in in interface inbound

!

6 REPLIES

Re: FWSM: nat 0, nat 1

Hi

Let's say that you have a 10.10.10.0 network inside and you don't want this address translated when its destination is 10.192.3.120. Then all you need is the following:

access-list no_nat permit ip 10.10.10.0 255.255.255.0 host 10.192.3.120

Regards

Community Member

Re: FWSM: nat 0, nat 1

Thanks,

I'll try to test the following

access-list no_nat extended permit ip any any

Referencing

http://www.cisco.com/en/US/partner/docs/security/fwsm/fwsm31/configuration/guide/nwacc_f.html

However, I already have the following

and cannot identify what else is causing the problem.

config extracts:

access-list no_nat extended permit ip TS-Proxy 255.255.255.224 GIN2_mgmt1 255.255.255.0

access-list no_nat extended permit ip SB-Proxy 255.255.255.224 GIN2_mgmt1 255.255.255.0

access-list no_nat extended permit ip TS-Proxy 255.255.255.224 10.0.0.0 255.0.0.0

access-list no_nat extended permit ip SB-Proxy 255.255.255.224 10.0.0.0 255.0.0.0

access-list no_nat extended permit ip GIN2_mgmt1 255.255.255.0 TS-Proxy 255.255.255.224

!

name 10.192.1.224 SB-Proxy

name 10.192.2.224 TS-Proxy

!

network-object TS-Proxy 255.255.255.224

network-object SB-Proxy 255.255.255.224

!

Re: FWSM: nat 0, nat 1

The following ACL has no use, and all other nat statements will be ignored. So don't use the following:

access-list no_nat extended permit ip any any

I couldn't browse the link you submitted; would you please describe what you want to achieve?

Community Member

Re: FWSM: nat 0, nat 1

Yes, any any will be of no use. I realised that as soon as I sent the previous reply. So I'm planning to add the following to the existing ACL:

access-list no_nat extended permit ip any 10.230.0.0 255.255.255.0

(What I'm trying to achieve is:

Through tunnel 0 and tunnel 1 in the front-end router, make the front-lower FWSM use

nat 1 to route to a real ISP with real addresses

nat 0 to route to a private ISP with 10.x addresses. (Ours is a 10. address too, but not overlapping.)

Incoming traffic from the fe-Router is apparently hitting the FWSM inbound, but cannot get through the FWSM.)

Re: FWSM: nat 0, nat 1

So, let's say that

ip address outside aRealIPfromISP

access-list no_nat extended permit ip any 10.230.0.0 255.255.255.0

nat (inside) 0 access-list no_nat

nat (inside) 1 10.x.x.x 255.255.255.0 -> your inside network

global (outside) 1 interface

In the above config, traffic to 10.230.0.0/24 won't be NATed, and the rest of the traffic from your inside network will flow through your ISP.
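To make the precedence that the two replies above rely on concrete (the "permit ip any any" warning a few posts up, and the nat 0 / nat 1 split in the config just given), here is an added example that is not code from the thread or from Cisco. It models the lookup order the reply describes: the nat 0 exemption ACL is consulted first and, when it matches, the nat ID 1 rule is never considered. It parses the `access-list ... permit ip SRC DST` syntax quoted in the thread (subnet masks, `host`, `any`, and `name` aliases) and reports which source address a flow would carry. The address ranges, the `Proxy_nat` entries and the "nat-control" drop behaviour are assumptions made for the illustration.

```python
"""Model of how a PIX/FWSM-style firewall picks a NAT rule for an outbound flow.

Added example, not from the thread or from Cisco.  Assumes the order the reply
describes: the 'nat (ifc) 0 access-list' exemption ACL is checked before the
'nat (ifc) 1 access-list' policy rule.  Addresses and ACL entries are constructed
for illustration (the /27 proxy networks and global address are taken from the
thread, the rest is made up).
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# 'name' aliases quoted in the thread
NAMES = {"SB-Proxy": "10.192.1.224", "TS-Proxy": "10.192.2.224"}

# Constructed config fragment in the thread's own syntax (not the poster's full ACL)
CONFIG = [
    "access-list no_nat extended permit ip TS-Proxy 255.255.255.224 10.230.0.0 255.255.255.0",
    "access-list no_nat extended permit ip SB-Proxy 255.255.255.224 10.230.0.0 255.255.255.0",
    "access-list Proxy_nat extended permit ip TS-Proxy 255.255.255.224 any",
    "access-list Proxy_nat extended permit ip SB-Proxy 255.255.255.224 any",
]
GLOBAL_1 = "10.192.3.83"  # 'global (outbound) 1 10.192.3.83' from the thread


def _parse_addr(tokens, names):
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'ADDR MASK'.
    FWSM ACLs use subnet masks (not wildcard masks).  Returns (network, rest)."""
    tok = tokens[0]
    if tok == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tok == "host":
        return IPv4Network(f"{names.get(tokens[1], tokens[1])}/32"), tokens[2:]
    addr = names.get(tok, tok)
    return IPv4Network(f"{addr}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(lines, names=None):
    """Parse 'access-list NAME [extended] permit ip SRC DST' lines into
    {name: [(src_net, dst_net), ...]}, preserving entry order."""
    names = names or {}
    acls = {}
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        name, rest = t[1], t[2:]
        if rest and rest[0] == "extended":
            rest = rest[1:]
        if rest[:2] != ["permit", "ip"]:
            continue  # only 'permit ip' entries are relevant to NAT matching here
        src, rest = _parse_addr(rest[2:], names)
        dst, _ = _parse_addr(rest, names)
        acls.setdefault(name, []).append((src, dst))
    return acls


def acl_matches(entries, src, dst):
    """First-match semantics: any entry whose src and dst contain the flow."""
    return any(src in s and dst in d for s, d in entries)


def pick_source_address(acls, exempt_acl, policy_acl, global_addr, src, dst) -> Optional[str]:
    """Source address the firewall would present for src->dst.

    nat 0 (exemption) wins over nat 1, so 'permit ip any any' in the exemption
    ACL shadows every other nat statement.  None means no nat statement matched;
    with NAT required (nat-control behaviour, assumed here) the flow is dropped.
    """
    src, dst = IPv4Address(src), IPv4Address(dst)
    if acl_matches(acls.get(exempt_acl, []), src, dst):
        return str(src)      # nat 0: real address kept, upstream does any NAT
    if acl_matches(acls.get(policy_acl, []), src, dst):
        return global_addr   # nat 1: translated to the global pool address
    return None


def demo():
    """Run the constructed flows through both the sane and the shadowed config."""
    acls = parse_acl(CONFIG, NAMES)

    def pick(s, d, table=acls):
        return pick_source_address(table, "no_nat", "Proxy_nat", GLOBAL_1, s, d)

    results = {
        "private_isp": pick("10.192.2.230", "10.230.0.1"),    # exempt -> real address
        "real_isp": pick("10.192.2.230", "198.51.100.10"),    # nat 1 -> global
        "unmatched": pick("10.192.5.5", "198.51.100.10"),     # no nat rule at all
    }
    # Same config plus the 'any any' exemption the thread warns against:
    shadowed = parse_acl(CONFIG + ["access-list no_nat extended permit ip any any"], NAMES)
    results["any_any_shadow"] = pick("10.192.2.230", "198.51.100.10", shadowed)
    return results


if __name__ == "__main__":
    for flow, addr in demo().items():
        print(f"{flow:16s} -> {addr}")
```

The `any_any_shadow` entry shows the effect the earlier reply describes: with `permit ip any any` in `no_nat`, even the flow meant for the real ISP leaves with its untranslated 10.192.2.230 source, and the `global (outbound) 1` pool is never used.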

Community Member

Re: FWSM: nat 0, nat 1

No,

The nat 0 takes the tunnel 0 to outside private ISP. (They will do the necessary natting)

The nat 1 takes the tunnel 1 to outside to the real ISP.

I have not changed any configs yet, as the access-list already allows it (in name format).

ping from FWSM to 10.230.0.1 works ok.

The only problem is that traffic initiated in 10.230.0.0 is dropped (or something happens) before entering the FWSM.
