FWSM: nat 0, nat 1

s.srivas
Level 1

Hello,

I'm trying to get the incoming traffic via nat (inbound) 0 to pass the FWSM. I also have nat (inbound) 1 that is working ok on the same incoming interface.

How do I get nat 0 (no NATting via this route) to allow incoming traffic on the inbound interface through to the outbound interface?

Config extracts:

FWSM Version 2.3(4)
!
same-security-traffic permit inter-interface
!
global (outbound) 1 10.192.3.83
nat (inbound) 0 access-list no_nat
nat (inbound) 1 access-list Proxy_nat
access-group outbound_access_in in interface outbound
access-group inbound_access_in in interface inbound
!

6 Replies

husycisco
Level 7

Hi

Let's say that you have a 10.10.10.0 network inside and you don't want this address translated when its destination is 10.192.3.120. Then all you need is the following:

access-list no_nat permit ip 10.10.10.0 255.255.255.0 host 10.192.3.120

Regards

Thanks,

I'll try to test the following:

access-list no_nat extended permit ip any any

Referencing

http://www.cisco.com/en/US/partner/docs/security/fwsm/fwsm31/configuration/guide/nwacc_f.html

However, I already have the following and cannot identify what else is causing the problem.

config extracts:

access-list no_nat extended permit ip TS-Proxy 255.255.255.224 GIN2_mgmt1 255.255.255.0
access-list no_nat extended permit ip SB-Proxy 255.255.255.224 GIN2_mgmt1 255.255.255.0
access-list no_nat extended permit ip TS-Proxy 255.255.255.224 10.0.0.0 255.0.0.0
access-list no_nat extended permit ip SB-Proxy 255.255.255.224 10.0.0.0 255.0.0.0
access-list no_nat extended permit ip GIN2_mgmt1 255.255.255.0 TS-Proxy 255.255.255.224
!
name 10.192.1.224 SB-Proxy
name 10.192.2.224 TS-Proxy
!
network-object TS-Proxy 255.255.255.224
network-object SB-Proxy 255.255.255.224
!

The following ACL is no use, and all other nat statements will be ignored, so don't use the following:

access-list no_nat extended permit ip any any

I couldn't browse the link you submitted; would you please describe what you want to achieve?

Yes, any any will be no use. I realised that as soon as I sent the previous reply. So I'm planning to add the following to the existing ACL:

access-list no_nat extended permit ip any 10.230.0.0 255.255.255.0

(What I'm trying to achieve is:

Through tunnel 0 and tunnel 1 in the front-end router, make the front-lower FWSM use

nat 1 to route to a real ISP with real addresses

nat 0 to route to a private ISP with 10.x addresses. (Ours is a 10. address too, but not overlapping.)

Incoming traffic from fe-Router is apparently hitting the FWSM inbound, but cannot get through the FWSM.)

So, let's say that

ip address outside aRealIPfromISP
access-list no_nat extended permit ip any 10.230.0.0 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 1 10.x.x.x 255.255.255.0 -> your inside network
global (outside) 1 interface

In the above config, traffic to 10.230.0.0/24 won't be NATed, and the rest of the traffic from your inside network will flow through your ISP.
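As an added illustration of the two points husycisco makes in this thread (a `permit ip any any` entry in the nat 0 ACL shadows every other nat statement on that interface, and NAT exemption is the only path through which the remote side can initiate a connection to a real inside address), the following Python script, which is not from the thread or from Cisco, models the FWSM/PIX rule order: nat 0 access-list exemption is checked before any other nat ID, and a dynamic nat ID only translates when a matching global exists on the egress interface. The sample configuration is constructed from the names in the thread; the contents of the Proxy_nat ACL, the 10.230.0.0/24 private-ISP hosts, the 198.51.100.9 remote address and all function names are assumptions for the example.

```python
"""Toy model of FWSM/PIX-style NAT rule evaluation (added example, not device code).

Order modelled: NAT exemption (nat 0 access-list) first, then the remaining nat IDs
in configured order, each needing a 'global (egress) ID' to translate. NAT exemption
is treated as bidirectional, as the FWSM/ASA docs describe it; dynamic NAT/PAT is not.
"""
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def _addr(tokens, names):
    """Consume one FWSM address spec: 'any', 'host A', or 'NET MASK'.
    FWSM ACL masks are network masks (255.255.255.224), not wildcards."""
    tok = tokens[0]
    if tok == "any":
        return ANY, tokens[1:]
    if tok == "host":
        return ipaddress.IPv4Network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    net = names.get(tok, tok)  # resolve 'name A.B.C.D NAME' aliases
    return ipaddress.IPv4Network(f"{net}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Build a policy from the subset of FWSM syntax used in the thread."""
    names, acls, nats, globals_ = {}, {}, [], {}
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "name":                       # name 10.192.1.224 SB-Proxy
            names[t[2]] = t[1]
        elif t[0] == "access-list":              # access-list N [extended] permit ip SRC DST
            i = 3 if t[2] == "extended" else 2
            if t[i] != "permit" or t[i + 1] != "ip":
                raise ValueError("only 'permit ip' entries are modelled: " + raw)
            src, rest = _addr(t[i + 2:], names)
            dst, _ = _addr(rest, names)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat":                      # nat (if) ID access-list N | nat (if) ID NET MASK
            iface, nid = t[1].strip("()"), int(t[2])
            if t[3] == "access-list":
                nats.append((iface, nid, ("acl", t[4])))
            else:
                nats.append((iface, nid, ("net", ipaddress.IPv4Network(f"{t[3]}/{t[4]}", strict=False))))
        elif t[0] == "global":                   # global (if) ID ADDR|interface
            globals_[(t[1].strip("()"), int(t[2]))] = t[3]
    return {"names": names, "acls": acls, "nats": nats, "globals": globals_}


def _acl_match(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)


def classify(policy, iface, src, dst, out_iface):
    """Flow initiated by real host `src` on `iface` towards `dst`, leaving via `out_iface`.
    Returns ('exempt', src) when a nat 0 access-list entry matches (checked before every
    other nat ID, which is why 'permit ip any any' there shadows them all), else
    ('dynamic', global) for the first other nat ID that matches and has a global on the
    egress interface, else ('no-rule', None)."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for nif, nid, sel in policy["nats"]:
        if nif == iface and nid == 0 and sel[0] == "acl" \
                and _acl_match(policy["acls"].get(sel[1], []), src, dst):
            return "exempt", str(src)
    for nif, nid, sel in policy["nats"]:
        if nif != iface or (nid == 0 and sel[0] == "acl"):
            continue
        hit = _acl_match(policy["acls"].get(sel[1], []), src, dst) if sel[0] == "acl" else src in sel[1]
        if hit and nid == 0:                     # identity NAT (nat 0 NET MASK): unidirectional
            return "identity", str(src)
        if hit and (out_iface, nid) in policy["globals"]:
            return "dynamic", policy["globals"][(out_iface, nid)]
    return "no-rule", None


def remote_can_initiate(policy, iface, remote, real):
    """Can a host on the far side open a connection to `real` behind `iface`?
    Only NAT exemption allows that: the nat 0 ACL is matched with source and
    destination swapped. Dynamic NAT/PAT builds no inbound translation."""
    remote, real = ipaddress.IPv4Address(remote), ipaddress.IPv4Address(real)
    return any(
        nif == iface and nid == 0 and sel[0] == "acl"
        and _acl_match(policy["acls"].get(sel[1], []), real, remote)
        for nif, nid, sel in policy["nats"]
    )


# Constructed sample, modelled on the thread; Proxy_nat contents are assumed.
SAMPLE = """
name 10.192.1.224 SB-Proxy
name 10.192.2.224 TS-Proxy
access-list no_nat extended permit ip SB-Proxy 255.255.255.224 10.230.0.0 255.255.255.0
access-list no_nat extended permit ip TS-Proxy 255.255.255.224 10.230.0.0 255.255.255.0
access-list Proxy_nat extended permit ip SB-Proxy 255.255.255.224 any
access-list Proxy_nat extended permit ip TS-Proxy 255.255.255.224 any
nat (inbound) 0 access-list no_nat
nat (inbound) 1 access-list Proxy_nat
global (outbound) 1 10.192.3.83
"""

if __name__ == "__main__":
    p = parse_config(SAMPLE)
    print(classify(p, "inbound", "10.192.1.230", "10.230.0.5", "outbound"))
    print(classify(p, "inbound", "10.192.1.230", "198.51.100.9", "outbound"))
    print(remote_can_initiate(p, "inbound", "10.230.0.1", "10.192.1.230"))
    shadowed = parse_config(SAMPLE + "access-list no_nat extended permit ip any any\n")
    print(classify(shadowed, "inbound", "10.192.1.230", "198.51.100.9", "outbound"))
```

Running the script shows the proxy-to-10.230.0.0/24 flow leaving untranslated, the same proxy reaching the real ISP through the nat 1 / global 1 pair as 10.192.3.83, a 10.230.0.1 host being able to initiate back to the proxy because the exemption matches in reverse, and, once `permit ip any any` is appended to no_nat, the ISP-bound flow also classified as exempt, so the nat 1 rule is never reached.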

No,

The nat 0 takes the tunnel 0 to outside private ISP. (They will do the necessary natting)

The nat 1 takes the tunnel 1 to outside to the real ISP.

I have not changed any configs yet, as the access-list already allows it (in name format).

ping from FWSM to 10.230.0.1 works ok.

The only problem is that traffic initiated in 10.230.0.0 is dropped (or something happens) before entering the FWSM.
