FWSM NAT-Control

estelamathew
Level 2

Hello Friends,

How can we disable nat-control in FWSM? And if we disable NAT and suppose I want to use the static NAT command, will it be affected in the configuration?

What is the command in FWSM to see whether NAT is enabled or disabled? As I know, in ASA it is the sh Nat-control command.

Thanks


8 Replies

Panos Kampanakis
Cisco Employee

You can do "sh run all | i nat-control" to check if it is enabled.

Without nat-control enabled all hosts that do NOT match an existing nat or static will be translated to themselves.

I hope it helps.

PK

pkampana wrote:

You can do "sh run all | i nat-control" to check if it is enabled.

Without nat-control enabled all hosts that do NOT match an existing nat or static will be translated to themselves.

I hope it helps.

PK

Hello Pkampana,

Can you elaborate more please? Your last line is still not clear.

One PC in PAK_IT wants to access MAC_IT. The access-list was OK (any any) on the PAK_IT interface, but still I was not able to access it; when I put in the static command it worked. The customer told me that NAT control is disabled. I used the ASA command sh Nat-control and it gave me an error.

Can you explain the below static command to me? If I am not wrong, the user with 172.25.51.26 who wants to reach any PC (according to the ACL) in 172.25.52.0 will access it by IP 172.25.52.26. Correct me if I am wrong.

interface Vlan51
nameif PAK_IT
security-level 25
ip address 172.25.51.254 255.255.255.0 standby 172.25.51.253

interface Vlan52
nameif MAC_IT
security-level 90
ip address 172.25.52.254 255.255.255.0 standby 172.25.52.253

static (PAK_IT,MAC_IT) 172.25.52.26 172.25.51.26 netmask 255.255.255.255

This static translates host 172.25.52.26 behind interface PAK_IT to itself for interface MAC_IT.

You will need a static even if you have nat control disabled if you had any existing nats or statics that were matching 172.25.52.26 behind the PAK_IT.

For example, if you had a

nat (PAK_IT) 1 172.25.52.0 255.255.255.0

Then you would need a static to make it work.

I hope it helps.

PK

pkampana wrote:

This static translates host 172.25.52.26 behind interface PAK_IT to itself for interface MAC_IT.

You will need a static even if you have nat control disabled if you had any existing nats or statics that were matching 172.25.52.26 behind the PAK_IT.

For example, if you had a

nat (PAK_IT) 1 172.25.52.0 255.255.255.0

Then you would need a static to make it work.

I hope it helps.

PK

Hello Pkampana,

For Example:

interface vlan 2
nameif inside
security-level 100

interface vlan 3
nameif outside
security-level 0

static(inside,outside) 202.1.1.1 10.10.10.1 netmask 255.255.255.255

The above static command says that when the host on the inside (10.10.10.1) goes to the internet it is translated to 202.1.1.1, and also when users from the outside want to access the host on the inside they will hit 202.1.1.1, which will be translated to 10.10.10.1.

As you have mentioned below:

This static translates host 172.25.52.26 behind interface PAK_IT to itself for interface MAC_IT.

There is no such host 172.25.52.26; this is a virtual IP, the real IP is 172.25.51.26. So what I understand is that when 172.25.51.26 wants to access MAC_IT it will be translated to 172.25.52.26. Is this what you mean to say? Please correct me if I am wrong.

For example: the user is coming from a lower security level to the inside, higher security level, so the statement will be (outside,inside). So in this case PAK_IT is outside and MAC_IT is inside.

And

You will need a static even if you have nat control disabled if you had any existing nats or statics that were matching 172.25.52.26 behind the PAK_IT.

There were no static or NAT statements for this IP, but there were other static statements between PAK_IT and MAC_IT for other IP addresses.

Hello Dears,

Can anybody help me on the above query?

Thanks

Hi,

Did you notice what syslog was being produced before putting in the particular static between PAK_IT and MAC_IT? This should give us a better idea of what was wrong with NAT.

Also, what does the output of "show run all | in nat-control" give you like pkampana had asked before?

Thanks and Regards,

Prapanch

Hello Dears,

One PC, 172.25.51.26 in PAK_IT, wants to access the subnet 172.25.52.0 in MAC_IT. The static statement is working fine and PC 172.25.51.26 is accessing the whole MAC_IT subnet. I just want to explore more what this static statement means. Is what I have mentioned in the above mail correct for the static statement?

Also, what does the output of "show run all | in nat-control" give you like pkampana had asked before?

I have checked with the command and NAT-control is disabled.

Thanks

Hello Estela,

I will attempt to answer your questions:

static (PAK_IT,MAC_IT) 172.25.52.26 172.25.51.26 netmask 255.255.255.255

You asked:

There is no such host 172.25.52.26; this is a virtual IP, the real IP is 172.25.51.26. So what I understand is that when 172.25.51.26 wants to access MAC_IT it will be translated to 172.25.52.26. Is this what you mean to say? Please correct me if I am wrong.

The static command translates host 172.25.51.26 to IP 172.25.52.26 when traffic traverses from the PAK_IT to the MAC_IT interface.  Therefore, when host 172.25.51.26 needs to access resources behind the MAC_IT interface, the traffic will appear to have originated from IP address 172.25.52.26 to the hosts behind the MAC_IT interface.  Likewise, if hosts behind the MAC_IT interface need to access resources on host 172.25.51.26, they will need to access it using the translated address (172.25.52.26) and not the real IP.  The static NAT works in both directions.

The logic is similar to the example you provided:

interface vlan 2
nameif inside
security-level 100

interface vlan 3
nameif outside
security-level 0

static(inside,outside) 202.1.1.1 10.10.10.1 netmask 255.255.255.255

The above static command says that when the host on the inside (10.10.10.1) goes to the internet it is translated to 202.1.1.1, and also when users from the outside want to access the host on the inside they will hit 202.1.1.1, which will be translated to 10.10.10.1.

The command "nat-control" determines whether NAT is required when traffic traverses the FWSM.  If nat-control is enabled, you will see the following when you execute the command "show run all | inc nat-control":

FWSM/admin# show run all nat-c
nat-control

Likewise, if nat-control is disabled, you will see the following:

FWSM/admin(config)# show run all nat-c
no nat-control

However, even if you have nat-control disabled, if there is a NAT statement associated with an interface, a translation will still be required when traffic traverses that interface.  For example:

no nat-control
static (PAK_IT,MAC_IT) 172.25.52.26 172.25.51.26 netmask 255.255.255.255
global (MAC_IT) 1 interface
nat (PAK_IT) 1 0 0

With the above NAT and STATIC statements, host 172.25.51.26 is translated to 172.25.52.26, and all other hosts behind the PAK_IT interface will be PAT'ed to the MAC_IT interface IP.  So in this case, even though nat-control is disabled, a translation is still required because the command "nat (PAK_IT) 1 0 0" is enforcing NAT for all hosts behind the PAK_IT interface.

Likewise, if you had the following example:

no nat-control
static (PAK_IT,MAC_IT) 172.25.52.26 172.25.51.26 netmask 255.255.255.255

Then only host 172.25.51.26 will be translated due to the static statement.  No other hosts will require a translation.

To determine whether a translation is required, you can look at the output of "show run nat" and "show run global"; this will tell you if any NAT statements are configured.

Hope this helps.
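To make the interaction between nat-control, the static and the nat/global pair described in the answer above concrete, here is an added example (not from this thread and not Cisco code) that models the FWSM lookup in Python over a constructed copy of the quoted statements. It assumes the simplified rule stated in the thread, that a host matching no statement is translated to itself when nat-control is off and gets no translation when it is on, and it ignores ACLs and security levels; parse_config, translate and untranslate are hypothetical helper names.

```python
import ipaddress
# Constructed FWSM snippet, assembled from the statements quoted in this thread.
FWSM_CONFIG = """
no nat-control
static (PAK_IT,MAC_IT) 172.25.52.26 172.25.51.26 netmask 255.255.255.255
global (MAC_IT) 1 interface
nat (PAK_IT) 1 0 0
"""

def _net(addr, mask):   # FWSM shorthand "0 0" means 0.0.0.0 0.0.0.0 (any host)
    a, m = ("0.0.0.0" if x == "0" else x for x in (addr, mask))
    return ipaddress.ip_network(f"{a}/{m}", strict=False)

def parse_config(text):
    """Parse the subset of FWSM NAT syntax used in the thread (hypothetical model)."""
    cfg = {"nat_control": False, "statics": [], "nats": [], "globals": {}}
    for t in (l.split() for l in text.splitlines() if l.strip()):
        if t == ["nat-control"]:
            cfg["nat_control"] = True
        elif t[:2] == ["no", "nat-control"]:
            cfg["nat_control"] = False
        elif t[0] == "static":   # static (real_if,mapped_if) mapped real netmask m
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["statics"].append((real_if, mapped_if, _net(t[3], t[5]), ipaddress.ip_address(t[2])))
        elif t[0] == "nat":      # nat (real_if) id real mask
            cfg["nats"].append((t[1].strip("()"), int(t[2]), _net(t[3], t[4])))
        elif t[0] == "global":   # global (mapped_if) id interface|pool
            cfg["globals"][(t[1].strip("()"), int(t[2]))] = t[3]
    return cfg

def translate(cfg, src_if, dst_if, src_ip):
    """Outbound: address src_ip shows on dst_if; 'PAT:<pool>' for a dynamic rule; None if nothing matches under nat-control."""
    ip = ipaddress.ip_address(src_ip)
    for real_if, mapped_if, real_net, mapped in cfg["statics"]:   # statics are checked first
        if (real_if, mapped_if) == (src_if, dst_if) and ip in real_net:
            return str(mapped + (int(ip) - int(real_net.network_address)))
    for real_if, nat_id, real_net in cfg["nats"]:                  # then nat/global pairs
        if real_if == src_if and ip in real_net and (dst_if, nat_id) in cfg["globals"]:
            return "PAT:" + cfg["globals"][(dst_if, nat_id)]
    return None if cfg["nat_control"] else str(ip)   # unmatched host: identity NAT unless nat-control

def untranslate(cfg, from_if, to_if, dst_ip):
    """Inbound (statics work both ways): the real host on to_if reached from from_if via mapped dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    for real_if, mapped_if, real_net, mapped in cfg["statics"]:
        mapped_net = ipaddress.ip_network(f"{mapped}/{real_net.prefixlen}", strict=False)
        if (real_if, mapped_if) == (to_if, from_if) and ip in mapped_net:
            return str(real_net.network_address + (int(ip) - int(mapped_net.network_address)))
    return None
```

Running translate for 172.25.51.26 and for any other PAK_IT host against the two configurations in the answer reproduces its two cases: the static always wins, and the other hosts are either PAT'ed via the nat/global pair or translated to themselves.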