Cisco Support Community
New Member

FWSM - NAT: I can't figure this out

Hi experts,

I have just been asked to take over management of a FWSM in a 6509. Looking into the config, I notice that there don't appear to be adequate NAT statements, as I know them.

For example, here is the config relating to a network on the inside interface accessing a device in the web dmz:

interface Vlan351
 nameif webfront
 security-level 30
 ip address 10.30.5.1 255.255.255.0
interface Vlan383
 nameif inside
 security-level 90
 ip address 10.30.81.10 255.255.255.252
object-group network OFFICE-NETWORKS
 network-object 10.18.0.0 255.255.0.0
access-list INSIDE-IN extended permit ip object-group OFFICE-NETWORKS host 10.30.5.34
access-group INSIDE-IN in interface inside
route product-inside 10.18.0.0 255.255.0.0 core12

Now, I would expect there to be a NAT 0 or a static entry, but there is neither (you'll have to trust me on this!). There is actually no NAT 0 entry, only numbers 1-10 for outgoing traffic from the web dmz to the outside interface.

Yet a connection still occurs:

TCP out 10.30.5.34:3389 in 10.18.10.4:2035 idle 0:00:02 Bytes 142 FLAGS - U

And NAT has taken place:

NAT from inside:10.18.10.4 to webfront:10.18.10.4 flags Ii

I can't figure out how it knows to NAT this...can anyone shed any light?

Many thanks,

J

4 REPLIES
Hall of Fame Super Blue

Re: FWSM - NAT: I can't figure this out

J

It sounds like you have "no nat-control" enabled on your FWSM. With "no nat-control" enabled traffic can go from a higher to a lower security interface without a NAT rule.

Which version of FWSM code are you running?

Can you see any line in the config to do with "nat-control"?

Jon

New Member

Re: FWSM - NAT: I can't figure this out

Hi Jon,

Many thanks for your response. Apologies, I should have said that I had already searched for "no nat-control" in the config but it's not there... but thinking about it, does that mean that this is set as default and that's why it's not showing? It's running version 3.1(1).

J

Hall of Fame Super Blue (Accepted Solution)

Re: FWSM - NAT: I can't figure this out

J

nat-control is disabled by default with version 3.1 on the FWSM, so I suspect this is why you are seeing the behaviour you describe -

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/no.html#wp1585941

If nat-control was enabled on 3.1 you would see a line in your config - "nat-control"

Jon
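Added example, not code from the thread or from Cisco: a small Python model of the classic FWSM/ASA NAT check, to make the behaviour Jon describes concrete. It reads the interfaces, the nat-control line and the plain nat/global/static forms out of a config, then decides whether a first packet between two interfaces needs a translation rule and which translation it gets. The sample config is constructed from the one in the question; the outside interface, its address and the global pool are assumptions, as is treating an absent nat-control line as disabled (the FWSM 3.1 default Jon cites). NAT exemption (nat 0 access-list) and policy NAT are not modelled.

```python
"""Model of the classic FWSM/ASA NAT check (added example, not from the thread).

Given a config, decide whether a first packet between two interfaces needs a
translation rule and which translation it gets.  Only the plain forms of
nat/global/static are parsed; nat 0 access-list and policy NAT are ignored."""
import ipaddress
import re

# Constructed sample based on the config in the question.  The outside
# interface, its address and the global pool are assumptions.
SAMPLE_CONFIG = """\
interface Vlan351
 nameif webfront
 security-level 30
 ip address 10.30.5.1 255.255.255.0
interface Vlan383
 nameif inside
 security-level 90
 ip address 10.30.81.10 255.255.255.252
interface Vlan100
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
nat (webfront) 1 10.30.5.0 255.255.255.0
global (outside) 1 interface
"""


def _net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse_config(text, nat_control_default=False):
    """Collect interfaces, the nat-control state and translation rules.
    An absent nat-control line means disabled (FWSM 3.1 default per the
    thread); pass nat_control_default=True for a platform that differs."""
    cfg = {"ifaces": {}, "nat_control": nat_control_default,
           "nat": [], "global": set(), "static": []}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"level": 0}
        elif line.startswith("nameif ") and cur is not None:
            cfg["ifaces"][line.split()[1]] = cur
        elif line.startswith("security-level ") and cur is not None:
            cur["level"] = int(line.split()[1])
        elif line == "nat-control":
            cfg["nat_control"] = True
        elif line == "no nat-control":
            cfg["nat_control"] = False
        elif m := re.match(r"nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\S+)", line):
            cfg["nat"].append({"if": m[1], "id": int(m[2]), "net": _net(m[3], m[4])})
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            cfg["global"].add((m[1], int(m[2])))
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line):
            cfg["static"].append({"real_if": m[1], "mapped_if": m[2],
                                  "mapped": _net(m[3], m[5]), "real": _net(m[4], m[5])})
    return cfg


def decide(cfg, src_if, dst_if, src_ip, dst_ip):
    """Return (allowed, kind, reason) for a first packet src_ip -> dst_ip
    entering on src_if and leaving on dst_if.  Direction follows the classic
    model: static works both ways, nat 0 (identity) and nat/global only from
    the higher-security side.  A nat rule with no global on dst_if is not
    distinguished from "no rule" here."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    outbound = cfg["ifaces"][src_if]["level"] > cfg["ifaces"][dst_if]["level"]

    for st in cfg["static"]:
        if st["real_if"] == src_if and st["mapped_if"] == dst_if and src in st["real"]:
            mapped = st["mapped"][int(src) - int(st["real"].network_address)]
            return True, "static", f"static: {src} appears as {mapped} on {dst_if}"
        if st["mapped_if"] == src_if and st["real_if"] == dst_if and dst in st["mapped"]:
            return True, "static", f"static: inbound to mapped {dst} permitted"

    if outbound:
        for rule in cfg["nat"]:
            if rule["if"] != src_if or src not in rule["net"]:
                continue
            if rule["id"] == 0:
                return True, "identity", f"nat 0: {src} untranslated on {dst_if}"
            if (dst_if, rule["id"]) in cfg["global"]:
                return True, "dynamic", f"nat {rule['id']} with global ({dst_if}) pool"

    if cfg["nat_control"]:
        return False, None, "nat-control: no translation group found, packet dropped"
    return True, "identity", "no nat-control: implicit identity xlate (flags Ii)"


if __name__ == "__main__":
    flow = ("inside", "webfront", "10.18.10.4", "10.30.5.34")
    for label, extra in [("as posted", ""), ("with nat-control", "nat-control\n"),
                         ("nat-control + nat 0", "nat-control\nnat (inside) 0 10.18.0.0 255.255.0.0\n")]:
        print(f"{label}: {decide(parse_config(SAMPLE_CONFIG + extra), *flow)}")
```

Run it on the flow from the question (inside 10.18.10.4 to webfront 10.30.5.34) and it reports an implicit identity translation, which is what the xlate with flags Ii in the question shows. Append `nat-control` to the sample and the same flow is refused until a `nat (inside) 0` or `static (inside,webfront)` rule is added; with only `nat 0` the reverse direction (webfront to inside) still needs a static. The caveat for anyone tidying this firewall up: enabling nat-control without first adding identity rules for every ACL-permitted flow will drop that traffic.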

New Member

Re: FWSM - NAT: I can't figure this out

Ah OK, that must be it (although this surprises me!). Many thanks for clearing that up for me :)

J
