Cisco Support Community
New Member

FWSM: NAT issue

Hi all,

I am trying to set up a new context and want to allow internet access to users through the new context...

Internet router <==== FWSM (Admin, context1, context 2) <===== LAN

The internet router's inside and outside IPs are public IPs...

FWSM (the outside interfaces of the admin context and context1 are allocated VLAN 15, which has the same public subnet assigned)

and then the router's inside interface is connected to an access port (VLAN 15)...

The inside interface of FWSM context 1 is VLAN 68, and one PC is attached to VLAN 68.

I am able to ping the internet router's inside IP from the PC (VLAN 68) but not able to NAT the inside traffic...

I first configured PAT for the inside subnet of context 1 and then also tried static NAT, but when checking sh xlate I am not able to see any translation... it shows the same address...


fwsm/context1# sh xlate
1 in use, 2 most used
Global Local

fwsm/context1# sh conn
6 in use, 15 most used
Network Processor 1 connections
UDP KPTLOUT KPTL idle 0:01:46 Bytes 940 FLAGS - D

TCP KPTLOUT KPTL idle 0:00:05 Bytes 132 FLAGS - s

I captured the traffic at the inside interface, which shows the ICMP traffic sending the request and getting the reply on the real IP... NAT not working.

  21: 16:24:30.538159242 802.1Q vlan#68 P0 180.150.x.x > icmp: echo reply
  22: 16:24:31.538160242 802.1Q vlan#68 P0 > 180.150.x.x: icmp: echo request
  23: 16:24:31.538160242 802.1Q vlan#68 P0 180.150.x.x > icmp: echo reply
  24: 16:24:31.538160442 802.1Q vlan#68 P0 > 180.150.x.x: icmp: echo request

159: 17:45:23.543013072 802.1Q vlan#68 P0 > S 2347316862:2347316862(0) win 65535 <mss 1460,nop,nop,sackOK>

I have enabled nat-control also, but no luck... it seems NAT is not working, especially for the new context...

Need help...



Cisco Employee

Re: FWSM: NAT issue


show ver

show run nat-co

show run nat

show run global

show run static

show run interface

show run same

These would be interesting to see before we move any further.


New Member

Re: FWSM: NAT issue

Dear Marcin,

I have opened a TAC case for this and the SR is 614803557. I have attached the show-tech and show run of both contexts...

Please let me know if you need further details...

Please also find the TAC initial response...


Sharing an outside interface on the FWSM is supported, but the packet classifier relies on active NAT sessions to classify the destination addresses to a context; the classifier is limited by how you can configure NAT. If you do not want to perform NAT, you must use unique

All VLAN interfaces of the FWSM share the same MAC address, so any kind of routing is simply not possible over a shared interface - the packet classifier receives many packets from the external world addressed to the same FWSM MAC address and it can't understand which context they belong to and which context they should be routed over. The packet classifier does not take the route table into consideration because internal IP networks of contexts can overlap.

Please provide me with the following output from both contexts:

- show xlate detail
- show conn
- show local


Hope the above details help...
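The TAC reply above describes the rule the shared-interface classifier applies: an inbound packet is handed to a context by matching its destination address against that context's NAT state, not by a routing lookup. The model below is an added example written for this thread; it is not FWSM code or Cisco documentation. It ties the rule back to the original symptom (an empty show xlate on a context whose traffic leaves untranslated): such a flow's reply matches no context and is dropped at the shared outside interface. Context names, addresses and NAT rules are constructed for illustration.

```python
"""Toy model of a multi-context firewall whose outside interfaces share one VLAN.

Added example for this thread, not FWSM code. Models the classification rule
from the TAC reply: on a shared outside interface an inbound packet is owned by
the context whose static translations or active xlates contain its DESTINATION
address. Routing tables are never consulted because inside networks may overlap.
All names and addresses below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set


@dataclass
class Context:
    name: str
    inside_net: IPv4Network
    pat_global: Optional[IPv4Address] = None                              # global (outside) pool: one address
    statics: Dict[IPv4Address, IPv4Address] = field(default_factory=dict)  # global -> local (static NAT)
    nat_control: bool = True                                              # nat-control: untranslated flows are dropped
    xlates: Set[IPv4Address] = field(default_factory=set)                 # globals with an active translation


class SharedOutsideFirewall:
    """Several contexts whose outside interfaces share one VLAN and one MAC address."""

    def __init__(self, contexts: List[Context]) -> None:
        self.contexts = {c.name: c for c in contexts}

    def outbound(self, ctx_name: str, src: str) -> Optional[str]:
        """Send a packet from inside address `src` out of context `ctx_name`.

        Returns the source address seen on the shared outside wire, or None when
        the context drops it (nat-control enabled and no NAT rule matched).
        """
        ctx = self.contexts[ctx_name]
        real = IPv4Address(src)
        if real not in ctx.inside_net:
            raise ValueError(f"{src} is not behind {ctx_name}")
        for glob, local in ctx.statics.items():      # static (inside,outside) glob local
            if local == real:
                ctx.xlates.add(glob)
                return str(glob)
        if ctx.pat_global is not None:                # nat/global pair: PAT onto one address
            ctx.xlates.add(ctx.pat_global)
            return str(ctx.pat_global)
        if ctx.nat_control:                           # nothing matched: nat-control drops the flow
            return None
        return src                                    # leaves untranslated: real address on the shared wire

    def classify_inbound(self, dst: str) -> Optional[str]:
        """Return the name of the context owning an inbound packet to `dst`, or None if dropped.

        Only NAT state decides. A real inside address that was never translated
        appears in no context's xlates or statics, so the reply to an untranslated
        flow never reaches its context even though the request left the inside PC.
        """
        target = IPv4Address(dst)
        owners = [c.name for c in self.contexts.values()
                  if target in c.statics or target in c.xlates]
        if len(owners) == 1:
            return owners[0]
        return None  # no owner, or ambiguous (same global active in two contexts): dropped


def build_demo() -> SharedOutsideFirewall:
    """Two contexts with overlapping inside networks that NAT correctly, one that
    leaves traffic untranslated (empty show xlate), and one with nat-control and no rules."""
    return SharedOutsideFirewall([
        Context("ctx1", IPv4Network("10.68.0.0/24"), pat_global=IPv4Address("203.0.113.10")),
        Context("ctx2", IPv4Network("10.68.0.0/24"), pat_global=IPv4Address("203.0.113.20"),
                statics={IPv4Address("203.0.113.21"): IPv4Address("10.68.0.7")}),
        Context("untranslated", IPv4Network("10.70.0.0/24"), nat_control=False),
        Context("strict", IPv4Network("10.71.0.0/24")),
    ])


def round_trip(fw: SharedOutsideFirewall, ctx: str, src: str) -> Optional[str]:
    """Send from `ctx`, then classify the reply addressed to whatever source left the wire."""
    wire_src = fw.outbound(ctx, src)
    if wire_src is None:
        return None
    return fw.classify_inbound(wire_src)


if __name__ == "__main__":
    fw = build_demo()
    for ctx, src in [("ctx1", "10.68.0.5"), ("ctx2", "10.68.0.5"), ("ctx2", "10.68.0.7"),
                     ("untranslated", "10.70.0.5"), ("strict", "10.71.0.5")]:
        print(f"{ctx:13} {src:12} -> reply classified to {round_trip(fw, ctx, src)}")
```

Running it shows that both 10.68.0.5 hosts (one behind each of the two overlapping contexts) get their replies back because their PAT globals differ, while the untranslated context's reply is dropped even though the outbound request was visible on the inside capture, and the nat-control context drops the flow on the way out.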



Cisco Employee

Re: FWSM: NAT issue


If you're not sharing the inside interface, sharing the outside does not explain why the packet is not NATed IF it matches the rules ;-)

I'll try to check up on the case; however, I have full confidence my counterparts in the US will get to the bottom of it fast.

