Community Member

FWSM NAT PROBLEM

Hi.

I have a problem with FWSM and NAT.

I have a FWSM with two interfaces, OUTSIDE and DMZ.

I have a server on the DMZ (10.0.0.2/24) and a client on the OUTSIDE (192.168.1.2/24)

I have a static NAT like "static (DMZ,OUTSIDE) 1.1.1.1 10.0.0.2"

When I access the public address (1.1.1.1) there are no problems.

When I access the private address (10.0.0.2), the reply packet is always translated, and this is a problem for me because I need to access both addresses correctly, public and private.

Need help please!

Thanks in advance!

David

5 REPLIES
Cisco Employee

Re: FWSM NAT PROBLEM

Hi David,

Unfortunately this is not possible. You can set up NAT exemption for certain hosts, but a single client won't be able to access the server using both local and global IP addresses, since NAT exemption on the FWSM is only based on IP address.

Hope that helps.

-Mike

Cisco Employee

Re: FWSM NAT PROBLEM

Hello,

I am not sure I understand the issue.

I have a problem with FWSM and NAT.

I have a FWSM with two interfaces, OUTSIDE and DMZ.

I have a server on the DMZ (10.0.0.2/24) and a client on the OUTSIDE (192.168.1.2/24)

I have a static NAT like "static (DMZ,OUTSIDE) 1.1.1.1 10.0.0.2"

When I access the public address (1.1.1.1) there are no problems.

--Based on the static NAT configuration, traffic arriving on the Outside interface destined for 1.1.1.1 should be translated to the real IP of 10.0.0.2.  This appears to be working.

When I access the private address (10.0.0.2), the reply packet is always translated, and this is a problem for me because I need to access both addresses correctly, public and private.

--Is the traffic originating behind the Outside interface to host 10.0.0.2?  This will not work, since your static NAT statement (static (DMZ,OUTSIDE) 1.1.1.1 10.0.0.2) will only allow traffic to 10.0.0.2 on the Outside interface if it is using the NAT'ed IP of 1.1.1.1.

What are you trying to achieve?

Community Member

Re: FWSM NAT PROBLEM

Hi Allen.

The client computer (192.168.1.2) needs to access both IP addresses (1.1.1.1 and 10.0.0.2).

How can I achieve this?

Maybe xlate bypass?

Thanks!

Cisco Employee

Re: FWSM NAT PROBLEM

Hi David,

If Xlate Bypass is enabled, then the original static statement will not take effect.

static (DMZ,OUTSIDE) 1.1.1.1 10.0.0.2

Does the client computer need to use the internal IP for a certain application on a particular port, and the external IP for other applications?  If so, you can configure static policy NAT.

However, if no ports are defined, you cannot have the client computer access the inside host on both IP addresses. That is not supported.
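The behaviour Allen describes (a plain static rewrites the server's replies whenever the client talks to 10.0.0.2 directly) and the accepted answer's point that only a port-scoped static policy NAT lets one client use both addresses can be seen in a small model. The code below is an added example, not FWSM code, not a Cisco configuration and not part of the thread: it models a static entry as a match on the real host, optionally scoped to one protocol and port (standing in for the access-list of a policy static), and applies it to both directions of a flow. The addresses and interface names come from the thread; the packet fields, the rule class and the assumption that traffic matching no static is forwarded untranslated are mine.

```python
"""Simplified model of a one-to-one static NAT entry versus a port-scoped
(policy) static, used to show which replies a client sees rewritten.

Added example: not FWSM code and not a configuration to paste. The
topology mirrors the thread; everything else is a modelling assumption.
"""
from dataclasses import dataclass, replace
from typing import Optional

# Constructed topology taken from the thread (assumptions, not FWSM data).
OUTSIDE, DMZ = "OUTSIDE", "DMZ"
CLIENT, SERVER_REAL, SERVER_MAPPED = "192.168.1.2", "10.0.0.2", "1.1.1.1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    ingress: str  # interface the packet arrives on


@dataclass(frozen=True)
class StaticRule:
    """Model of 'static (real_if,mapped_if) mapped_ip real_ip'.

    proto/real_port, when set, limit the rule to one service of the real
    host. This stands in for the access-list of a port-scoped policy static.
    """
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None
    real_port: Optional[int] = None

    def covers(self, proto: str, real_port: int) -> bool:
        if self.proto is None:
            return True  # plain static: every flow of the real host
        return self.proto == proto and self.real_port == real_port


def translate(pkt: Packet, rules: list[StaticRule]) -> Packet:
    """Apply the first static that matches the packet in either direction.

    A packet matching no rule is forwarded unchanged (the model assumes
    untranslated traffic is allowed through, i.e. no nat-control).
    """
    for r in rules:
        # real -> mapped side: the real host's source address is rewritten
        if (pkt.ingress == r.real_if and pkt.src == r.real_ip
                and r.covers(pkt.proto, pkt.sport)):
            return replace(pkt, src=r.mapped_ip)
        # mapped -> real side: the mapped destination is rewritten back
        if (pkt.ingress == r.mapped_if and pkt.dst == r.mapped_ip
                and r.covers(pkt.proto, pkt.dport)):
            return replace(pkt, dst=r.real_ip)
    return pkt


def round_trip(dst: str, dport: int, rules: list[StaticRule],
               proto: str = "tcp") -> tuple[str, bool]:
    """Send one request from the client to dst:dport through the rules and
    return (source address the client sees on the reply, whether that
    matches the address the client actually sent to)."""
    req = Packet(CLIENT, dst, proto, 40000, dport, OUTSIDE)
    on_dmz = translate(req, rules)
    # The server answers from whatever real address the request reached.
    reply = Packet(on_dmz.dst, on_dmz.src, proto, on_dmz.dport, on_dmz.sport, DMZ)
    at_client = translate(reply, rules)
    return at_client.src, at_client.src == dst


# The thread's static, and a hypothetical port-scoped variant for web only.
PLAIN_STATIC = [StaticRule(DMZ, OUTSIDE, SERVER_MAPPED, SERVER_REAL)]
WEB_ONLY_STATIC = [StaticRule(DMZ, OUTSIDE, SERVER_MAPPED, SERVER_REAL, "tcp", 80)]

if __name__ == "__main__":
    for label, rules in (("plain static", PLAIN_STATIC), ("web-only static", WEB_ONLY_STATIC)):
        for dst, port in ((SERVER_MAPPED, 80), (SERVER_REAL, 80), (SERVER_REAL, 22)):
            reply_src, ok = round_trip(dst, port, rules)
            print(f"{label}: {CLIENT} -> {dst}:{port}  reply from {reply_src}  "
                  f"{'accepted' if ok else 'mismatch'}")
```

With the plain static, a request sent to 10.0.0.2 reaches the server, but its reply is rewritten on the way back to 1.1.1.1, so the client receives an answer from an address it never contacted and its TCP stack has no connection to match it to; that is the "reply packet is always translated" symptom. With the static limited to tcp/80, traffic for other ports of 10.0.0.2 is left alone in both directions, so the client can use 1.1.1.1 for the web service and 10.0.0.2 for everything else. The same port on both addresses still fails, which is what the accepted answer means by "if no ports are defined".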

Community Member

Re: FWSM NAT PROBLEM

CISCOOOO please, implement the STATEFUL NAT!!!

Thanks to everybody!
