New Member

How to do source address NAT

hi,

Could you please let me know how to do source address NAT'ing on FWSM.

Source IP: 1.1.1.1

Ingress interface: DMZ1

Ingress subnet: 1.1.1.0/24

Egress interface: DMZ2

Egress subnet: 2.2.2.0/24

The source IP 1.1.1.1, initiated from DMZ1, should be NAT'ed to 3.3.3.1 upon exiting the egress interface DMZ2.

Thanks.

23 REPLIES

Re: How to do source address NAT

Hi,

What are the security levels for the DMZ1 and DMZ2 interfaces?

New Member

Re: How to do source address NAT

DMZ1: 100

DMZ2: 70

Thanks.

Re: How to do source address NAT

Hi again,

static (DMZ1,DMZ2)3.3.3.1 1.1.1.1 255.255.255.255

Cheers mate,

Muath

Re: How to do source address NAT

And sorry for the 1,000 replies, by mistake mate :)

New Member

Re: How to do source address NAT

The syntax is incorrect. It should be

static (DMZ1,DMZ2)3.3.3.1 1.1.1.1 netmask 255.255.255.255

Secondly, the above isn't working. I debugged the packet and the source address is not NAT'ed.

I would be more interested in NAT'ing the network rather than the host, i.e. with a /24.

New Member

Re: How to do source address NAT

I got the following from a NAT guide on the internet. Please advise if it is correct. I have tried it on FWSM and it is not working.

Please assist.

Quote

Static source translation

Source static translation is used when the source IP address of the host (local IP) is changed to another IP (global IP) once the packet gets routed to the destination. This translation hides the real identity of the initiator and also allows private IP addresses to be translated to public IPs in order to get routed through public networks.

Syntax:

#static(source_intf, destination_intf) netmask

Example:

//Host 10.0.0.100 is source translated when it connects to another host situated behind the dmz03 interface.

#static(inside,dmz03) 90.30.2.10 10.0.0.100 netmask 255.255.255.255

Unquote

New Member

Re: How to do source address NAT

I am coming across some materials stating that source address NAT'ing is not supported on FWSM. Is it true? Please confirm. Thanks.

Re: How to do source address NAT

Hi,

Is it possible that NAT is disabled on your FWSM?

If it's disabled, enter the "nat-control" command in config mode in order to enable it.

Cheers

New Member

Re: How to do source address NAT

nat-control means that all packets flowing through the security appliance require a NAT rule, or the packets will be denied passage through the appliance.

This is not the intention. I do not want all the traffic going through the appliance to be NAT'ed.

So as long as the NAT rule exists, NAT'ing should take place even if nat-control is disabled.

Re: How to do source address NAT

Mate,

Can you please send me a link that explains this? This is the first time I have heard of it.

I believe that if nat-control is disabled, no NAT is going to take place on the firewall.

However, if nat-control is enabled and yet some IP addresses need not be NAT'ed, you may use nat exclude.

Cheers mate.

Re: How to do source address NAT

Mate,

Let's sum things up: your requirement is that when a host in DMZ1 (1.1.1.0/24) connects to a host in DMZ2 (2.2.2.0/24), the IP address of the host from DMZ1 (1.1.1.0/24) is NAT'ed to 3.3.3.1?

New Member

Re: How to do source address NAT

Minor correction:

A host in DMZ1 connects to any host routed through DMZ2 (i.e. it could be multiple hops away); the IP address of the host from DMZ1 should be NAT'ed to, for example, 3.3.3.1.

Also, I would like the NAT to occur at the network level and not the host level.

A similar example in router IOS would be

ip nat inside source static network 192.168.10.0 172.16.1.0 /24

This caters for bidirectional NAT'ing. I would like to achieve the same on FWSM.

Re: How to do source address NAT

What are the network IPs used for DMZ1 and DMZ2? And to what do you want DMZ1 to be NAT'ed? (Please use X.X.X.0/24 for any public IPs.)

I also need the current static NAT configs from your FWSM.

New Member

Re: How to do source address NAT

The DMZ1 and DMZ2 subnets are for DB server communications. As mentioned, DMZ1 should be NAT'ed to 3.3.3.0/24.

There are no public IPs involved. It's all internal NAT'ing.

Currently there are no NAT configs on the FWSM. Plain and simple case.

The router IOS example I gave was for some other network (just used as an example).

Re: How to do source address NAT

Configure static NAT on the firewall, ping any host in DMZ2 from DMZ1, and let us see the output of the "show log" command.

New Member

Re: How to do source address NAT

static (DMZ2,DMZ1) tcp 1.1.1.120 ftp 2.2.2.120 ftp netmask 255.255.255.255

> show log

%FWSM-6-305011: Built static tcp translation from DMZ2:2.2.2.120/21 to DMZ1:1.1.1.120/21

%FWSM-6-302013: Built inbound TCP connection 145674682330124245 for DMZ1:1.1.1.10/36217 (1.1.1.10/36217) to DMZ2:1.1.1.120/21 (2.2.2.120/21)
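What the thread turns on is the direction of the pre-8.3 static command, `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask`: hosts behind real_ifc appear on mapped_ifc under the mapped address, and the same entry lets mapped_ifc reach them at that address (the bidirectional behaviour asked for earlier). The entry tested above, `static (DMZ2,DMZ1) tcp 1.1.1.120 ftp 2.2.2.120 ftp ...`, therefore publishes the DMZ2 server 2.2.2.120 on DMZ1 as 1.1.1.120 and rewrites the destination of the DMZ1 client's connection while leaving its source 1.1.1.10 alone, which is what the 305011/302013 messages show; the requirement stated earlier (1.1.1.0/24 on DMZ1 appearing as 3.3.3.0/24 towards DMZ2) corresponds to `static (DMZ1,DMZ2) 3.3.3.0 1.1.1.0 netmask 255.255.255.0`. The following Python model is an added example written for this page, not Cisco code and not from any poster: it parses both commands and applies that direction logic to the thread's own flows. The port-name table and the flows are constructed inputs, security levels and ACLs are ignored, and nat-control is modelled only as "a flow matching no translation is dropped", which is a deliberate simplification (a configured static applies whether or not nat-control is on).

```python
"""Editor's model of the pre-8.3 Cisco (PIX/ASA/FWSM) 'static' command.
Not Cisco code: parses the statics discussed in the thread and applies
their direction logic. Assumptions: ACLs and security levels are ignored;
nat-control only decides the fate of flows that match no translation."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed inputs: the thread's requirement as a network static, and the
# host/port static the original poster actually tested.
NETWORK_STATIC = "static (DMZ1,DMZ2) 3.3.3.0 1.1.1.0 netmask 255.255.255.0"
FTP_STATIC = "static (DMZ2,DMZ1) tcp 1.1.1.120 ftp 2.2.2.120 ftp netmask 255.255.255.255"
# Small port-name table (assumption: enough for the examples here).
PORT_NAMES = {"ftp": 21, "ssh": 22, "smtp": 25, "dns": 53, "http": 80, "https": 443}

@dataclass
class Static:
    real_ifc: str                      # where the real (untranslated) hosts live
    mapped_ifc: str                    # where they appear under the mapped address
    mapped_net: ipaddress.IPv4Network
    real_net: ipaddress.IPv4Network
    proto: Optional[str] = None        # set only for tcp/udp port statics
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

@dataclass
class Flow:
    in_ifc: str
    out_ifc: str
    src: str
    dst: str
    proto: str = "tcp"
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class Result:
    action: str                        # "translated", "untranslated" or "dropped"
    src: str
    dst: str
    rule: Optional[str] = None

def _port(tok: str) -> int:
    if tok.isdigit():
        return int(tok)
    if tok.lower() in PORT_NAMES:
        return PORT_NAMES[tok.lower()]
    raise ValueError(f"unknown port name {tok!r}")

def parse_static(line: str) -> Static:
    """static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip [port] real_ip [port] netmask mask"""
    m = re.match(r"\s*static\s*\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)\s*(.*)$", line)
    if not m:
        raise ValueError(f"not a static command: {line!r}")
    real_ifc, mapped_ifc, rest = m.groups()
    toks = rest.split()
    proto = toks.pop(0).lower() if toks and toks[0].lower() in ("tcp", "udp") else None
    if "netmask" not in toks:          # the thread's first syntax error
        raise ValueError("static requires the 'netmask' keyword")
    i = toks.index("netmask")
    mask, addrs = toks[i + 1], toks[:i]
    if proto:
        mapped_ip, mp, real_ip, rp = addrs
        ports = (_port(mp), _port(rp))
    else:
        mapped_ip, real_ip = addrs
        ports = (None, None)
    mapped_net = ipaddress.IPv4Network(f"{mapped_ip}/{mask}", strict=False)
    real_net = ipaddress.IPv4Network(f"{real_ip}/{mask}", strict=False)
    return Static(real_ifc, mapped_ifc, mapped_net, real_net, proto, *ports)

def _shift(addr: str, from_net, to_net) -> str:
    """Same-offset mapping between two equal-sized networks (host static: offset 0)."""
    off = int(ipaddress.IPv4Address(addr)) - int(from_net.network_address)
    return str(to_net.network_address + off)

def apply_statics(flow: Flow, statics: List[Static], nat_control: bool = False) -> Result:
    src, dst = flow.src, flow.dst
    for s in statics:
        name = f"static ({s.real_ifc},{s.mapped_ifc}) {s.mapped_net} {s.real_net}"
        port_ok_out = s.proto is None or (flow.proto == s.proto and flow.sport == s.real_port)
        port_ok_in = s.proto is None or (flow.proto == s.proto and flow.dport == s.mapped_port)
        # real -> mapped direction: the SOURCE address is rewritten
        if (flow.in_ifc == s.real_ifc and flow.out_ifc == s.mapped_ifc
                and ipaddress.IPv4Address(src) in s.real_net and port_ok_out):
            return Result("translated", _shift(src, s.real_net, s.mapped_net), dst, name)
        # mapped -> real direction: the DESTINATION address is rewritten
        if (flow.in_ifc == s.mapped_ifc and flow.out_ifc == s.real_ifc
                and ipaddress.IPv4Address(dst) in s.mapped_net and port_ok_in):
            return Result("translated", src, _shift(dst, s.mapped_net, s.real_net), name)
    # Nothing matched: a configured static always applies; nat-control only
    # decides what happens to flows that match no translation (assumption above).
    return Result("dropped" if nat_control else "untranslated", src, dst)

if __name__ == "__main__":
    net = [parse_static(NETWORK_STATIC)]
    print(apply_statics(Flow("DMZ1", "DMZ2", "1.1.1.1", "2.2.2.5"), net))   # src becomes 3.3.3.1
    print(apply_statics(Flow("DMZ2", "DMZ1", "2.2.2.5", "3.3.3.1"), net))   # dst becomes 1.1.1.1
    ftp = [parse_static(FTP_STATIC)]
    print(apply_statics(Flow("DMZ1", "DMZ2", "1.1.1.10", "1.1.1.120", sport=36217, dport=21), ftp))
    print(apply_statics(Flow("DMZ1", "DMZ2", "1.1.1.1", "2.2.2.5"), ftp, nat_control=True))
```

Run as a script it prints four results: the network static rewrites the DMZ1 source to 3.3.3.1 and maps the reverse destination 3.3.3.1 back to 1.1.1.1, the tested FTP static leaves 1.1.1.10 untouched and rewrites the destination to 2.2.2.120 as in the log above, and a flow that matches no static is only dropped when nat-control is on.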
