Could you please let me know how to do source address NAT'ing on FWSM.
Source IP: 126.96.36.199
Ingress interface: DMZ1
Ingress subnet: 188.8.131.52/24
Egress interface: DMZ2
Egress subnet: 184.108.40.206/24
The Source IP 220.127.116.11 initiated from DMZ1 should be natted to 18.104.22.168 upon exiting the Egress interface DMZ2.
The syntax is incorrect. It should be
static (DMZ1,DMZ2)22.214.171.124 126.96.36.199 netmask 255.255.255.255
Secondly, the above isn't working. I debugged the packet and source address is not nat'ed.
I would be more interested on NAT'ing the network rather than the host, like with / 24.
I got the following from a NAT guide on the internet. Please advise if it is correct. I have tried it on FWSM and it is not working.
Static source translation
Source static translation is used when the source IP address of the host (local IP) is
changed to another IP (global IP) once the packet gets routed to the destination. This
translation hides the real identity of the initiator and also allows private IP addresses
to be translated to public IPs in order to get routed through public networks.
//Host 10.0.0.100 is source translated when connects to another host situated behind dmz03
#static(inside,dmz03) 188.8.131.52 10.0.0.100 netmask 255.255.255.255
I am coming across some materials stating that source address NAT'ing is not supported in FWSM. Is it true ? Please confirm. Thanks.
Is it possible that NAT is disabled on your FWSM?
If its disabled, while in config mode, do the "nat-control" command in order to enable it.
nat-control means all packets that flow through the Security Appliance require a NAT rule, or the packets will be denied access through the appliance.
This is not the intention. I do not want all the traffic going thru the appliance to be NAT'ed.
So as long as the NAT rule exists, natting should take place even if the nat-control is disabled.
Can you please send me a link that explains this? As this is the 1st time to hear this.
I believe that if nat-control is disabled, no nat is going to take place on the firewall.
However, if nat-control is enabled and yet, some IP addresses need not to be natted, you may use nat exclude.
Lets sum things up, your requirement is that when a host in DMZ1 (184.108.40.206/24) connects to a host in DMZ2 (220.127.116.11/24), the IP address of the host from DMZ1 (18.104.22.168/24) is NATed to 22.214.171.124?
Host in DMZ1 connects to any host routed through DMZ2 (i.e. could be multiple hops away), the IP address of the host from DMZ1 should be NAT'ed to for e.g. 126.96.36.199
Also, I would like the NAT to occur on network level and not host.
Similar example in router IOS would be
ip nat inside source static network 192.168.10.0 172.16.1.0 /24
This caters to bi-directional NAT'ing. I would like to achieve the same in FWSM.
What are the network IPs used for DMZ1, DMZ2? And to what do you want DMZ1 to be NATed to? (please use X.X.X.0/24 for any with public IPs)
I also need the current static NAT configs on your FWSM.
DMZ1, DMZ2 subnet are for db server communications. As mentioned, DMZ1 should be NAT'ed to 188.8.131.52/24
There are no public IPs involved. Its all internal NAT'ing.
Currently there are no NAT configs on FWSM. Plain and simple case.
The example I gave of Router IOS was for some other network (just used as an example).
static (DMZ2,DMZ1) tcp 184.108.40.206 ftp 220.127.116.11 ftp netmask 255.255.255.255
> show log
%FWSM-6-305011: Built static tcp translation from DMZ2:18.104.22.168/21 to DMZ1:22.214.171.124/21
%FWSM-6-302013: Built inbound TCP connection 145674682330124245 for DMZ1:126.96.36.199/36217 (188.8.131.52/36217) to DMZ2:184.108.40.206/21 (220.127.116.11/21)