Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Identity Nat on FWSM

Hello,

I am using a fwsm with 3.2.5 Release and i found some strange static-nat behavior.

My nat configuration looks like this:

static (inside,outside) 172.23.253.6 172.23.0.100 netmask 255.255.255.255

route inside 172.23.0.0 255.255.0.0 x.y.z.v

Everything works fine for some time, but then the fwsm creates a identity xlate which looks like this:

NAT from inside:172.23.0.100 to outside:172.23.251.6 flags si

NAT from inside:172.23.251.6 to outside:172.23.251.6 flags Ii

Then connections doesn't work any more, because the 172.23.251.6 is no longer translated to 172.23.0.100

If i remove the route, this identity xlate entry is not created.

So for me it's some kind of bug, because the pix has no reason to create a second xlate entry if i am using statics

From pix 6.3 (http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694 , look to nat order)

So the question is:

Is this behavior right? Or has cisco changed the nat order of their firewalls? Why should a route be preferd to a static nat entry?

Thanks a lot & Br

Ronald

2 REPLIES
Bronze

Re: Identity Nat on FWSM

With FWSM version 3.x or higher, the blade, by default, will route traffics so you do NOT have to do anything. You still need ACL to go from low to high but NOT from high to low. If you still use fwsm version 2.x, you still NEED to perform no NAT to go from high to low.The static statement works by creating pre-existing translations, so that when traffic enters, it matches an

existing translation. If you translate the entire class B network, traffic destined for the farm would match translations for both the farm and the admin networks. This would produce unexpected and unpredictable behavior.

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/pxpage.html

http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/configuration/guide/nat.html

Silver

Re: Identity Nat on FWSM

"With FWSM version 3.x or higher, the blade, by default, will route traffics so you do NOT have to do anything"

Yes that is true BUT.....

If you have, let say VLAN100 (security 100),

VLAN2 (security level 0) and VLAN3 (security

level 10) and you have the following:

nat (vlan100) 1 0 0

global (vlan2) 1 interface

Once you do that, you have to do the following if you want to go from vlan100 to

vlan3 without any translation:

static (vlan100,vlan3) x.x.x.x x.x.x.x net/24

In other words, you're back to version 2.x

over again.

my 2c.

CCIE Security

static (vlan100,vlan3) 1.x.x

467
Views
0
Helpful
2
Replies
CreatePlease login to create content