Cisco Support Community
Identity Nat on FWSM


I am using an FWSM with the 3.2.5 release and I found some strange static NAT behavior.

My nat configuration looks like this:

static (inside,outside) netmask

route inside x.y.z.v

Everything works fine for some time, but then the FWSM creates an identity xlate which looks like this:

NAT from inside: to outside: flags si

NAT from inside: to outside: flags Ii

Then connections don't work any more, because the is no longer translated to

If I remove the route, this identity xlate entry is not created.

So for me it's some kind of bug, because the PIX has no reason to create a second xlate entry if I am using statics.

From PIX 6.3 ( , look at the NAT order)

So the question is:

Is this behavior right? Or has Cisco changed the NAT order of their firewalls? Why should a route be preferred to a static NAT entry?

Thanks a lot & Br
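A quick way to check for the symptom described above, as an added example that is not part of the original post: the script below parses `show xlate` output together with the configured `static` lines and reports every host that has its static translation and an identity xlate active at the same time. The addresses, `static` lines and xlate lines are constructed samples (the poster's own were stripped from the page), and the flag letters are read according to the FWSM 3.x `show xlate` legend as I know it (s = static, I = identity, i = inside).

```python
"""Spot hosts whose configured static NAT is shadowed by an identity xlate.

Added example, not from the original thread. All config and xlate lines
below are constructed samples; the poster's real addresses were stripped
from the page. Flag letters follow the FWSM 3.x / PIX 7.x `show xlate`
legend: s = static, I = identity, i = inside.
"""
import re
from collections import defaultdict

# Constructed sample config: two host (/32) statics from inside to outside.
# Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
SAMPLE_CONFIG = """\
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
static (inside,outside) 192.0.2.20 10.1.1.20 netmask 255.255.255.255
"""

# Constructed sample of `show xlate`:
#  - 10.1.1.10 carries its static xlate AND a second identity xlate
#    (the symptom described in the post);
#  - 10.1.1.20 only has its static xlate, as expected;
#  - 10.1.1.30 has no static configured, so an identity xlate is normal.
SAMPLE_XLATE = """\
NAT from inside:10.1.1.10 to outside:192.0.2.10 flags si
NAT from inside:10.1.1.10 to outside:10.1.1.10 flags Ii
NAT from inside:10.1.1.20 to outside:192.0.2.20 flags si
NAT from inside:10.1.1.30 to outside:10.1.1.30 flags Ii
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)"
)
XLATE_RE = re.compile(
    r"^NAT from (?P<real_if>[^:]+):(?P<real>\S+) "
    r"to (?P<mapped_if>[^:]+):(?P<mapped>\S+) flags (?P<flags>\S*)$"
)


def parse_statics(config):
    """Map (real_if, mapped_if, real_addr) -> mapped_addr for host statics."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m["mask"] == "255.255.255.255":
            statics[(m["real_if"], m["mapped_if"], m["real"])] = m["mapped"]
    return statics


def parse_xlate(output):
    """Group xlate entries as (mapped_addr, flags) by (real_if, mapped_if, real_addr)."""
    xlates = defaultdict(list)
    for line in output.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            key = (m["real_if"], m["mapped_if"], m["real"])
            xlates[key].append((m["mapped"], m["flags"]))
    return xlates


def shadowed_statics(config, output):
    """Return real addresses with a configured static that also have an identity xlate.

    Any host returned here will leave the box untranslated once the identity
    entry is hit, which is the breakage the poster describes.
    """
    statics = parse_statics(config)
    xlates = parse_xlate(output)
    hits = []
    for key, mapped in statics.items():
        real_addr = key[2]
        entries = xlates.get(key, [])
        # 's' with the configured mapped address = the static is in the table
        has_static = any("s" in flags and m == mapped for m, flags in entries)
        # 'I' translating the host to itself = an identity xlate is also live
        has_identity = any("I" in flags and m == real_addr for m, flags in entries)
        if has_static and has_identity:
            hits.append(real_addr)
    return sorted(hits)


if __name__ == "__main__":
    for addr in shadowed_statics(SAMPLE_CONFIG, SAMPLE_XLATE):
        print(f"{addr}: static translation present but identity xlate also active")
```

Feed it the real `show running-config | include ^static` and `show xlate` output instead of the samples; any address it prints is one where the FWSM has stopped honoring the static, and is the one to look at when checking whether the suspect route is the trigger.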



Re: Identity Nat on FWSM

With FWSM version 3.x or higher, the blade, by default, will route traffic, so you do NOT have to do anything. You still need an ACL to go from low to high but NOT from high to low. If you still use FWSM version 2.x, you still NEED to perform no NAT to go from high to low.

The static statement works by creating pre-existing translations, so that when traffic enters, it matches an existing translation. If you translate the entire class B network, traffic destined for the farm would match translations for both the farm and the admin networks. This would produce unexpected and unpredictable behavior.


Re: Identity Nat on FWSM

"With FWSM version 3.x or higher, the blade, by default, will route traffics so you do NOT have to do anything"

Yes, that is true, BUT...

If you have, let's say, VLAN100 (security level 100), VLAN2 (security level 0) and VLAN3 (security level 10) and you have the following:

nat (vlan100) 1 0 0

global (vlan2) 1 interface

Once you do that, you have to do the following if you want to go from vlan100 to vlan3 without any translation:

static (vlan100,vlan3) x.x.x.x x.x.x.x net/24

In other words, you're back to version 2.x over again.

my 2c.

CCIE Security
