Cisco Support Community
Community Member

NAT question with 2 firewalls

Hi all,

We have 2 firewalls in our network. The internal firewall is an FWSM with inside and outside interface and all the NAT is performed on the FWSM. The DMZ exists on the external firewall. DMZ uses all public addresses.

I am in the process of putting a VPN concentrator on the DMZ for remote access. The address pool for VPN clients will also be a public IP which is carved out of the DMZ subnet. The VPN clients need to access several 10-net private IP servers and it is not possible to do a static NAT.

When clients VPN in, they have to be able to access the 10-net servers. But FWSM NATs all 10-net traffic and so the 10-net does not exist beyond the FWSM.

How can I manipulate NAT and routing so that I can access the 10-net servers?

Any help would be appreciated.


Re: NAT question with 2 firewalls

What does the FWSM config / NAT config for 10-net look like?

Depending on the config, you may or may not be able to do that. Need to have a look at the FWSM's config first.



Community Member

Re: NAT question with 2 firewalls

The current NAT on the FWSM is as follows

All 10-net addresses are NATed to public address where some are static NAT, some are dynamic NAT and some are PAT.

Dynamic NAT has x.x.216.31 through 250 and x.x.217.31 through 250. All port 80 and 443 traffic from 10-net gets a PAT address of x.x.216.251 or x.x.217.251. We also have x.x.216.252 through 254 for PAT for non-web port traffic.

So, here is my NAT config

! nat id 1: policy NAT for flows matching the Web_Outbound ACL (PATed by the id-1 globals)
nat (inside) 1 access-list Web_Outbound
! nat id 2: all remaining 10-net hosts (real address/mask inferred from the description above)
nat (inside) 2 10.0.0.0 255.0.0.0
! id-1 globals are single addresses, so web traffic is PATed straight away
global (outside) 1 x.x.216.251
global (outside) 1 x.x.217.251
! id-2 ranges give one-to-one dynamic NAT; the single addresses are used for PAT once the ranges are exhausted
global (outside) 2 x.x.216.31-x.x.216.250
global (outside) 2 x.x.217.31-x.x.217.250
global (outside) 2 x.x.216.252
global (outside) 2 x.x.216.253
global (outside) 2 x.x.216.254
! policy-NAT ACL: source any, destination any, destination port 80 / 443
access-list Web_Outbound permit tcp any any eq 80
access-list Web_Outbound permit tcp any any eq 443
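The following model of the FWSM NAT lookup is an added illustration, not code from the original thread or from Cisco. It applies the FWSM/PIX lookup order (NAT exemption via `nat 0 access-list` first, then policy NAT via `nat <id> access-list`, then regular dynamic NAT by nat id; within a global id, address ranges give one-to-one dynamic NAT and single addresses give PAT once the ranges run out) to the nat/global lines posted above, and shows why a VPN client on the public DMZ cannot open a connection to a real 10-net address through this config, while the 10-net hosts themselves are translated when they talk to the VPN pool. Assumptions that are not in the post: the public ranges x.x.216.0/24 and x.x.217.0/24 are stood in for by 192.0.2.0/24 and 198.51.100.0/24, the VPN pool is 198.51.100.128/25, and the optional `exempt_vpn_pool` rule is something the poster has not configured, included only to show how the lookup changes when such an exemption exists.

```python
"""FWSM-style NAT lookup modelled on the nat/global lines posted above.

Added illustration (not from the thread). Public ranges and the VPN pool are
assumed placeholders: x.x.216.0/24 -> 192.0.2.0/24, x.x.217.0/24 -> 198.51.100.0/24,
VPN client pool 198.51.100.128/25.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Flow:
    src: str          # real source on the inside, or the outside peer for inbound
    dst: str
    dport: int


@dataclass
class NatRule:
    nat_id: int                      # 0 = exemption (identity, both directions)
    match: Callable[[Flow], bool]    # the nat line's ACL or real-address test
    policy: bool = False             # True for "nat <id> access-list ..."


@dataclass
class Fwsm:
    rules: list
    pools: dict                      # nat_id -> ["a.b.c.d", "a.b.c.d-a.b.c.e", ...]
    xlate: dict = field(default_factory=dict)   # (nat_id, real) -> mapped address

    def __post_init__(self):
        # FWSM order: exemption beats policy NAT, which beats regular dynamic NAT.
        self.rules = sorted(self.rules,
                            key=lambda r: 0 if r.nat_id == 0 else 1 if r.policy else 2)

    def _pool(self, nat_id):
        ranges, singles = [], []
        for entry in self.pools.get(nat_id, []):
            if "-" in entry:
                lo, hi = (IPv4(x) for x in entry.split("-"))
                ranges.append((int(lo), int(hi)))
            else:
                singles.append(IPv4(entry))
        return ranges, singles

    def outbound(self, flow):
        """inside -> outside: returns (kind, mapped source address)."""
        src = IPv4(flow.src)
        for rule in self.rules:
            if not rule.match(flow):
                continue
            if rule.nat_id == 0:
                return ("exempt", flow.src)
            key = (rule.nat_id, src)
            if key in self.xlate:                       # existing dynamic xlate
                return ("dynamic", str(self.xlate[key]))
            ranges, singles = self._pool(rule.nat_id)
            used = set(self.xlate.values())
            for lo, hi in ranges:                       # one-to-one from the ranges
                for n in range(lo, hi + 1):
                    if IPv4(n) not in used:
                        self.xlate[key] = IPv4(n)
                        return ("dynamic", str(IPv4(n)))
            if singles:                                 # ranges exhausted or absent: PAT
                return ("pat", str(singles[0]))
            return ("drop", None)                       # no global for this nat id
        return ("drop", None)                           # nat-control: no translation group

    def inbound(self, flow):
        """outside -> inside to a real 10-net address: only an exemption (or a
        static, which the poster says is not possible) lets the connection in."""
        reverse = Flow(flow.dst, flow.src, 0)
        for rule in self.rules:
            if rule.nat_id == 0 and rule.match(reverse):
                return ("exempt", flow.dst)
        return ("drop", None)


def posted_config(exempt_vpn_pool=False):
    """The poster's nat/global lines. exempt_vpn_pool adds an ASSUMED
    'nat (inside) 0 access-list' for 10-net <-> VPN-pool traffic."""
    ten = Net("10.0.0.0/8")
    vpn_pool = Net("198.51.100.128/25")                 # assumed VPN client pool
    rules = [
        # nat (inside) 1 access-list Web_Outbound  (tcp any any eq 80 / eq 443)
        NatRule(1, lambda f: f.dport in (80, 443), policy=True),
        # nat (inside) 2 <10-net>
        NatRule(2, lambda f: IPv4(f.src) in ten),
    ]
    if exempt_vpn_pool:
        rules.append(NatRule(0, lambda f: IPv4(f.src) in ten and IPv4(f.dst) in vpn_pool))
    pools = {
        1: ["192.0.2.251", "198.51.100.251"],
        2: ["192.0.2.31-192.0.2.250", "198.51.100.31-198.51.100.250",
            "192.0.2.252", "192.0.2.253", "192.0.2.254"],
    }
    return Fwsm(rules, pools)


if __name__ == "__main__":
    fw = posted_config()
    print(fw.outbound(Flow("10.1.1.5", "203.0.113.9", 80)))      # web: PAT
    print(fw.outbound(Flow("10.1.1.5", "198.51.100.140", 22)))   # to VPN pool: dynamic NAT
    print(fw.inbound(Flow("198.51.100.140", "10.1.1.5", 22)))    # VPN client -> 10-net: dropped
    print(posted_config(True).inbound(Flow("198.51.100.140", "10.1.1.5", 22)))
```

Running the module shows the two halves of the poster's problem: a 10-net server answering a VPN client is pulled into the id-2 dynamic pool (so the client never sees a 10.x source), and a VPN client initiating towards a 10.x address matches nothing on the outside and is dropped, because dynamic translations exist only after an inside host has created them. The `exempt_vpn_pool` variant is there to show the shape of an identity translation in this lookup model, not as a statement of what the poster's FWSM is configured to do.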
