Need help on NAT in FWSM

Hi Guys

The attached diagram represents my planned lab setup, in which VLAN 80 will be the outside interface configured with public IPs (2.2.2.0/28). 2.2.2.1 will be the VIP (HSRP) IP of the router interface, and 2.2.2.2 & .3 will be configured on the router Ethernet interfaces. The router will be connected to the MSFC (6500). I will have 2.2.2.4 and 2.2.2.5 for my active and standby FWSM outside (VLAN 80) interfaces.

I have 4 different VLANs connected onto the L2 switch: 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24 and 10.1.4.0/24. Now I want 10.1.1.0/24 to go out and access the outside networks, which are external to my network, using one of the public IPs I have with me from the pool (2.2.2.0/27) (2.2.2.7), and my other network 10.1.2.0/24 is being accessed from the outside network on a few port numbers, for which I have planned to use the public IP 2.2.2.8.

Now my confusion is how to allow them using NAT in the FWSM, both inbound and outbound NATs.

10.1.1.0/24 is the high security zone and the others are DMZ.

Please help me with sample configs/inputs/suggestions.

My second query here is about enabling access between zones. Communication from the high security zone to the low security zone requires an inbound ACL on the high security zone interface and nothing on the low security zone interface; communication originated from the low security zone to the high zone requires an inbound ACL on the low security zone and an outbound ACL on the high security zone.

Please let me know whether I am right in my understanding.

Thanks for your Help

NJ

1 REPLY

Re: Need help on NAT in FWSM

NJ

You don't say which interfaces 10.1.1.0/24 and 10.1.2.0/24 are on, so for this example:

inside1 = 10.1.1.0/24

inside2 = 10.1.2.0/24

So for 10.1.1.0/24 outbound:

nat (inside1) 1 10.1.1.0 255.255.255.0

global (outside) 1 2.2.2.7

For your servers on 10.1.2.0/24 being accessed from outside:

static (inside2,outside) tcp 2.2.2.8 80 10.1.2.10 80

static (inside2,outside) tcp 2.2.2.8 443 10.1.2.11 443

The above is just an example.

First static allows connections to 2.2.2.8 on port 80 (www) to go to 10.1.2.10 on port 80.

Second static allows connections to 2.2.2.8 on port 443 (https) to go to 10.1.2.11 on port 443.

You will need to modify to meet your needs.

"Communication from the high security zone to the low security zone requires an inbound ACL on the high security zone interface and nothing on the low security zone interface"

On the FWSM, correct. Note that on a standalone PIX/ASA you don't need the ACL, as traffic by default is allowed from higher to lower, but not on the FWSM.

"communication originated from the low security zone to the high zone requires an inbound ACL on the low security zone and an outbound ACL on the high security zone."

Not correct. Providing the traffic is stateful, then if you allow the traffic in via an ACL on the lower security interface it will automatically be allowed back out.

Jon
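Putting Jon's NAT lines together with the access lists the FWSM needs (it has no implicit higher-to-lower permit), here is a complete configuration fragment as an added example; it is not from the original post or from Cisco. The VLAN numbers for the inside interfaces, the interface addresses, the security levels and the default route are assumptions, and the /28 mask follows NJ's first description of VLAN 80.

```cisco
! Outside interface on VLAN 80, active/standby addresses as described by NJ.
interface Vlan80
 nameif outside
 security-level 0
 ip address 2.2.2.4 255.255.255.240 standby 2.2.2.5
!
! High security zone (assumed VLAN 10 and interface address).
interface Vlan10
 nameif inside1
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! DMZ holding the published servers (assumed VLAN 20, level 50).
interface Vlan20
 nameif inside2
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
! Outbound: everything from 10.1.1.0/24 is PAT'd to the single public IP 2.2.2.7.
nat (inside1) 1 10.1.1.0 255.255.255.0
global (outside) 1 2.2.2.7
!
! Inbound: port-level statics publish two DMZ servers behind 2.2.2.8.
static (inside2,outside) tcp 2.2.2.8 80 10.1.2.10 80 netmask 255.255.255.255
static (inside2,outside) tcp 2.2.2.8 443 10.1.2.11 443 netmask 255.255.255.255
!
! FWSM requires an explicit ACL even from higher to lower security.
access-list inside1_in extended permit ip 10.1.1.0 255.255.255.0 any
access-group inside1_in in interface inside1
!
! Outside ACL references the mapped (public) address and only the published ports.
! Return traffic for these connections is permitted by the stateful inspection,
! so no outbound ACL is needed on inside2.
access-list outside_in extended permit tcp any host 2.2.2.8 eq www
access-list outside_in extended permit tcp any host 2.2.2.8 eq https
access-group outside_in in interface outside
!
! Default route toward the routers' HSRP VIP (assumed).
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
```

Verify the translations with `show xlate` and the ACL hit counts with `show access-list outside_in` after generating test traffic from a host on VLAN 10 and from outside.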
