Cisco Support Community
Policy NAT not working on FWSM

Hi all:

We have an FWSM pair running version 3.1(17). Policy NAT (PAT) is configured but it is not working. This is the config (nat-control is enabled):

access-list NAT-VOICE extended permit icmp object-group Cluster object-group Range-Voice
access-list NAT-VOICE extended permit tcp object-group Cluster object-group Range-Voice eq rsh
access-list NAT-VOICE extended permit ip object-group Cluster object-group Range-Voice

The object-group called Cluster contains the 212.145.x.x addresses (located on interface si, security-level 10) and the object-group called Range-Voice contains the 212.30.x.x addresses (located on interface outside, security-level 0).

The nat + global commands are the following:

nat (si) 1 access-list NAT-VOICE

global (outside) 1 212.145.x.x

When I launch a telnet, ping, rsh or whatever from a server in the Cluster object-group to one in Range-Voice, I have found that no NAT is taking place. In fact, on the destination server I can see the requests arriving from the server's real IP, not the NAT IP.

The show conn command shows me the connection between the real source IP and the destination. The show xlate command doesn't show anything...

Thanks a lot,

Francisco

6 REPLIES

Re: Policy NAT not working on FWSM

Just one thing: the IP in the global command is on the same network as the si interface. That is (I'll change the IPs for this example), the interface si has 192.168.1.1/24 and the IP in the global command is 192.168.1.200. Could that be the problem?

Re: Policy NAT not working on FWSM


Francisco

Not sure what you mean by -

In the object-group called Cluster is the 212.145.x.x 

The Cluster object-group should contain the real IP addresses of your servers on the si subnet. What do your object-groups look like?

Jon

Re: Policy NAT not working on FWSM

Jon, imagine the following (I have replaced the public addresses in object-group Cluster with private ones):

object-group Cluster

    group-object NodeA

    group-object NodeB

NodeA is 192.168.1.100

The nat + global is configured this way:

nat (si) 1 access-list Cluster

global (outside) 1 192.168.1.199

I think the problem is that the NAT IP is inside the range of the si interface, isn't it?

Re: Policy NAT not working on FWSM

fdelcura@satec.es wrote:

Jon, imagine the following (I have replaced the public addresses in object-group Cluster with private ones):

object-group Cluster

    group-object NodeA

    group-object NodeB

NodeA is 192.168.1.100

The nat + global is configured this way:

nat (si) 1 access-list Cluster

global (outside) 1 192.168.1.199

I think the problem is that the NAT IP is inside the range of the si interface, isn't it?

Francisco

The global NAT IP should not be from the same subnet as the si subnet. It should be from the outside subnet or another subnet that is routed back to the outside interface.

Jon
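To illustrate Jon's answer, here is the posted nat/global pair beside a corrected version in which the global address is taken from the outside subnet instead of the si subnet. This is an added example, not configuration from the original thread: the outside subnet 203.0.113.0/24 and the global address 203.0.113.10 are assumed placeholders, and the interface names and the NAT-VOICE ACL are taken from the first post.

```cisco
! --- As posted: global address on the si subnet ---
! interface si is 192.168.1.1/24, and 192.168.1.199 sits on that same subnet,
! so translated packets carry a source that belongs to the inside network.
nat (si) 1 access-list NAT-VOICE
global (outside) 1 192.168.1.199

! --- Corrected: global address from the outside subnet (assumed 203.0.113.0/24) ---
! The FWSM answers ARP on the outside interface for a global address that is on
! the directly connected outside subnet, so return traffic comes back to it.
! The single "permit ip" line already covers the icmp and tcp/rsh lines.
access-list NAT-VOICE extended permit ip object-group Cluster object-group Range-Voice
nat (si) 1 access-list NAT-VOICE
global (outside) 1 203.0.113.10

! Existing connections keep their old (or missing) translation until cleared.
clear xlate

! --- Checks after the change ---
show running-config nat
show running-config global
show xlate
show conn
```

After `clear xlate`, a new telnet from a Cluster host should produce a `PAT Global 203.0.113.10(...) Local 192.168.1.100(...)` entry in `show xlate`. If connections from si still reach the outside untranslated while nat-control is enabled, look for a `nat (si) 0` rule or a `static (si,outside)` entry that matches the cluster hosts, since those take precedence over the policy NAT rule.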

Re: Policy NAT not working on FWSM

Jon, the FWSM was upgraded from 3.1(4) to 3.1(17) because the rsh protocol through NAT did not work and the new version fixes an rsh bug.

The customer told me the NAT always worked before the upgrade and with the new version it does not. Is it possible that this nat + global can work?

Just to clarify, note the access-list I typed in the first post:

access-list NAT-VOICE extended permit ip object-group Cluster object-group Range-Voice

The customer assures me the NAT was working properly although the IP in the global command is inside the range of the source interface; the only protocol that did not work was rsh. Once the upgrade was done, nothing works through NAT: telnet, ICMP, SSH or whatever...

Edit: the rsh inspect was removed, but without result.

Re: Policy NAT not working on FWSM

Hi:

I saw that the RSH protocol doesn't work with PAT with inspect enabled. If I disable it, would it work if I open the dynamic ports it uses, right? (As well as port 514 it uses ports 1023 and 1022.)

Finally, do you think it's possible that the PAT I posted could work?
