02-03-2009 12:49 PM - edited 03-11-2019 07:45 AM
I am doing a source address NAT in FWSM with the following. But sniffing the packet outside FWSM, I don't see the source IP being NAT'ed. Command:
static (DMZ2,DMZ3) 10.1.1.5.0 192.168.50.0 netmask 255.255.255.0
DMZ2 is where the traffic is originated and 192.168.50.x is the subnet on DMZ2. DMZ3 is the other interface whose subnet is 192.168.60.x.
The source IP after NAT'ing should be on 10.1.1.x subnet.
What's wrong in my entry?
02-03-2009 08:36 PM
Hi,
This translates DMZ2 (192.168.50.0/24) to the 10.1.1.0/24 subnet when it accesses DMZ3. Please note that your static entry contains five octets in 10.1.1.5.0. Please use
static (DMZ2,DMZ3) 10.1.1.0 192.168.50.0 netmask 255.255.255.0
and try. Please verify other NAT statements also.
Regards
Jithesh
02-03-2009 08:50 PM
Yup. That was a typo. The actual config is 10.1.5.0.
The source address NAT is not happening. In my case, DMZ2 is not accessing DMZ3, but it is routed out of DMZ3 to a remote network a couple of hops away.
I believe this NAT statement will have a bi-directional effect, i.e. traffic 'originated' from both ends.
02-03-2009 09:11 PM
Hi
For testing, could you please do a static identity NAT like
static (DMZ2,DMZ3) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
and make sure that all other config is correct.
Regards
Jithesh
02-04-2009 05:27 AM
I am not able to configure static identity NAT as it comes back saying
ERROR: duplicate of existing static.
The previous static configuration exists for the actual NAT'ing to the 10.x network.
02-05-2009 12:01 AM
Is it possible for you to remove that config, do it this way, and check the NATing? Afterwards you can replace the old config.
02-05-2009 12:38 AM
If I remove the old config, then how will the NAT'ing happen which was actually intended (i.e. to a different IP)?
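An added example, not code from this thread or from Cisco, that models the net-to-net static translation being debugged above: it parses the `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask` form, rejects the five-octet address from the first post, shows which mapped address a DMZ2 host would appear as on DMZ3, and reproduces the "duplicate of existing static" rejection that blocked the identity-NAT test. It assumes (not stated on the page) that host bits are carried over one-to-one and that a second static on the same interface pair whose real network overlaps an existing one is refused; the interface names and addresses are those from the thread.

```python
"""Toy model of FWSM/PIX-style ``static`` net-to-net NAT (illustrative, not Cisco code).

Modelled syntax:  static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
Assumptions not on the page: host bits survive translation unchanged, and a
second static for the same interface pair with an overlapping real network is
rejected with the same error text the poster saw.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)\s*$"
)


@dataclass(frozen=True)
class Static:
    real_ifc: str                       # interface where the real hosts live (DMZ2)
    mapped_ifc: str                     # interface where the mapped address is seen (DMZ3)
    mapped_net: ipaddress.IPv4Network   # e.g. 10.1.5.0/24
    real_net: ipaddress.IPv4Network     # e.g. 192.168.50.0/24

    @property
    def identity(self) -> bool:
        """True for an identity static (mapped == real)."""
        return self.mapped_net == self.real_net


def parse_static(line: str) -> Static:
    """Parse one static statement; malformed addresses raise ValueError."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    # ipaddress rejects five-octet strings such as 10.1.1.5.0 (AddressValueError
    # is a ValueError subclass); strict=True also rejects host bits in a network.
    mapped = ipaddress.IPv4Network((m["mapped"], m["mask"]), strict=True)
    real = ipaddress.IPv4Network((m["real"], m["mask"]), strict=True)
    return Static(m["real_ifc"].strip(), m["mapped_ifc"].strip(), mapped, real)


def add_static(statics: List[Static], line: str) -> Static:
    """Add a static to the table, refusing overlaps on the same interface pair."""
    new = parse_static(line)
    for s in statics:
        same_pair = (s.real_ifc, s.mapped_ifc) == (new.real_ifc, new.mapped_ifc)
        if same_pair and s.real_net.overlaps(new.real_net):
            raise ValueError("ERROR: duplicate of existing static.")
    statics.append(new)
    return new


def translate(statics: List[Static], real_ifc: str, mapped_ifc: str,
              src: str) -> ipaddress.IPv4Address:
    """Source address a packet from `src` (entering on real_ifc) shows on mapped_ifc."""
    addr = ipaddress.IPv4Address(src)
    for s in statics:
        if s.real_ifc == real_ifc and s.mapped_ifc == mapped_ifc and addr in s.real_net:
            host_bits = int(addr) & int(s.real_net.hostmask)
            return ipaddress.IPv4Address(int(s.mapped_net.network_address) | host_bits)
    return addr  # no matching static: the model passes the address through unchanged


def untranslate(statics: List[Static], mapped_ifc: str,
                dst: str) -> ipaddress.IPv4Address:
    """Reverse direction: a packet arriving on mapped_ifc for a mapped address."""
    addr = ipaddress.IPv4Address(dst)
    for s in statics:
        if s.mapped_ifc == mapped_ifc and addr in s.mapped_net:
            host_bits = int(addr) & int(s.mapped_net.hostmask)
            return ipaddress.IPv4Address(int(s.real_net.network_address) | host_bits)
    return addr


def try_add(statics: List[Static], line: str) -> Optional[str]:
    """Return the error text if the statement is rejected, else None."""
    try:
        add_static(statics, line)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    table: List[Static] = []
    # Constructed inputs taken from the thread.
    print(try_add(table, "static (DMZ2,DMZ3) 10.1.1.5.0 192.168.50.0 netmask 255.255.255.0"))
    print(try_add(table, "static (DMZ2,DMZ3) 10.1.5.0 192.168.50.0 netmask 255.255.255.0"))
    print(translate(table, "DMZ2", "DMZ3", "192.168.50.7"))      # expected on DMZ3: 10.1.5.7
    print(untranslate(table, "DMZ3", "10.1.5.7"))                  # back to 192.168.50.7
    print(try_add(table, "static (DMZ2,DMZ3) 192.168.50.0 192.168.50.0 netmask 255.255.255.0"))
```

Running it walks through the thread in order: the five-octet line is rejected at parse time, the corrected 10.1.5.0 static maps 192.168.50.7 to 10.1.5.7 (and back), and the identity static for the same pair is refused because its real network overlaps the one already installed, which is the "duplicate" condition the poster hit.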