Cisco Support Community

FWSM - Static Nat to Global

Running FWSM 3.1

Need some advice on how I perform a static NAT and then globally NAT the source address. Basically, I need to provide the following NAT

10.1.1.1 -> 10.1.2.1

...where 10.1.1.0 is the outside and 10.1.2.0 is the inside. However, I'm routing across to the NATed address from a remote host (say 10.1.3.1) that also happens to be a connected interface on the same FWSM. So, 10.1.3.1 routes across the network, around the FW, to access the NAT. The request is processed and passed through the FWSM and the return packet from 10.1.2.1 comes back out the 'wrong' interface (10.1.3.0, sort of asymmetric routing, which I've solved with ASR). However, while ASR solves the issue of routing across the FW to a different interface than which the connection originated on, the packet is dropped by the original host (10.1.3.1) as the source address is not the NATed address (10.1.1.1) but the real IP address (10.1.2.1).

So, I figure in order to solve this issue, I need to ensure the packet is processed by the same interface that performs the NAT, both in and out, and I therefore need to change the source IP address as it enters or leaves the inside/outside interface(s) on the FWSM. I've read the docs and worked out I need to provide a nat/global for the packet to change the source IP from 10.1.3.1 to say 10.1.1.2, as such fixing the routing problem so the FWSM will route the packet back out the correct interface and apply the Static NAT IP. However, when the FWSM processes NAT it applies a 'best match policy' where a Static NAT will override a Policy/Global NAT, so the FWSM effectively ignores the Policy NAT I attempt to apply because it already matches a Static NAT and I can't change the source address.

Does anyone have any ideas on how I can get round this? Is there a way I can perform Policy NAT as the packet enters the 10.1.2.0 interface after a Static NAT is performed on the 10.1.1.0 interface?

Hope all that makes sense

Rich
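The setup described in the post, reconstructed as an added FWSM 3.1 configuration sketch that is not the poster's own config and is not a fix: VLAN numbers, interface names, interface addresses and the access-list name are assumptions; the static entry, the attempted nat/global for the 10.1.3.1 source and the asr-group follow what the post describes.

```cisco
! Hypothetical reconstruction of the post's topology (VLANs, nameifs and
! interface addresses assumed). 10.1.3.1 is on a connected FWSM interface
! but reaches 10.1.1.1 by routing around the FWSM into the outside interface.
interface Vlan10
 nameif outside
 security-level 0
 ip address 10.1.1.254 255.255.255.0
 asr-group 1
!
interface Vlan30
 nameif thirdnet
 security-level 50
 ip address 10.1.3.254 255.255.255.0
 asr-group 1
!
interface Vlan20
 nameif inside
 security-level 100
 ip address 10.1.2.254 255.255.255.0
!
! From the post: real inside host 10.1.2.1 is published on outside as 10.1.1.1.
static (inside,outside) 10.1.1.1 10.1.2.1 netmask 255.255.255.255
!
! From the post: the attempted policy NAT of the 10.1.3.1 source as it arrives
! on outside, so that 10.1.2.1 replies toward the outside interface instead of
! routing straight back via the 10.1.3.0 interface. "outside" at the end of the
! nat line selects outside NAT; the global address is the post's "say 10.1.1.2".
! The inside host must route 10.1.1.0/24 to the FWSM inside interface for this
! to return through the same interface.
access-list SRC-10-1-3-1 extended permit ip host 10.1.3.1 any
nat (outside) 1 access-list SRC-10-1-3-1 outside
global (inside) 1 10.1.1.2
!
! As the post reports, the FWSM's best-match ordering selects the static for
! this flow ahead of the policy NAT, so the source is left as 10.1.3.1 and the
! reply still leaves via the wrong interface.
```

The asr-group lines correspond to the ASR the poster says already handles the return path landing on the 10.1.3.0 interface; they do not change the source address problem the post asks about.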

  • Other Security Subjects