https://community.cisco.com/t5/network-security/fwsm-pat-overloading/m-p/2397351#M271083 <HTML><HEAD></HEAD><BODY><P>Hi jouni,</P><P></P><P>I managed to make it work without the icmp inspection, there was an IP addressing issue on this network **sights**</P><P></P><P>Configuration was OK, and thank you once again for your feedback.</P><P></P><P>Florian</P></BODY></HTML> Sun, 02 Feb 2014 23:16:53 GMT FlorianBerthelot 2014-02-02T23:16:53Z https://community.cisco.com/t5/network-security/fwsm-pat-overloading/m-p/2397349#M271072 <P>Hello,</P><P></P><P>I ahve an issue in configuring PAT on my FWSM.</P><P>I need to map many private IPs to one public IP.</P><P></P><P>Here the conf :</P><P>nat (CLT-INSIDE) 3 172.20.120. 255.255.255.0 outside</P><P>global (OUTSIDE) 3 AAA.BBB.CCC.DDD</P><P></P><P>I tyried with and without the outside keyword, and using a netmask 255.255.255.255 for my public address.</P><P></P><P>access-list CLT-INSIDE_access_in line 1 extended permit icmp any any</P><P>access-list CLT-INSIDE_access_in line 2 extended permit ip 172.20.120.0 255.255.255.0 any</P><P></P><P>(permit ip any any for test purposes only)</P><P></P><P>I cannot ping any public IP from my inside machine.</P><P>I followed my common sense and this guide :</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/nat.html#wp1158667" target="_blank">http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/nat.html#wp1158667</A></P><P></P><P></P><P>Any troubleshooting tips ?</P><P></P><P>Thanks a lot</P><P></P><P>Florian</P> Tue, 12 Mar 2019 03:34:10 GMT https://community.cisco.com/t5/network-security/fwsm-pat-overloading/m-p/2397349#M271072 FlorianBerthelot 2019-03-12T03:34:10Z https://community.cisco.com/t5/network-security/fwsm-pat-overloading/m-p/2397350#M271077 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The parameter <STRONG>"outside"</STRONG> after the <STRONG>"nat"</STRONG> command should to my understanding be only needed when the destinaton interface (the one holding the <STRONG>"global"</STRONG> command ) is of lower <STRONG>"security-level"</STRONG> than the source interface (the one holding the <STRONG>"nat"</STRONG> command)</P><P></P><P>Are we talking about a new setup which you are trying to get working or an existing setup for which you are configuring a new Dynamic PAT that doesnt seem to work or get applied?</P><P></P><P>Naturally the annoying thing with this is the FWSM. Mainly because <STRONG>"packet-tracer"</STRONG> can not be used with it <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Have you enabled ICMP Inspection for the FWSM so that the reply/return messages/replies for ICMP can pass the firewall? I think since you are doing PAT that you will need ICMP inspection for this.</P><P></P><P>You should be able to view the current Inspection configurations with the following command</P><P></P><P><STRONG>show run policy-map</STRONG></P><P></P><P>If you have the default policy configurations attached globally you could add the following lines</P><P></P><P><STRONG>inspect icmp</STRONG></P><P></P><P><STRONG>inspect icmp error</STRONG></P><P></P><P>I am not sure if we should look for any problems with the NAT configurations (some other configuration than the above that would cause problems) .</P><P></P><P>- Jouni</P></BODY></HTML> Wed, 22 Jan 2014 07:37:32 GMT https://community.cisco.com/t5/network-security/fwsm-pat-overloading/m-p/2397350#M271077 Jouni Forss 2014-01-22T07:37:32Z https://community.cisco.com/t5/network-security/fwsm-pat-overloading/m-p/2397351#M271083 <HTML><HEAD></HEAD><BODY><P>Hi jouni,</P><P></P><P>I managed to make it work without the icmp inspection, there was an IP addressing issue on this network **sights**</P><P></P><P>Configuration was OK, and thank you once again for your feedback.</P><P></P><P>Florian</P></BODY></HTML> Sun, 02 Feb 2014 23:16:53 GMT https://community.cisco.com/t5/network-security/fwsm-pat-overloading/m-p/2397351#M271083 FlorianBerthelot 2014-02-02T23:16:53Z