topic NAT configuration issue in Network Security

NAT configuration issue

Colin Higgins — Tue, 12 Mar 2019 01:24:19 GMT

Is it possible to NAT an address within a subnet that does not have a corresponding interface (or loopback) on the device that is performing that NAT?

Example:

I want to NAT an address of a machine within a firewalled vlan on my FWSM like so:

Upstream router----------FWSM Vlan100--------FWSM Vlan200

172.29.89.35------------->172.29.89.36---------->172.29.87.133

I want to present 172.29.87.133 as 172.25.100.100 to traffic coming in from the upstream router.

This network 172.25.100.x does not exist anywhere on the FWSM, but the router routes to it through 172.29.89.36

Can I do this?

NAT configuration issue

Jouni Forss — Fri, 05 Apr 2013 20:41:57 GMT

Hi,

Not sure if I understood you correctly

Do you mean that the following is true

Theres a network 172.29.89.x/yy between the Upstream Router and the FWSM Vlan100 interface connected to it
You have a network 172.29.87.x/yy on the FWSM connected to Vlan200
You have a route telling that a network 172.25.100.x/yy is found through the FWSM Vlan100 (172.29.89.36)
You want to NAT the host 172.29.87.133 located on Vlan200 to the IP address 172.25.100.100 when its crossing the FWSM towards the Upstream Router

If this is correct then I dont see any problem.

You should be able to configure the the NAT just fine. Since the Upstream router has a route for that NAT address pointing towards the FWSM then all should be fine.

- Jouni

Re: NAT configuration issue

Julio Carvajal — Fri, 05 Apr 2013 20:42:17 GMT

Hello Colin,

Yes, you can do that. Ofcourse that will depend of Proxy-ARP.

Even if you do not have a route you could do it with proxy-arp, without Proxy ARP then you must enter a route on the upstream router

As long as it's supported you can play with that

Remember to rate all of the helpful posts

Julio Carvajal

NAT configuration issue

Colin Higgins — Fri, 05 Apr 2013 20:53:07 GMT

OK, thanks for the quick replies!

Here is what is happening:

If I take the NAT out, I can ping the host from an upstream router

If I put it back in and try to ping the host at its natted address, I don't get any reply, although I see an entry in the ACL and if I do a show xlate interface I see the mapping.

The NAT statement is set up like this (see info above)

static (VLAN200,VLAN100) 172.25.100.100 172.29.87.133 netmask 255.255.255.255

Not sure why it isn't working

Re: NAT configuration issue

Jouni Forss — Fri, 05 Apr 2013 21:03:08 GMT

Hi,

If you have the route, NAT and ACL rules configured I cant think of many reasons for this to not work.

Is there a lot of other NAT configurations on the FWSM and could you share them?

- Jouni

NAT configuration issue

Julio Carvajal — Fri, 05 Apr 2013 21:12:51 GMT

The first question would be.

Do you have a route to the Unnused IP adtdress on the upstream router?

Remember, the route it's not required BUT you have to be sure that the router learn the MAC address of this host via the interface connecting to the FWSM ( via Proxy-arp)

You could even do a static map but the easiest way to go is to create the route as Jouni suggested

NAT configuration issue

Colin Higgins — Sat, 06 Apr 2013 01:05:02 GMT

OK, figured it out

It does indeed work: I had to clear the ARP entry AND the xlate entry on the interface for the host.

The FWSM had a bad entry--once those were cleared, the host responded to the natted address

thanks guys

NAT configuration issue

Julio Carvajal — Sat, 06 Apr 2013 01:07:06 GMT

Hello Colin,

Glad to hear that everything is working for you

Regards,