topic Re: FWSM NAT PROBLEM in Network Security

FWSM NAT PROBLEM

David Martinez Garcia — Mon, 11 Mar 2019 18:37:57 GMT

Hi.

I have a problem with FWSM and NAT.

I have a FWSM with two interfaces, OUTSIDE and DMZ.

I have a server on the DMZ (10.0.0.2/24) and a client on the OUTSIDE (192.168.1.2/24)

I have a static NAT like "static (DMZ,OUTSIDE) 1.1.1.1 10.0.0.2"

When a access to the public address (1.1.1.1) there are no problems.

When i access to the private address (10.0.0.2), the reply packet is always translated and this is a problem for me becasue i need to access correctly to both addresses, public and private.

Need help please!

Thanks in advance!

David

Re: FWSM NAT PROBLEM

mirober2 — Thu, 09 Sep 2010 18:11:44 GMT

Hi David,

Unfortunately this is not possible. You can setup NAT exemption for certain hosts, but a single client won't be able to access the server using both local and global IP addresses since NAT exemption on the FWSM is only based on IP address.

Hope that helps.

-Mike

Re: FWSM NAT PROBLEM

Allen P Chen — Thu, 09 Sep 2010 18:18:25 GMT

Hello,

I am not sure I understand the issue.

I have a problem with FWSM and NAT.

I have a FWSM with two interfaces, OUTSIDE and DMZ.

I have a server on the DMZ (10.0.0.2/24) and a client on the OUTSIDE (192.168.1.2/24)

I have a static NAT like "static (DMZ,OUTSIDE) 1.1.1.1 10.0.0.2"

When a access to the public address (1.1.1.1) there are no problems.

--Based on the static NAT configuration, traffic arriving on the Outside interface destined for 1.1.1.1 should be translated to the real IP of 10.0.0.2. This appears to be working.

When i access to the private address (10.0.0.2), the reply packet is always translated and this is a problem for me becasue i need to access correctly to both addresses, public and private.

--Is the traffic originating behind the Outside interface to host 10.0.0.2? This will not work, since your static NAT statement (static (DMZ,OUTSIDE) 1.1.1.1 10.0.0.2) will only allow traffic to 10.0.0.2 on the Outside interface if it is using the NAT'ed IP of 1.1.1.1.

What are you trying to achieve?

Re: FWSM NAT PROBLEM

David Martinez Garcia — Thu, 09 Sep 2010 20:47:56 GMT

Hi Allen.

The client computer (192.168.1.2) needs to acces both IP address (1.1.1.1 and 10.0.0.2).

How can achive this?

Maybe xlate bypass?

Thanks!

Re: FWSM NAT PROBLEM

Allen P Chen — Thu, 09 Sep 2010 21:31:14 GMT

Hi David,

If Xlate Bypass is enabled, then the original static statement will not take effect.

static (DMZ,OUTSIDE) 1.1.1.1 10.0.0.2

Does the client computer need to use the internal IP for a certain application on a particular port, and the external IP for other applications? If so, you can configure static policy NAT.

However, if no ports are defined, you cannot have client computer access the inside host on both IP addresses. That is not supported.

Re: FWSM NAT PROBLEM

David Martinez Garcia — Fri, 10 Sep 2010 22:44:16 GMT

CISCOOOO please, implement de STATEFUL NAT!!!

Thanks to everybofy!