topic FWSM: nat 0, nat 1 in Network Security

FWSM: nat 0, nat 1

s.srivas — Mon, 11 Mar 2019 11:39:17 GMT

Hello,

I'm trying to get the incoming traffic via nat (inbound) 0 to pass the FWSM. I also have nat (inbound) 1 that is working ok on the same incoming interface.

How do I get nat 0 (no natting via this route) to allow incoming traffic on the inbound interface to outbound interface.

Config extracts:

FWSM Version 2.3(4)

same-security-traffic permit inter-interface

global (outbound) 1 10.192.3.83

nat (inbound) 0 access-list no_nat

nat (inbound) 1 access-list Proxy_nat

access-group outbound_access_in in interface outbound

access-group inbound_access_in in interface inbound

Re: FWSM: nat 0, nat 1

Alan Huseyin Kayahan — Wed, 05 Dec 2007 12:52:39 GMT

lets say that you have a 10.10.10.0 network inside and you dont want this address translated when its destination is 10.192.3.120. Then all you need is following

access-list no_nat permit ip 10.10.10.0 255.255.255.0 host 10.192.3.120

Regards

Re: FWSM: nat 0, nat 1

s.srivas — Wed, 05 Dec 2007 13:47:35 GMT

Thanks,

I'll try to test the following

access-list no_nat extended permit ip any any

Referrencing

http://www.cisco.com/en/US/partner/docs/security/fwsm/fwsm31/configuration/guide/nwacc_f.html

However, I already have the followings

and can not identify what else is causing the problem.

config extracts:

access-list no_nat extended permit ip TS-Proxy 255.255.255.224 GIN2_mgmt1 255.255.255.0

access-list no_nat extended permit ip SB-Proxy 255.255.255.224 GIN2_mgmt1 255.255.255.0

access-list no_nat extended permit ip TS-Proxy 255.255.255.224 10.0.0.0 255.0.0.0

access-list no_nat extended permit ip SB-Proxy 255.255.255.224 10.0.0.0 255.0.0.0

access-list no_nat extended permit ip GIN2_mgmt1 255.255.255.0 TS-Proxy 255.255.255.224

name 10.192.1.224 SB-Proxy

name 10.192.2.224 TS-Proxy

network-object TS-Proxy 255.255.255.224

network-object SB-Proxy 255.255.255.224

Re: FWSM: nat 0, nat 1

Alan Huseyin Kayahan — Wed, 05 Dec 2007 14:38:40 GMT

following acl has no use, and all other nat statements will be ignored. So dont use the following

access-list no_nat extended permit ip any any

I couldnt browse the link you submit, would you please describe what you want to achieve?

Re: FWSM: nat 0, nat 1

s.srivas — Wed, 05 Dec 2007 15:57:00 GMT

Yes, any any will be no use. I realised that as soon as I sent the previous reply. So I'm planning to include the following to the existing ACL.

access-list no_nat extended permit ip any 10.230.0.0 255.255.255.0

(What I'm trying to acheive is:

Through tunnel 0 and tunnel 1 in the front end router, make the front-lower FWSM to use

nat 1 to route to a real ISP with real addresses

nat 0 to route to a private ISP with 10.x sddresses. (Ours is 10. address too but not overlapping.

Incoming traffic from fe-Router is apparently hiting the FWSM inbound, but can not get through the FWSM.)

Re: FWSM: nat 0, nat 1

Alan Huseyin Kayahan — Wed, 05 Dec 2007 19:53:08 GMT

So, lets say that

ip address outside aRealIPfromISP

access-list no_nat extended permit ip any 10.230.0.0 255.255.255.0

nat (inside) 0 access-list no_nat

nat (inside) 1 10.x.x.x 255.255.255.0 -> your inside network

global (outside) 1 interface

In above config, traffic to 10.230.0.0/24 wont be NATed , and rest of the traffic from your inside network will flow through your ISP

Re: FWSM: nat 0, nat 1

s.srivas — Thu, 06 Dec 2007 10:36:49 GMT

No,

The nat 0 takes the tunnel 0 to outside private ISP. (They will do the necessary natting)

The nat 1 takes the tunnel 1 to outside to the real ISP.

I have not changed any configs yet, as the acces-list already allows (in name format).

ping from FWSM to 10.230.0.1 works ok.

only problem is traffic initiated in 10.230.0.0 is dropped (or some thing happens) before entering FWSM.