09-09-2010 09:50 AM - edited 03-11-2019 11:37 AM
Hi.
I have a problem with FWSM and NAT.
I have a FWSM with two interfaces, OUTSIDE and DMZ.
I have a server on the DMZ (10.0.0.2/24) and a client on the OUTSIDE (192.168.1.2/24)
I have a static NAT like "static (DMZ,OUTSIDE) 1.1.1.1 10.0.0.2"
When I access the public address (1.1.1.1) there are no problems.
When I access the private address (10.0.0.2), the reply packet is always translated, and this is a problem for me because I need to be able to access both addresses correctly, public and private.
Need help please!
Thanks in advance!
David
09-09-2010 11:11 AM
Hi David,
Unfortunately this is not possible. You can set up NAT exemption for certain hosts, but a single client won't be able to access the server using both local and global IP addresses, since NAT exemption on the FWSM is only based on IP address.
Hope that helps.
-Mike
09-09-2010 11:18 AM
Hello,
I am not sure I understand the issue.
I have a problem with FWSM and NAT.
I have a FWSM with two interfaces, OUTSIDE and DMZ.
I have a server on the DMZ (10.0.0.2/24) and a client on the OUTSIDE (192.168.1.2/24)
I have a static NAT like "static (DMZ,OUTSIDE) 1.1.1.1 10.0.0.2"
When I access the public address (1.1.1.1) there are no problems.
--Based on the static NAT configuration, traffic arriving on the Outside interface destined for 1.1.1.1 should be translated to the real IP of 10.0.0.2. This appears to be working.
When I access the private address (10.0.0.2), the reply packet is always translated, and this is a problem for me because I need to be able to access both addresses correctly, public and private.
--Is the traffic originating behind the Outside interface to host 10.0.0.2? This will not work, since your static NAT statement (static (DMZ,OUTSIDE) 1.1.1.1 10.0.0.2) will only allow traffic to 10.0.0.2 on the Outside interface if it is using the NAT'ed IP of 1.1.1.1.
What are you trying to achieve?
09-09-2010 01:47 PM
Hi Allen.
The client computer (192.168.1.2) needs to access both IP addresses (1.1.1.1 and 10.0.0.2).
How can I achieve this?
Maybe xlate bypass?
Thanks!
09-09-2010 02:31 PM
Hi David,
If Xlate Bypass is enabled, then the original static statement will not take effect.
static (DMZ,OUTSIDE) 1.1.1.1 10.0.0.2
Does the client computer need to use the internal IP for a certain application on a particular port, and the external IP for other applications? If so, you can configure static policy NAT.
However, if no ports are defined, you cannot have the client computer access the inside host on both IP addresses. That is not supported.
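The following is an added configuration example, not posted by anyone in this thread, of the static policy NAT the answer above refers to. It uses the thread's interfaces and addresses; the port (TCP/443) and the client subnet used in the ACL are assumptions chosen for illustration. Unlike the original one-to-one `static (DMZ,OUTSIDE) 1.1.1.1 10.0.0.2`, a policy static limits the translation to the traffic matched by its access list, so only the listed port of 10.0.0.2 is mapped to 1.1.1.1.

```cisco
! Added example (not from the thread). Port 443 and the 192.168.1.0/24
! client subnet are assumptions for illustration.
!
! Real (DMZ-side) traffic that gets translated: server 10.0.0.2 on TCP/443
! when talking to the OUTSIDE client subnet.
access-list DMZ_TO_CLIENT_443 extended permit tcp host 10.0.0.2 eq 443 192.168.1.0 255.255.255.0
!
! Policy static NAT: map 10.0.0.2:443 to 1.1.1.1:443 towards OUTSIDE, but
! only for flows matched by the ACL above. Other ports on 10.0.0.2 are not
! covered by this statement (that is the difference from the original static).
static (DMZ,OUTSIDE) tcp 1.1.1.1 443 access-list DMZ_TO_CLIENT_443
!
! On the FWSM (and pre-8.3 ASA) the inbound ACL on OUTSIDE references the
! mapped (global) address, not the real one.
access-list OUTSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 host 1.1.1.1 eq 443
access-group OUTSIDE_IN in interface OUTSIDE
!
! Existing translations are not rewritten when static statements change;
! clear them so the new policy takes effect, then verify.
clear xlate
show running-config static
show xlate
```

After applying this, a connection from 192.168.1.2 to 1.1.1.1:443 should show up in `show xlate` as a translation of 10.0.0.2 on port 443 only; whether the same client can also reach 10.0.0.2 directly on other ports still depends on the remaining NAT configuration (xlate bypass and nat-control) discussed in the thread, so check that separately on your FWSM release.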
09-10-2010 03:44 PM
CISCOOOO please, implement the STATEFUL NAT!!!
Thanks to everybody!