Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1006
Views
0
Helpful
3
Replies

What is the best way to bypass NAT on FWSM

rrockliff
Level 1
Level 1

‎08-17-2011 05:50 PM - edited ‎03-11-2019 02:13 PM

Hi All

I want to setup my FWSM so that the outside networks can communicate with the inside networks on their real ip address and visa versa. This is not an Internet facing Firewall and only being used to filter traffic between some secure networks, all of the users, domain controllers etc will sit on the outside, the mission critical devices will sit on the inside networks

Should i disable NAT control

or create nat rules similar to bellow using identity nat

nat (inside) 0 10.1.1.0 255.255.255.0

and

nat (outside) 0 10.1.20 255.255.255.0

Thanks for any assistance

Cheers

Richard

Labels:
0 Helpful
3 Replies 3

varrao
Level 10
Level 10

‎08-17-2011 07:20 PM

Hi,

You can do both, eith disable nat-control and just allow the traffic from outside to inside through ACL's, or use nat exempt, something like this:

Lets say your source network on outside is 10.0.0.0/8 and inside is 20.1.0.0/16, then

access-list nonat permit ip 10.0.0.0 255.0.0.0 20.1.0.0 255.255.0.0

nat (outside) 0 access-list nonat

This would translate the ip into themselves, and is the correct way to do it.

Hope this helps.

Thanks,

Varun

Please rate helpful posts

Thanks,
Varun Rao
0 Helpful

rrockliff
Level 1
Level 1
In response to varrao

‎08-17-2011 07:29 PM

Thanks for the reply,

What is the main difference between using identity nat and disabling nat control

Is there a benefit to keeping nat control on and using the nat (outside)  0  method

0 Helpful

varrao
Level 10
Level 10
In response to rrockliff

‎08-17-2011 07:34 PM

Well there is no difference, enabling nat-control and using identity nat is only helpful if you want to nat all traffic but some specific traffic or subnet need not be natted, so you use nat exempt.

Moreover nat exempt is helppful because, you can specify the destination as well, along with the source, so as in my example, if the same subnet is going to 30.0.0.0, it would need natting, so it makes things a bit flexible.

Hope this helps

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card