06-18-2013 05:22 AM - edited 03-11-2019 06:59 PM
Hi,
I am facing an issue trying to understand the traffic flow on FWSM, hopefully someone can help here.
We have a Web Server which is on our private network. We are also allowing access to it from Internet. There are two DNS entries, one for local and one for public. There is a “static” statement on Firewall which is doing translation of Public (outside) to Private (Inside). The “static” NAT is defined for OUTSIDE to INSIDE interface. It is working fine.
Now the problem is, when the internal user tries to use the external URL it gets no response. Basically the traffic is initiated from INSIDE and it goes to OUTSIDE where it is NATed and then there is no response. Since these interfaces cannot be on the same security level the command “same-security-traffic permit {inter-interface | intra-interface}” cannot be used. The ACLs are permitting on both sides.
Any suggestions how to achieve this?
06-18-2013 05:35 AM
Hi,
By default you can't connect to a public IP address that is used as a NAT IP address on some other interface than the one where your connecting hosts are located. In this case the users are located behind INSIDE while the actual NAT IP address is located on OUTSIDE.
You have a few options to access a server from your network behind the firewall with the public URL.
For the last setup you would basically have a basic NAT configuration something like this
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
Of the below configuration the first line enables Dynamic PAT for the LAN users to the "inside" IP address of the firewall. This will make sure that the traffic flows correctly in the special NAT setup we are doing.
The second configuration line configures the local server IP address to translate to the public IP address also towards the local network.
The last command enables the traffic to enter and leave the same interface.
global (inside) 1 interface
static (inside,inside)
same-security-traffic permit intra-interface
Hope this helps
Please do remember to mark the reply as the correct answer if it answered your question.
- Jouni
06-18-2013 06:02 AM
Sorry, I did not get it. Are you suggesting to apply both sets of commands? Do I need to include all my local networks in this nat (inside)?
06-18-2013 06:07 AM
Hi,
The exact configuration format depends on your current configurations which I have not seen.
The basic idea is to configure source address translation (Dynamic PAT) that uses the local interface's IP address as the PAT address. This will ensure the traffic gets forwarded back to the firewall correctly when the server replies.
The destination NAT is handled with the "static" configuration mentioned.
The Dynamic PAT configuration really depends on your environment and its networks and the current "global" and "nat" configurations on the firewall.
- Jouni
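The two replies above describe the pieces (Dynamic PAT to the inside interface address, a static on the same interface, and same-security intra-interface) without showing them in one place. The following is an added, complete example of that hairpin configuration in the pre-8.3 global/nat/static syntax the thread uses; it is not configuration from the thread or from Cisco. All addresses are assumptions for illustration: outside interface 203.0.113.1/24, inside interface 10.10.10.1/24, web server 10.10.10.50 privately and 203.0.113.10 publicly, and a client at 10.10.10.20 in the walk-through comments. The interface names and the 10.10.10.0/24 network are the ones used in the thread.

```cisco
! Assumed addressing (documentation ranges, not from the thread):
!   outside  203.0.113.1/24   inside  10.10.10.1/24
!   web server 10.10.10.50 (private) <-> 203.0.113.10 (public)

! --- Part 1: the setup the original poster already has working ---
! Outbound PAT for the LAN to the outside interface address
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
! Inbound static: public 203.0.113.10 maps to the private server
! (syntax is (real_ifc,mapped_ifc) mapped_ip real_ip)
static (inside,outside) 203.0.113.10 10.10.10.50 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE_IN in interface outside

! --- Part 2: additions so inside clients can use the public URL ---
! 1. Allow a flow to enter and leave the inside interface
same-security-traffic permit intra-interface
! 2. Destination NAT on the inside interface itself: an inside client
!    sending to 203.0.113.10 is rewritten to 10.10.10.50
static (inside,inside) 203.0.113.10 10.10.10.50 netmask 255.255.255.255
! 3. Source PAT to the inside interface address for traffic that exits
!    via inside (same nat id 1 as the existing nat (inside) line)
global (inside) 1 interface

! Resulting flow for client 10.10.10.20 -> 203.0.113.10:80
!   in  : 10.10.10.20 -> 203.0.113.10      (arrives on inside)
!   out : 10.10.10.1  -> 10.10.10.50       (dst static, src PAT, leaves inside)
!   back: 10.10.10.50 -> 10.10.10.1        (server answers the firewall)
!   to client: 203.0.113.10 -> 10.10.10.20 (both translations undone)
! Without step 3 the server would answer 10.10.10.20 directly on the LAN,
! the client would see a reply from 10.10.10.50 instead of 203.0.113.10
! and discard it, which is the "no response" symptom in the question.
```

Two things to check after applying this: `show xlate` should show both the server static and a PAT entry on the inside interface address while a client connection is open, and `show conn` should show the inside-to-inside connection. Note the side effect of step 3: the web server's access logs will record the firewall's inside address (10.10.10.1 here) as the client for every hairpinned connection, so client attribution for internal users is lost on the server; if that matters, using the internal DNS name from the LAN (which the original poster already has) keeps the real client address visible.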