ASA 5520 to Watchguard XTM820

sonitadmin
Level 1

Have a client who has decided to move from their Cisco ASA 5520 to a new Watchguard XTM820 firewall.  Worked through the config and got most of the rules moved over to the new device and working.  Running into some problems with the DMZ interface though.  On the ASA they had the following lines in the config for access to a specific server:

access-list dmz_Austin_access_in extended permit ip 192.168.0.0 255.255.252.0 host 128.1.4.56

access-list dmz_Austin_nat0_outbound extended permit ip 192.168.0.0 255.255.252.0 host 128.1.4.56

The DMZ interface on the firewall was 192.168.0.249/22 and is the same on the new Watchguard.  I have created a rule on the Watchguard to allow traffic from DMZ to 128.1.4.56 but it does not work. 

I've noticed there is a static route setup on the ASA:

route inside 128.1.0.0 255.255.0.0 10.0.15.250 1

so I added this to the Watchguard as well, but still no luck. 

I am confused on the nat0 command above and exactly what it does.  Also I'm confused on the following commands and what they do. 

global (outside) 101 interface

global (inside) 102 10.0.15.252

nat (inside) 101 128.1.0.0 255.255.0.0

Is the nat (inside) 101 command above something I need on the Watchguard and something that's preventing the traffic from getting through?  Very confused and would appreciate any help that I can get here.

Thanks!

3 Replies

Anu M Chacko
Cisco Employee

Hi,

The access-list "dmz_Austin_nat0_outbound" is called in a nat 0 statement. This means that the traffic specified in this access-list will be exempted from NAT-ing.

global (outside) 101 interface

nat (inside) 101 128.1.0.0 255.255.0.0

The above commands say "whenever traffic comes from the network 128.1.0.0/16 to the inside interface, it will be PAT-ted to the outside interface IP address as it goes out."

global (inside) 102 10.0.15.252

The above command must be matched to a nat command as well, like the nat 101 commands.

Here is a doc:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

Hope this helps!

Regards,

Anu

Thank you so much for your reply. 

So are these:

global (outside) 101 interface

nat (inside) 101 128.1.0.0 255.255.0.0

rules that I need to add on the Watchguard then?  If these are missing, is that what is preventing the traffic from passing currently?

Hi,

No problem!

I can tell you what those commands mean on a Cisco ASA. It means that all traffic exiting from the higher security level interface (from the 128.1.0.0 network) will get translated to the outside interface (lower security level) IP address as it goes out. The reply for the request that went out will come back since a session was created as traffic went out.

Hope this is clear.

Regards,

Anu

P.S. Please mark this question as answered if it has been resolved. Do rate helpful posts!
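The two replies above describe the order in which a pre-8.3 ASA applies these lines: the nat 0 exemption ACL is checked first, then a nat statement on the ingress interface is paired with the global of the same id on the egress interface. The following Python model is an added illustration of that order, written for this thread; it is not Cisco code and not code from any participant. It parses the lines quoted in the post and reports, for a given flow, whether the source address leaves untranslated (exempt), is PAT-ted to the outside interface, or matches no rule at all. Assumptions: the `nat (dmz) 0 access-list dmz_Austin_nat0_outbound` line and the interface name `dmz` (the reply says the ACL is used by a nat 0 statement but the post does not show it), a default route via `outside` with a documentation-range next hop, and the sample host addresses are all constructed.

```python
"""Model of how a pre-8.3 Cisco ASA evaluates the nat 0 / nat / global / route
lines quoted in this thread. Added illustration, not Cisco code: the nat 0
line, the interface name "dmz", the default route and the sample hosts are
constructed assumptions."""
import ipaddress

# Constructed config: the lines quoted in the thread, plus an assumed nat 0
# line and an assumed default route so that egress to the Internet resolves.
ASA_CONFIG = """
access-list dmz_Austin_access_in extended permit ip 192.168.0.0 255.255.252.0 host 128.1.4.56
access-list dmz_Austin_nat0_outbound extended permit ip 192.168.0.0 255.255.252.0 host 128.1.4.56
nat (dmz) 0 access-list dmz_Austin_nat0_outbound
global (outside) 101 interface
global (inside) 102 10.0.15.252
nat (inside) 101 128.1.0.0 255.255.0.0
route inside 128.1.0.0 255.255.0.0 10.0.15.250 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _acl_operand(tokens):
    """Consume one ACL address operand ('host A', 'any' or 'A MASK')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    """Index the NAT-relevant lines by type; anything else is ignored."""
    cfg = {"acls": {}, "nat0": {}, "nat": {}, "global": {}, "routes": []}
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["extended", "permit"]:
            src, rest = _acl_operand(t[5:])       # after: NAME extended permit PROTO
            dst, _ = _acl_operand(rest)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["nat"]:
            iface, nat_id = t[1].strip("()"), int(t[2])
            if nat_id == 0 and t[3] == "access-list":
                cfg["nat0"][iface] = t[4]            # NAT exemption on this interface
            else:
                cfg["nat"].setdefault(nat_id, []).append((iface, _net(t[3], t[4])))
        elif t[:1] == ["global"]:
            cfg["global"][int(t[2])] = (t[1].strip("()"), t[3])
        elif t[:1] == ["route"]:
            cfg["routes"].append((t[1], _net(t[2], t[3]), t[4]))
    return cfg


def egress(cfg, dst):
    """Longest-prefix route lookup: (interface, next hop), or None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, iface, nh) for iface, net, nh in cfg["routes"] if dst in net]
    if not matches:
        return None
    _, iface, nh = max(matches)
    return iface, nh


def classify(cfg, in_iface, src, dst):
    """ASA NAT order: nat 0 exemption first, then nat/global paired by id."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = cfg["nat0"].get(in_iface)
    for s, d in cfg["acls"].get(acl, []):
        if src in s and dst in d:
            return ("exempt", acl)          # real source address is kept
    out = egress(cfg, dst)
    out_iface = out[0] if out else None
    for nat_id, entries in sorted(cfg["nat"].items()):
        for iface, net in entries:
            if iface != in_iface or src not in net:
                continue
            g = cfg["global"].get(nat_id)
            if g and g[0] == out_iface:
                return ("pat", out_iface, g[1])   # "interface" = egress interface IP
            return ("nat-without-global", nat_id)
    return ("untranslated", None)


def unmatched_globals(cfg):
    """global ids with no nat statement of the same id (the reply's point about 102)."""
    return sorted(g for g in cfg["global"] if g not in cfg["nat"])


if __name__ == "__main__":
    cfg = parse_config(ASA_CONFIG)
    print(egress(cfg, "128.1.4.56"))
    print(classify(cfg, "dmz", "192.168.0.10", "128.1.4.56"))
    print(classify(cfg, "inside", "128.1.4.56", "198.51.100.7"))
    print(classify(cfg, "dmz", "192.168.0.10", "198.51.100.7"))
    print(unmatched_globals(cfg))
```

Running it shows the three situations the replies describe: the DMZ-to-128.1.4.56 flow is exempt, so no equivalent of the nat/global pair is needed on the Watchguard for it; the inside-to-Internet flow is PAT-ted to the outside interface; and global 102 is reported as having no matching nat statement. The route lookup also confirms that 128.1.4.56 is reached through the inside interface via 10.0.15.250, which is the static route the original post mentions.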
