11-20-2013 01:32 PM - edited 03-11-2019 08:07 PM
I'm very new to the 9.1 code and struggling with the new NAT translation. I'll try to explain the best I can what I'm wanting to do. For testing I can do everything via CLI or ASDM, but in the end I will have to convert any command over to Cisco Security Manager because that is what we use to manage all our firewalls.
Currently we have a public IP address, let's say x.x.x.5. I have another public IP, x.x.x.6, that I want all my internal workstations to use for going out to the Internet. Basically, when I go to whatsmyip from a workstation I want it to show x.x.x.6.
Normally in 8.2 code I would use a pool on the public interface with x.x.x.6 and assign the internal subnets to it. However, in 9.1 code it's not as simple, at least from what I'm seeing.
What I would like to do is do something like this:
Private Interface subnet 172.28.0.0 (LAN1) to access the Internet via Public interface nat x.x.x.6 (Public_Nat)
Private Interface subnet 172.27.0.0 (LAN2) to access the Internet via Public interface nat x.x.x.6 (Public_Nat)
Here is my current nat:
nat (private,public) source static LAN1 LAN1 destination static Public_Nat Public_Nat
Here is the packet-trace, and as you can see in Phase 3 NAT bypasses my rule and uses per-session.
firewall01# packet-tracer input private tcp 172.28.2.1 1024 8.8.8.8 2334
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 public
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_private in interface private
access-list CSM_FW_ACL_private extended permit ip object Server_Vlan any4
access-list CSM_FW_ACL_private remark Allow All Traffic on the Internet Vlan outbound
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
class-map IPSTraffic
match any
policy-map CSM_PM_1
class IPSTraffic
ips inline fail-open
service-policy CSM_PM_1 interface public
Additional Information:
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 244, packet dispatched to next module
Result:
input-interface: private
input-status: up
input-line-status: up
output-interface: public
output-status: up
output-line-status: up
Action: allow
Any help would be appreciated!
11-20-2013 03:17 PM
Here is the correct configuration:
enable
config t
no nat (private,public) source static LAN1 LAN1 destination static Public_Nat Public_Nat
object network Public_Nat_6
host X.X.X.6
nat (private,public) after-auto source dynamic any Public_Nat_6
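As an added illustration (not code from the thread or from Cisco), the small model below walks an ASA 9.x NAT table the way the firewall does (section 1 manual rules, section 2 object NAT, section 3 after-auto manual rules, first match wins) and shows why the original identity twice-NAT rule never matched Internet-bound traffic while the after-auto dynamic rule does; it also pulls the Config block out of each NAT phase of packet-tracer output, where an empty block (as in the trace above) means no NAT rule was applied. Object names come from the thread; the object contents and 203.0.113.6 standing in for x.x.x.6 are constructed assumptions.

```python
# Added example, not from the thread: toy ASA NAT table walk plus a check on
# packet-tracer NAT phases. Object contents are constructed; 203.0.113.6 is a
# stand-in for the thread's x.x.x.6 placeholder.
from collections import namedtuple
from ipaddress import ip_address, ip_network

OBJECTS = {                                   # constructed object definitions
    "LAN1": ip_network("172.28.0.0/16"),
    "LAN2": ip_network("172.27.0.0/16"),
    "Public_Nat": ip_network("203.0.113.6/32"),
    "Public_Nat_6": ip_network("203.0.113.6/32"),
    "any": ip_network("0.0.0.0/0"),
}

# section: 1 = manual (before auto), 2 = object NAT, 3 = manual after-auto
Rule = namedtuple("Rule", "section src dst mapped kind")
# nat (private,public) source static LAN1 LAN1 destination static Public_Nat Public_Nat
ORIGINAL_RULES = [Rule(1, "LAN1", "Public_Nat", "LAN1", "static identity")]
# nat (private,public) after-auto source dynamic any Public_Nat_6
FIXED_RULES = [Rule(3, "any", "any", "Public_Nat_6", "dynamic PAT")]

def translate(rules, src, dst):
    """(section, kind, mapped source) of the first matching rule, else None.
    Twice NAT matches on BOTH real source and real destination, so with the
    original rule 8.8.8.8 (not in Public_Nat) matches nothing."""
    for rule in sorted(rules, key=lambda r: r.section):
        if ip_address(src) in OBJECTS[rule.src] and ip_address(dst) in OBJECTS[rule.dst]:
            mapped = src if rule.kind == "static identity" \
                else str(OBJECTS[rule.mapped].network_address)
            return rule.section, rule.kind, mapped
    return None

def nat_phase_configs(trace):
    """Config lines of every 'Type: NAT' phase in packet-tracer output; an
    empty list for a phase (as in the thread) means no NAT rule was applied."""
    out = []
    for block in trace.split("Phase:")[1:]:
        if "Type: NAT" in block:
            cfg = block.split("Config:", 1)[1].split("Additional Information:", 1)[0]
            out.append([l.strip() for l in cfg.splitlines() if l.strip()])
    return out

TRACE = """\
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
"""   # constructed excerpt mirroring the thread's Phase 3
```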
11-20-2013 05:33 PM
Jumora,
Thank you for the quick reply. I have tried your config and it looks like you have put me on the right track. Really appreciate the help!
11-20-2013 05:40 PM
I am sorry, but I am not CSM-knowledgeable; however, if you can do reverse engineering, the configuration should be something similar to what you see in the ASDM. Regarding the objects, I would suggest keeping them separate.