fwms nat outside

Antonio_1_2 · ‎04-21-2012

Hello,

If anyone can help me with this problem please

:

I have FWSM Firewall Version 3.2.

When I want to use

nat (DMZ) 1 10.0.0.0 255.0.0.0 outside

global (INSIDE) 1 192.168.1.1 netmask 255.255.255.255

in order to use dynamic NAT from DMZ to INSIDE all other translation rules are not functioning from DMZ

i.e.all STATIC and NAT rules

static (INSIDE, STATIC) 192.168.0.0. 192.168.0.0. netmask 255.255.0.0.

nat (DMZ) 2 10.0.0.0 255.0.0.0

global (OUSIDE) 2 interface

I thought that static nat has priority but it seems that nat with outside statement runs over all other translations.

when I remove no nat (DMZ) 1 10.0.0.0 255.0.0.0 outside everything goes back to normal and I can ping everything from DMZ as before

Does anyone have experience with this?

Am I doing something wrong or this is normal behavior?

Regards,

A.

Jouni Forss · ‎04-22-2012

Hi,

All I can say is that I suggest using the NAT/GLOBAL statements only for the interfaces that "head out" of your local networks.

I never do PAT configurations between my own interfaces. Like DMZs and different LAN segments. I only do the PAT configurations towards OUTSIDE and perhaps some 3rd party connections.

Why not just allow the traffic between INSIDE and DMZ unnated?

- Jouni

Antonio_1_2 · ‎04-23-2012

Hi,

I use PAT so that I don't need to configure static routes on a large amount devices in LAN toward DMZ network.

Those LAN devices don't have default route toward firewall but to other router.

So in order for LAN devices to reach DMZ network I just need to configure PAT from DMZ to some LAN IP address.

Regards,

A.