05-18-2011 10:56 AM - edited 03-11-2019 01:35 PM
I have attached a drawing of our network. We have two 6509s connected to two Cisco 2811s (onsite) that the ISP owns.
I am trying to get one side up and running before I worry about redundancy and so forth. For this reason I have set all the HSRP priorities to 110 on the left 6509. I have HSRP running between the ISP routers and VLAN 101 of the 6509s. This works, as I can ping yahoo and google just fine from the 6509 switch. I can't get from my laptop connected to VLAN 23 to the internet. It doesn't even attempt to NAT, as there are no translations. I have public addresses assigned by my ISP configured between the ISP routers and my 6509 on VLAN 101. I then have the public address assigned to VLAN 100. I configured VLAN 100 on the switch and VLAN 100 on the FWSM with the IP address in the drawing. I have my NAT statements and route in my FWSM according to the drawing as well. On the switch, I have a default route to X.X.12.19, which is the VIP between the ISP routers. I can reach anything on the inside of my network, including the old network addresses from VLAN 23.
1. Is it best to do NAT at the FWSM or should I do it on the MSFC connected to the ISP routers?
2. If I have to configure NAT at the FWSM, does this require me to extend the public network down to the FWSM?
3. I'll take any examples you may have as I am stuck.
Thanks in advance.
05-18-2011 06:02 PM
Hello,
1. Most people configure NAT on firewalls, so the majority would configure NAT on the FWSM. However, this is really up to how you wish to design the network.
2. Again, this is up to your network design.
Here is a configuration example for the FWSM. The 192.168.1.0/24 subnet in this example is the "outside"; you can simply substitute that for the address range assigned by your ISP.
Hope this helps.
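The configuration example the reply above refers to did not survive on this page, so the following is an added example along the lines it describes (NAT done on the FWSM, with 192.168.1.0/24 as the outside). It is not the original poster's attachment and not the questioner's config. The VLAN numbers (100 outside, 23 inside) follow the question; the IP addresses, the FWSM slot number, the ACL name and the NAT ID are assumptions for illustration. The NAT syntax is the nat/global style used by FWSM 3.x and 4.x (pre-8.3 ASA style).

```cisco
! Added example, not from the original thread. Assumed addressing:
!   outside = VLAN 100, 192.168.1.0/24, FWSM 192.168.1.2, MSFC SVI 192.168.1.1
!   inside  = VLAN 23, 10.23.0.0/24, FWSM 10.23.0.1 (default gateway for VLAN 23 hosts)
!   FWSM is in slot 5 (assumed)

! ---------- MSFC (6509 supervisor) ----------
! Hand both VLANs to the firewall module so the FWSM owns them.
firewall vlan-group 10 23,100
firewall module 5 vlan-group 10
!
! The MSFC keeps an SVI only on the FWSM's outside VLAN. It must NOT have an
! SVI on VLAN 23, or inside traffic would route around the firewall.
interface Vlan100
 ip address 192.168.1.1 255.255.255.0
!
! Return traffic for the inside subnet goes back through the FWSM, not directly.
ip route 10.23.0.0 255.255.255.0 192.168.1.2
! Default route toward the ISP HSRP VIP (as in the question, X.X.12.19).
ip route 0.0.0.0 0.0.0.0 X.X.12.19

! ---------- FWSM (single context, routed mode) ----------
interface Vlan100
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan23
 nameif inside
 security-level 100
 ip address 10.23.0.1 255.255.255.0
!
! Default route points at the MSFC SVI on the outside VLAN.
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
! PAT every VLAN 23 host behind the FWSM's outside interface address.
! NAT ID 1 ties the nat and global statements together.
nat (inside) 1 10.23.0.0 255.255.255.0
global (outside) 1 interface
!
! The FWSM, unlike the ASA, passes no traffic between interfaces without an
! access-list, even from a high- to a low-security interface.
access-list INSIDE_OUT extended permit ip 10.23.0.0 255.255.255.0 any
access-group INSIDE_OUT in interface inside
!
! Checks to run after sending traffic from a VLAN 23 host:
!   show xlate        -> expect a PAT entry for the host's source address
!   show nat          -> the nat/global pair with hit counts
!   show route        -> default route via 192.168.1.1 on outside
```

With a real ISP range in place of 192.168.1.0/24, the `global (outside) 1 interface` line would PAT behind whichever public address the FWSM outside interface carries; if several public addresses are available, a `global (outside) 1 <first> - <last>` pool can be used instead. The two points a practitioner should confirm are that the MSFC has no SVI on the inside VLAN and that the inside access-list exists, since either missing piece produces exactly the "no translations" symptom.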
05-18-2011 09:45 PM
After reading up some more on the FWSM and 6509, I have decided it would be best to design the network so the MSFC is on the inside. This would allow me to NAT on the FWSM and then connect the FWSM directly to the ISP routers. This way I do not have to extend the public network further. This also means I don't have to request additional public IPs from the ISP. I will recreate my diagram and make another attempt at it. I will post the results in the morning.
Thanks,