FWSM (multiple context) how to NAT traffic from within the context having outside interface private IP

Maurizio_C
Level 1

Dear All.

We're working on an FWSM [FWSM Firewall Version 4.1(5)] in multiple-context, routed mode.

In the current design, each context is planned to use only private IP addresses, including on the outside interface.

In terms of connectivity and functionality we don't see any problem, and our tests confirm correct functionality... even if we're finding it hard to make some simple checks at L3 (ICMP, traceroute) from the context to public outside destinations (formally, the Internet)...

The issue we have is that, with the outside interface configured with a private IP, we are not able to apply a correct NAT (inside the context) for the traffic generated from within the FWSM context itself; this happens when we want to test the reachability of some public Internet sites using a simple "ping" or "traceroute" to the public destination.

Of course, this can be fixed by applying the NAT on the edge router connecting the Internet and the context... but we want to avoid this last solution.

So our question is very easy: do you have suggestions/solutions to fix this problem within the context? Thank you very much in advance. Best regards. Maury

2 Replies

brquinn
Level 1

Maury,

If I'm understanding you correctly, your FWSM is configured with private IP addressing, but it is still being configured with NAT. If this is the case, then you still need to make sure you route the correct public IP subnets to your FWSM's outside interface. Your NAT does not necessarily need to be configured in the same subnet as the outside IP, but the routing in the rest of your network still needs to be correct.

Do you have shared interfaces between contexts? Can you send us your NAT configuration for review? (filter it as necessary)

Thanks,

Brendan

Thanks a lot, Brendan, for your quick reply...

.. My apologies for my language....

.. I recognize that I mentioned "traceroute"... but it's a functionality not available within the context... again, sorry for my error!

Your understanding is not really focused on my issue, even if it is a confirmation of our design, and I confirm that in our design your sentence is the correct one to have a multiple-context setup working properly with NAT... but it works only for destinations behind the firewall, e.g. DMZ, INSIDE, etc.

My problem is related to the context itself; let me give you our scenario: when I am the FW's administrator and I'm logged into the context, I need to send ICMP (ping) to the Internet (ping from the context's CLI), just to verify the network connectivity. So, if I have the outside interface with a public IP address, then I have no problem... but since here we have the outside interface with a private IP, I should apply a NAT for that outside interface. Within the context, I've tried to make a NAT like: "static(outside,outside) public ip, outside private address" .. with no success.

One solution could be to set a NAT for a loopback interface... but I believe that cannot be done on the firewall...!? Correct me if I'm in error.

And finally: we are not using a "shared vlan". For the configuration, since we have no hosts behind the firewall at this moment, I cannot send any NAT configuration; we don't have one for the moment.... You can imagine our scenario like the following...

  ....I would like to give you my thanks for your support. Best regards.
