10-05-2010 08:05 AM - edited 03-11-2019 11:50 AM
Hello Friends,
How can we disable nat-control in FWSM? And if we disable NAT and suppose I want to use the static NAT command, will it be affected in the configuration?
What is the command in FWSM to see whether NAT is enabled or disabled? As I know, in ASA it is the sh nat-control command.
Thanks
Solved!
Labels: NGFW Firewalls
10-05-2010 08:23 AM
You can do "sh run all | i nat-control" to check if it is enabled.
Without nat-control enabled all hosts that do NOT match an existing nat or static will be translated to themselves.
I hope it helps.
PK
10-05-2010 10:21 AM
pkampana wrote:
You can do "sh run all | i nat-control" to check if it is enabled.
Without nat-control enabled all hosts that do NOT match an existing nat or static will be translated to themselves.
I hope it helps.
PK
Hello Pkampana,
Can you explain more, please? Your last line is still not clear.
One PC in PAK_IT wants to access MAC_IT. The access-list was OK (any any) on the PAK_IT interface, but still I was not able to access it; when I put in the static command it worked. The customer told me that nat-control is disabled. I used the ASA command sh nat-control and it gave me an error.
Can you explain the below static command to me? If I'm not wrong, the user with 172.25.51.26 who wants to reach any PC (according to the ACL) in 172.25.52.0 will access it by IP 172.25.52.26. Correct me if I'm wrong.
interface Vlan51
 nameif PAK_IT
 security-level 25
 ip address 172.25.51.254 255.255.255.0 standby 172.25.51.253
interface Vlan52
 nameif MAC_IT
 security-level 90
 ip address 172.25.52.254 255.255.255.0 standby 172.25.52.253
static (PAK_IT,MAC_IT) 172.25.52.26 172.25.51.26 netmask 255.255.255.255
10-05-2010 10:54 AM
This static translates host 172.25.52.26 behind interface PAK_IT to itself for interface MAC_IT.
You will need a static even if you have nat-control disabled if you had any existing nats or statics that were matching 172.25.52.26 behind PAK_IT.
For example, if you had a
nat (PAK_IT) 1 172.25.52.0 255.255.255.0
Then you would need a static to make it work.
I hope it helps.
PK
10-05-2010 12:11 PM
pkampana wrote:
This static translates host 172.25.52.26 behind interface PAK_IT to itself for interface MAC_IT.
You will need a static even if you have nat-control disabled if you had any existing nats or statics that were matching 172.25.52.26 behind PAK_IT.
For example, if you had a
nat (PAK_IT) 1 172.25.52.0 255.255.255.0
Then you would need a static to make it work.
I hope it helps.
PK
Hello Pkampana,
For Example:
interface vlan 2
 nameif inside
 security-level 100
interface vlan 3
 nameif outside
 security-level 0
static (inside,outside) 202.1.1.1 10.10.10.1 netmask 255.255.255.255
The above static command says that when the host on the inside (10.10.10.1) goes to the internet it is translated to 202.1.1.1,
and also when users from outside want to access the host on the inside they will hit 202.1.1.1, which will be translated to 10.10.10.1.
As you have mentioned below:
This static translates host 172.25.52.26 behind interface PAK_IT to itself for interface MAC_IT.
There is no such host 172.25.52.26; this is a virtual IP, the real IP is 172.25.51.26. So what I understand is that when 172.25.51.26 wants to access MAC_IT it will be translated to 172.25.52.26. Is this what you mean to say? Please correct me if I'm wrong.
For example: the user is coming from a lower security level to the inside (a higher security level), so the statement will be (outside,inside). So in this case PAK_IT is outside and MAC_IT is inside.
And
You will need a static even if you have nat-control disabled if you had any existing nats or statics that were matching 172.25.52.26 behind PAK_IT.
There was no static or nat statement for this IP, but there were other static statements between PAK_IT and MAC_IT for other IP addresses.
10-06-2010 06:17 AM
Hello Dears,
Can anybody help me with the above query?
Thanks
10-06-2010 07:58 AM
Hi,
Did you notice what syslog was being produced before putting in the particular static between PAK_IT and MAC_IT? This should give us a better idea of what was wrong with NAT.
Also, what does the output of "show run all | in nat-control" give you like pkampana had asked before?
Thanks and Regards,
Prapanch
10-06-2010 01:22 PM
Hello Dears,
One PC, 172.25.51.26 in PAK_IT, wants to access a subnet, 172.25.52.0 in MAC_IT. The static statement is working fine and PC 172.25.51.26 is accessing the whole MAC_IT subnet. I just want to explore more what this static statement means. Is what I have mentioned in the above mail correct for the static statement?
Also, what does the output of "show run all | in nat-control" give you like pkampana had asked before?
I have checked with the command and nat-control is disabled.
Thanks
10-06-2010 03:10 PM
Hello Estela,
I will attempt to answer your questions:
static (PAK_IT,MAC_IT) 172.25.52.26 172.25.51.26 netmask 255.255.255.255
You asked:
There is no such host 172.25.52.26; this is a virtual IP, the real IP is 172.25.51.26. So what I understand is that when 172.25.51.26 wants to access MAC_IT it will be translated to 172.25.52.26. Is this what you mean to say? Please correct me if I'm wrong.
The static command translates host 172.25.51.26 to IP 172.25.52.26 when traffic traverses from the PAK_IT to the MAC_IT interface. Therefore, when host 172.25.51.26 needs to access resources behind the MAC_IT interface, the traffic will appear to have originated from IP address 172.25.52.26 to the hosts behind the MAC_IT interface. Likewise, if hosts behind the MAC_IT interface need to access resources on host 172.25.51.26, they will need to access it using the translated address (172.25.52.26) and not the real IP. The static NAT works in both directions.
The logic is similar to the example you provided:
interface vlan 2
 nameif inside
 security-level 100
interface vlan 3
 nameif outside
 security-level 0
static (inside,outside) 202.1.1.1 10.10.10.1 netmask 255.255.255.255
The above static command says that when the host on the inside (10.10.10.1) goes to the internet it is translated to 202.1.1.1,
and also when users from outside want to access the host on the inside they will hit 202.1.1.1, which will be translated to 10.10.10.1.
The command "nat-control" determines whether NAT is required when traffic traverses the FWSM. If nat-control is enabled, you will see the following when you execute the command "show run all | inc nat-control":
FWSM/admin# show run all nat-c
nat-control
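To make the rules discussed in this thread concrete, here is an added, constructed Python model of the FWSM translation lookup (illustrative code written for this page, not Cisco's implementation and not from any post): a static is matched in both directions, an unmatched host is dropped with nat-control on but translated to itself with nat-control off, and, as a simplifying assumption, a host matched by a nat with no matching global on the egress interface is dropped. Interface names and host addresses are the thread's; the 172.25.51.0/24 nat line and the 172.25.51.30 host are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
# Constructed model of the FWSM translation lookup described in this thread.
# Illustrative only, not Cisco's code; assumes a "nat" match with no matching
# "global" on the egress interface is dropped.
@dataclass
class Static:
    real_if: str
    mapped_if: str
    mapped_ip: str   # address shown to hosts behind mapped_if
    real_ip: str     # real address of the host behind real_if

@dataclass
class Fwsm:
    nat_control: bool
    statics: list = field(default_factory=list)
    nats: dict = field(default_factory=dict)   # (ifname, pool id) -> network
    pools: set = field(default_factory=set)    # (ifname, pool id) of globals

    def outbound(self, src, ingress, egress):
        """Address `src` (behind `ingress`) appears as on `egress`; None = dropped."""
        for s in self.statics:
            if (s.real_if, s.mapped_if) == (ingress, egress) and s.real_ip == src:
                return s.mapped_ip
        for (ifn, pid), net in self.nats.items():
            if ifn == ingress and ipaddress.ip_address(src) in net:
                return "dynamic-pool" if (egress, pid) in self.pools else None
        return None if self.nat_control else src  # identity translation

    def inbound(self, dst, ingress, egress):
        """Real host behind `egress` that `dst`, as seen from `ingress`, maps to."""
        for s in self.statics:
            if (s.mapped_if, s.real_if) == (ingress, egress) and s.mapped_ip == dst:
                return s.real_ip
        return None if self.nat_control else dst

def thread_scenario():
    st = Static("PAK_IT", "MAC_IT", "172.25.52.26", "172.25.51.26")
    no_ctl = Fwsm(nat_control=False, statics=[st])
    ctl = Fwsm(nat_control=True, statics=[st])
    # pkampana's point: a nat covering the host's subnet but no matching global
    pooled = Fwsm(nat_control=False,
                  nats={("PAK_IT", 1): ipaddress.ip_network("172.25.51.0/24")})
    return {
        "static_fwd": no_ctl.outbound("172.25.51.26", "PAK_IT", "MAC_IT"),
        "static_rev": no_ctl.inbound("172.25.52.26", "MAC_IT", "PAK_IT"),
        "other_host_no_ctl": no_ctl.outbound("172.25.51.30", "PAK_IT", "MAC_IT"),
        "other_host_ctl": ctl.outbound("172.25.51.30", "PAK_IT", "MAC_IT"),
        "nat_no_global": pooled.outbound("172.25.51.26", "PAK_IT", "MAC_IT"),
    }
```

Running thread_scenario() shows why the poster's static was needed either way: other PAK_IT hosts pass untranslated only while nat-control stays off.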
