07-06-2009 05:20 AM - edited 03-11-2019 08:51 AM
Hi experts,
I have just been asked to take over management of a FWSM in a 6509. Looking into the config, I notice that there doesn't appear to be adequate NAT statements, as I know them to be.
For example, here is the config relating to a network on the inside interface accessing a device in the web dmz:
interface Vlan351
 nameif webfront
 security-level 30
 ip address 10.30.5.1 255.255.255.0
interface Vlan383
 nameif inside
 security-level 90
 ip address 10.30.81.10 255.255.255.252
object-group network OFFICE-NETWORKS
 network-object 10.18.0.0 255.255.0.0
access-list INSIDE-IN extended permit ip object-group OFFICE-NETWORKS host 10.30.5.34
access-group INSIDE-IN in interface inside
route product-inside 10.18.0.0 255.255.0.0 core12
Now, I would expect there to be a NAT 0 or a static entry, but there are neither (you'll have to trust me on this!). There is actually no NAT 0 entry, only numbers 1-10 for outgoing traffic from the web dmz to the outside interface.
Yet a connection still occurs:
TCP out 10.30.5.34:3389 in 10.18.10.4:2035 idle 0:00:02 Bytes 142 FLAGS - U
And NAT has taken place:
NAT from inside:10.18.10.4 to webfront:10.18.10.4 flags Ii
I can't figure out how it knows to NAT this... can anyone shed any light?
Many thanks,
J
07-06-2009 05:38 AM
J
It sounds like you have "no nat-control" enabled on your FWSM. With "no nat-control" enabled traffic can go from a higher to a lower security interface without a NAT rule.
Which version of FWSM code are you running?
Can you see any line in the config to do with "nat-control"?
Jon
07-06-2009 05:49 AM
Hi Jon,
Many thanks for your response. Apologies, I should have said that I had already searched for no nat-control in the config but it's not there...but thinking about it, does that mean that this is set as default and that's why it's not showing? It's running version 3.1(1).
J
07-06-2009 05:57 AM
J
nat-control is disabled by default with version 3.1 on the FWSM so I suspect this is why you are seeing the behaviour you describe -
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/no.html#wp1585941
If nat-control was enabled on 3.1 you would see a line in your config - "nat-control"
Jon
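To make the answer concrete, here is an added audit script (not from the thread and not a Cisco tool) that parses an FWSM-style config and reports which higher-to-lower security interface pairs would pass traffic untranslated because nat-control is absent and the source interface has no nat/static rule. The sample config is constructed from the thread's two interfaces plus an assumed outside interface and an assumed nat/global pair for the web DMZ.

```python
import re

# Constructed sample: the thread's two interfaces, plus an assumed
# outside interface and the web DMZ's outgoing nat/global pair.
SAMPLE_CONFIG = """
interface Vlan351
 nameif webfront
 security-level 30
 ip address 10.30.5.1 255.255.255.0
interface Vlan383
 nameif inside
 security-level 90
 ip address 10.30.81.10 255.255.255.252
interface Vlan10
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
nat (webfront) 1 10.30.5.0 255.255.255.0
global (outside) 1 interface
"""

def parse_interfaces(config):
    """Return {nameif: security-level} from the interface stanzas."""
    levels, name = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name = None                      # new stanza, nameif not seen yet
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level ") and name:
            levels[name] = int(s.split()[1])
    return levels

def nat_control_enabled(config):
    """FWSM 3.1 defaults to 'no nat-control'; only the bare 'nat-control' line enables it."""
    return any(l.strip() == "nat-control" for l in config.splitlines())

def has_nat_rule(config, ifname):
    """True if a nat (incl. nat 0) or static rule names ifname as its source interface."""
    pat = re.compile(rf"^\s*(nat|static)\s+\({re.escape(ifname)}[,)]")
    return any(pat.match(l) for l in config.splitlines())

def untranslated_flows(config):
    """(src, dst) pairs where higher-to-lower traffic passes with no translation rule."""
    if nat_control_enabled(config):
        return []                            # every flow must match a nat/static rule
    levels = parse_interfaces(config)
    return sorted((src, dst) for src, sl in levels.items()
                  for dst, dl in levels.items()
                  if sl > dl and not has_nat_rule(config, src))
```

Adding a nat-control line, or a nat (inside) 0 access-list rule, makes the inside flows disappear from the report.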
07-06-2009 06:32 AM
Ah OK, that must be it (although this surprises me!). Many thanks for clearing that up for me :)
J