FWSM - NAT: I can't figure this out

jigsaw2026
Level 1

Hi experts,

I have just been asked to take over management of an FWSM in a 6509. Looking into the config, I notice that there don't appear to be adequate NAT statements, as I know them to be.

For example, here is the config relating to a network on the inside interface accessing a device in the web dmz:

interface Vlan351
 nameif webfront
 security-level 30
 ip address 10.30.5.1 255.255.255.0

interface Vlan383
 nameif inside
 security-level 90
 ip address 10.30.81.10 255.255.255.252

object-group network OFFICE-NETWORKS
 network-object 10.18.0.0 255.255.0.0

access-list INSIDE-IN extended permit ip object-group OFFICE-NETWORKS host 10.30.5.34
access-group INSIDE-IN in interface inside

route product-inside 10.18.0.0 255.255.0.0 core12

Now, I would expect there to be a NAT 0 or a static entry, but there are neither (you'll have to trust me on this!). There is actually no NAT 0 entry, only numbers 1-10 for outgoing traffic from the web dmz to the outside interface.

Yet a connection still occurs:

TCP out 10.30.5.34:3389 in 10.18.10.4:2035 idle 0:00:02 Bytes 142 FLAGS - U

And NAT has taken place:

NAT from inside:10.18.10.4 to webfront:10.18.10.4 flags Ii

I can't figure out how it knows to NAT this...can anyone shed any light?

Many thanks,

J

4 Replies

Jon Marshall
Hall of Fame

J

It sounds like you have "no nat-control" enabled on your FWSM. With "no nat-control" enabled traffic can go from a higher to a lower security interface without a NAT rule.

Which version of FWSM code are you running?

Can you see any line in the config to do with "nat-control"?

Jon

Hi Jon,

Many thanks for your response. Apologies, I should have said that I had already searched for no nat-control in the config but it's not there...but thinking about it, does that mean that this is set as default and that's why it's not showing? It's running version 3.1(1).

J

J

nat-control is disabled by default with version 3.1 on the FWSM, so I suspect this is why you are seeing the behaviour you describe -

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/no.html#wp1585941

If nat-control was enabled on 3.1 you would see a line in your config - "nat-control"

Jon
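The behaviour Jon describes, as an added example that is not part of the thread and not Cisco's code: a small Python audit that parses an FWSM-style config and reports whether a higher-to-lower flow needs a NAT rule and whether one covers it. It assumes what the thread states, that on FWSM 3.1 nat-control is off unless the config carries a literal "nat-control" line, and that with it off the flow gets an identity translation (flag I in the posted show xlate line) with no nat/static rule required; it also assumes the ACL already permits the flow, and that a dynamic nat id needs a matching global on the exit interface. The base config is the one from the original post; the nat-control, nat and global lines in the variants are constructed to show the other cases. Policy NAT (nat ... access-list) is not modelled.

```python
"""Audit an FWSM-style config for NAT coverage of a higher-to-lower flow.

Added example, not from the original thread or from Cisco.  Assumptions
(taken from the thread): FWSM 3.1 defaults to nat-control off unless a
"nat-control" line is present; with it off, higher-to-lower traffic gets
an identity xlate and needs no nat/static rule; with it on, the source
host must match a nat 0, a static, or a nat id with a global on the exit
interface.  The ACL is assumed to permit the flow and is not evaluated.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Configuration from the original post (unmodelled lines are ignored).
POSTED_CONFIG = """\
interface Vlan351
 nameif webfront
 security-level 30
 ip address 10.30.5.1 255.255.255.0
interface Vlan383
 nameif inside
 security-level 90
 ip address 10.30.81.10 255.255.255.252
object-group network OFFICE-NETWORKS
 network-object 10.18.0.0 255.255.0.0
access-list INSIDE-IN extended permit ip object-group OFFICE-NETWORKS host 10.30.5.34
access-group INSIDE-IN in interface inside
route product-inside 10.18.0.0 255.255.0.0 core12
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)(?: netmask (\S+))?")


@dataclass
class FwsmConfig:
    nat_control: bool = False                       # FWSM 3.1 default (assumed)
    security: dict = field(default_factory=dict)    # nameif -> security-level
    nat_rules: list = field(default_factory=list)   # (ifc, nat_id, real network)
    globals_: set = field(default_factory=set)      # (ifc, nat_id)
    statics: list = field(default_factory=list)     # (real_ifc, mapped_ifc, real net)


def parse_config(text):
    cfg = FwsmConfig()
    nameif = seclvl = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "nat-control":
            cfg.nat_control = True
        elif line == "no nat-control":
            cfg.nat_control = False
        elif line.startswith("interface "):
            nameif = seclvl = None                  # start of a new interface block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level "):
            seclvl = int(line.split()[1])
        elif (m := NAT_RE.match(line)):
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
            cfg.nat_rules.append((m[1], int(m[2]), net))
        elif (m := GLOBAL_RE.match(line)):
            cfg.globals_.add((m[1], int(m[2])))
        elif (m := STATIC_RE.match(line)):
            net = ipaddress.ip_network(f"{m[4]}/{m[5] or '255.255.255.255'}", strict=False)
            cfg.statics.append((m[1], m[2], net))
        if nameif is not None and seclvl is not None:
            cfg.security[nameif] = seclvl
    return cfg


def check_flow(cfg, src_ifc, dst_ifc, src_ip):
    """Return (passes, reason) for a connection initiated by src_ip on
    src_ifc towards dst_ifc.  Only the higher-to-lower case is modelled."""
    src = ipaddress.ip_address(src_ip)
    if cfg.security[src_ifc] <= cfg.security[dst_ifc]:
        return False, "not higher-to-lower security; outside the scope of this check"
    if not cfg.nat_control:
        return True, "nat-control off: identity xlate created, no NAT rule required"
    rules = [r for r in cfg.nat_rules if r[0] == src_ifc and src in r[2]]
    if any(nat_id == 0 for _, nat_id, _ in rules):
        return True, "nat 0 (identity NAT) covers the source"
    for real_ifc, mapped_ifc, net in cfg.statics:
        if real_ifc == src_ifc and mapped_ifc == dst_ifc and src in net:
            return True, "static covers the source"
    for _, nat_id, _ in rules:
        if (dst_ifc, nat_id) in cfg.globals_:
            return True, f"nat id {nat_id} with a matching global on {dst_ifc}"
    if rules:
        return False, f"nat id matches but {dst_ifc} has no global for it"
    return False, "nat-control on and no nat/static covers the source: dropped"


# Constructed variants appended to the posted config (not from the thread).
VARIANTS = {
    "as posted": "",
    "nat-control on, no rule": "nat-control\n",
    "nat-control on, nat 0": "nat-control\nnat (inside) 0 10.18.0.0 255.255.0.0\n",
    "nat-control on, nat 5 no global": "nat-control\nnat (inside) 5 10.18.0.0 255.255.0.0\n",
    "nat-control on, nat 5 + global": "nat-control\nnat (inside) 5 10.18.0.0 255.255.0.0\n"
                                      "global (webfront) 5 interface\n",
}


def audit_variants(src_ip="10.18.10.4"):
    """Check the posted flow (inside -> webfront from 10.18.10.4) per variant."""
    return {name: check_flow(parse_config(POSTED_CONFIG + extra), "inside", "webfront", src_ip)
            for name, extra in VARIANTS.items()}


if __name__ == "__main__":
    for name, (ok, why) in audit_variants().items():
        print(f"{'PASS' if ok else 'DROP'}  {name:32} {why}")
```

Run it as-is and the first variant reproduces the thread: the posted config has no nat-control line, so the inside-to-webfront connection is built with an identity translation and no nat 0 or static is needed. The remaining variants show what happens once nat-control is turned on, which is the check to make before enabling it on a firewall you have just inherited.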

Ah OK, that must be it (although this surprises me!). Many thanks for clearing that up for me :)

J
