01-21-2014 11:29 PM - edited 03-11-2019 08:34 PM
Hello,
I have an issue configuring PAT on my FWSM.
I need to map many private IPs to one public IP.
Here is the config:
nat (CLT-INSIDE) 3 172.20.120.0 255.255.255.0 outside
global (OUTSIDE) 3 AAA.BBB.CCC.DDD
I tried with and without the outside keyword, and using a netmask of 255.255.255.255 for my public address.
access-list CLT-INSIDE_access_in line 1 extended permit icmp any any
access-list CLT-INSIDE_access_in line 2 extended permit ip 172.20.120.0 255.255.255.0 any
(permit ip any any for test purposes only)
I cannot ping any public IP from my inside machine.
I followed my common sense and this guide:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/nat.html#wp1158667
Any troubleshooting tips?
Thanks a lot
Florian
01-21-2014 11:37 PM
Hi,
The parameter "outside" after the "nat" command should, to my understanding, only be needed when the destination interface (the one holding the "global" command) is of lower "security-level" than the source interface (the one holding the "nat" command).
Are we talking about a new setup which you are trying to get working, or an existing setup for which you are configuring a new Dynamic PAT that doesn't seem to work or get applied?
Naturally the annoying thing with this is the FWSM, mainly because "packet-tracer" cannot be used with it.
Have you enabled ICMP Inspection for the FWSM so that the reply/return messages/replies for ICMP can pass the firewall? I think since you are doing PAT that you will need ICMP inspection for this.
You should be able to view the current Inspection configurations with the following command
show run policy-map
If you have the default policy configurations attached globally you could add the following lines
inspect icmp
inspect icmp error
I am not sure if we should look for any problems with the NAT configurations (some other configuration than the above that would cause problems).
- Jouni
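For reference, here is a complete dynamic PAT setup for the CLT-INSIDE -> OUTSIDE direction as I would write it, combining the nat/global pair, the interface ACL and the ICMP inspection discussed above. This is an added example, not the configuration from either post: it reuses the interface names and the AAA.BBB.CCC.DDD placeholder from the thread, and it assumes an FWSM release that uses the Modular Policy Framework (class-map/policy-map) syntax. Note that the `outside` keyword on `nat` is for outside NAT, i.e. translating sources that sit on the lower-security interface; for inside-to-outside PAT it is omitted.

```cisco
! Added example (not from the thread). Assumes FWSM with MPF syntax and the
! interface names CLT-INSIDE (higher security) and OUTSIDE (lower security).
!
! Dynamic PAT: every host in 172.20.120.0/24 leaving CLT-INSIDE is translated
! to the single public address when it exits OUTSIDE. The nat and global IDs
! (here 3) must match. No "outside" keyword: that is only for outside NAT,
! where the translated sources live on the lower-security interface.
nat (CLT-INSIDE) 3 172.20.120.0 255.255.255.0
global (OUTSIDE) 3 AAA.BBB.CCC.DDD

! Interface ACL. The FWSM passes no traffic through an interface, whatever its
! security level, unless an ACL is applied to it, so the list must also be
! bound with access-group.
access-list CLT-INSIDE_access_in extended permit icmp 172.20.120.0 255.255.255.0 any
access-list CLT-INSIDE_access_in extended permit ip 172.20.120.0 255.255.255.0 any
access-group CLT-INSIDE_access_in in interface CLT-INSIDE

! ICMP inspection: echo replies are then matched statefully to the outbound
! echo that went through the PAT, so no permit for them is needed on OUTSIDE.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! Checks after applying the config (run from the FWSM context):
! show nat               - confirms the nat/global pairing for ID 3
! show xlate             - expect one PAT entry per active inside host
! show run policy-map    - confirms inspect icmp is attached to global_policy
! clear xlate            - required after changing nat/global so that stale
!                          translations do not keep using the old rule
```

If pings succeed once `show xlate` shows a PAT entry for the inside host, the translation is fine and any remaining failure is outside the firewall (routing or addressing on the OUTSIDE side); if no xlate ever appears, the packet is not reaching the NAT rule, which usually means the interface ACL, the route or the inside addressing, not the nat/global pair.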
02-02-2014 03:16 PM
Hi jouni,
I managed to make it work without the ICMP inspection; there was an IP addressing issue on this network *sighs*
Configuration was OK, and thank you once again for your feedback.
Florian