02-04-2009 11:39 PM - edited 03-11-2019 07:46 AM
hi,
Could you please let me know how to do source address NAT'ing on FWSM?
Source IP: 1.1.1.1
Ingress interface: DMZ1
Ingress subnet: 1.1.1.0/24
Egress interface: DMZ2
Egress subnet: 2.2.2.0/24
The Source IP 1.1.1.1 initiated from DMZ1 should be natted to 3.3.3.1 upon exiting the Egress interface DMZ2.
Thanks.
02-06-2009 05:15 AM
nat-control means all packets that flow through the Security Appliance require a NAT rule, or the packets will be denied access through the appliance.
This is not the intention. I do not want all the traffic going thru the appliance to be NAT'ed.
So as long as the NAT rule exists, natting should take place even if the nat-control is disabled.
02-06-2009 05:22 AM
Mate,
Can you please send me a link that explains this? This is the first time I have heard this.
I believe that if nat-control is disabled, no NAT is going to take place on the firewall.
However, if nat-control is enabled and yet some IP addresses need not be NATed, you may use nat exclude.
Cheers mate.
02-06-2009 05:43 AM
The link is as follows
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/intfce_f.pdf
Please see page 6-1.
02-06-2009 05:42 AM
Mate,
Let's sum things up: your requirement is that when a host in DMZ1 (1.1.1.0/24) connects to a host in DMZ2 (2.2.2.0/24), the IP address of the host from DMZ1 (1.1.1.0/24) is NATed to 3.3.3.1?
02-06-2009 05:47 AM
Minor correction..
A host in DMZ1 connects to any host routed through DMZ2 (i.e. it could be multiple hops away); the IP address of the host from DMZ1 should be NAT'ed to, e.g., 3.3.3.1.
Also, I would like the NAT to occur at the network level and not per host.
Similar example in router IOS would be
ip nat inside source static network 192.168.10.0 172.16.1.0 /24
This caters to bi-directional NAT'ing. I would like to achieve the same in FWSM.
02-06-2009 06:57 AM
What are the network IPs used for DMZ1, DMZ2? And to what do you want DMZ1 to be NATed to? (please use X.X.X.0/24 for any with public IPs)
I also need the current static NAT configs on your FWSM.
02-06-2009 07:53 AM
The DMZ1 and DMZ2 subnets are for DB server communications. As mentioned, DMZ1 should be NAT'ed to 3.3.3.0/24.
There are no public IPs involved. It's all internal NAT'ing.
Currently there are no NAT configs on FWSM. Plain and simple case.
The example I gave of Router IOS was for some other network (just used as an example).
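The following is an added example of the FWSM configuration that matches the requirement stated above (one network static, host for host); it is not configuration posted in the thread. It assumes the interface names DMZ1 and DMZ2 and the subnets given by the original poster. The FWSM static syntax is `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask`, so the real DMZ1 network is the second address and the address it is shown as on DMZ2 is the first:

```text
! Added example, not the thread's own config.
! static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
! Real DMZ1 network 1.1.1.0/24 is presented on DMZ2 as 3.3.3.0/24, host for host:
! 1.1.1.1 leaves DMZ2 as 3.3.3.1, and DMZ2-side traffic sent to 3.3.3.1 is delivered to 1.1.1.1.
static (DMZ1,DMZ2) 3.3.3.0 1.1.1.0 netmask 255.255.255.0
```

Two checks a practitioner would want. First, because the DMZ2 hosts can be several hops away, the next-hop router on DMZ2 needs a route for 3.3.3.0/24 pointing back at the FWSM's DMZ2 address, or the return traffic never reaches the translation. Second, this static only translates traffic that matches it; with nat-control disabled, any other DMZ1 source passes through untranslated, which is the behaviour the FWSM guide section linked earlier in the thread describes. After generating a connection from DMZ1, `show xlate` should list the 1.1.1.x to 3.3.3.x entries, and if DMZ2 is the lower-security interface, a DMZ2-initiated connection to 3.3.3.1 additionally needs an access-list applied on DMZ2 permitting it.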
02-06-2009 08:07 AM
Configure static NAT on the firewall, ping any host in DMZ 2 from DMZ 1, and let us see the output of the "show log" command.
02-06-2009 10:04 AM
static (DMZ2,DMZ1) tcp 1.1.1.120 ftp 2.2.2.120 ftp netmask 255.255.255.255
> show log
%FWSM-6-305011: Built static tcp translation from DMZ2:2.2.2.120/21 to DMZ1:1.1.1.120/21
%FWSM-6-302013: Built inbound TCP connection 145674682330124245 for DMZ1:1.1.1.10/36217 (1.1.1.10/36217) to DMZ2:1.1.1.120/21 (2.2.2.120/21)
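The log above is worth reading carefully: the 305011 line says the static built a translation from DMZ2:2.2.2.120 to DMZ1:1.1.1.120, i.e. the DMZ2 host is being presented on DMZ1, and in the 302013 line the DMZ1 source appears as 1.1.1.10/36217 (1.1.1.10/36217), the same address inside and outside the parentheses, so the DMZ1 source was not translated at all. The script below is an added example (not from the thread) that parses FWSM 305011/302013 syslog lines and reports, for every connection entering a given interface, whether the source was translated and whether it landed in the intended mapped network. The first two sample lines are the ones posted; the third is a constructed line showing what a source-translated connection would look like, and the `audit_source_nat` name and field layout are my own:

```python
"""Parse FWSM 305011/302013 syslog lines and check whether a source NAT was applied."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: lines 1 and 2 are the ones posted in the thread; line 3 is an
# assumed example of the same DMZ1 host with its source translated into 3.3.3.0/24.
SAMPLE_LOG = """\
%FWSM-6-305011: Built static tcp translation from DMZ2:2.2.2.120/21 to DMZ1:1.1.1.120/21
%FWSM-6-302013: Built inbound TCP connection 145674682330124245 for DMZ1:1.1.1.10/36217 (1.1.1.10/36217) to DMZ2:1.1.1.120/21 (2.2.2.120/21)
%FWSM-6-302013: Built outbound TCP connection 145674682330124246 for DMZ1:1.1.1.10/36218 (3.3.3.10/36218) to DMZ2:2.2.2.120/21 (2.2.2.120/21)
"""


def _addr(prefix: str) -> str:
    """Regex for ip[/port]; the port is optional because non-port statics log without one."""
    return rf"(?P<{prefix}_ip>\d+\.\d+\.\d+\.\d+)(?:/(?P<{prefix}_port>\d+))?"


# 305011: Built <kind> <proto> translation from <real_if>:<real> to <mapped_if>:<mapped>
XLATE_RE = re.compile(
    r"%FWSM-6-305011: Built (?P<kind>\w+) (?P<proto>\w+) translation from "
    + r"(?P<real_if>\w+):" + _addr("real") + r" to "
    + r"(?P<map_if>\w+):" + _addr("map") + r"$"
)

# 302013: ... for <if>:<addr> (<addr as seen on the other side>) to <if>:<addr> (<addr>)
CONN_RE = re.compile(
    r"%FWSM-6-302013: Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) for "
    + r"(?P<src_if>\w+):" + _addr("src") + r" \(" + _addr("src_paren") + r"\) to "
    + r"(?P<dst_if>\w+):" + _addr("dst") + r" \(" + _addr("dst_paren") + r"\)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a 305011 or 302013 message, or None for any other line."""
    line = line.strip()
    m = XLATE_RE.match(line)
    if m:
        return {"type": "xlate", **m.groupdict()}
    m = CONN_RE.match(line)
    if m:
        return {"type": "conn", **m.groupdict()}
    return None


def describe_xlate(rec: Dict[str, str]) -> str:
    """Plain-English reading of a 305011 record: which real host is shown where."""
    return (f"{rec['real_ip']} on {rec['real_if']} is presented as "
            f"{rec['map_ip']} on {rec['map_if']}")


def audit_source_nat(log_text: str, ingress_if: str, expected_net: str) -> List[Dict[str, object]]:
    """For each connection built from ingress_if, report whether the source address was
    translated (address outside the parentheses differs from the one inside) and whether
    the translated address falls inside expected_net."""
    net = ipaddress.ip_network(expected_net)
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["type"] != "conn" or rec["src_if"] != ingress_if:
            continue
        translated = rec["src_ip"] != rec["src_paren_ip"]
        seen_as = ipaddress.ip_address(rec["src_paren_ip"])
        findings.append({
            "conn_id": rec["conn_id"],
            "source": rec["src_ip"],
            "seen_as": str(seen_as),
            "source_translated": translated,
            "in_expected_net": translated and seen_as in net,
        })
    return findings


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        rec = parse_line(raw)
        if rec and rec["type"] == "xlate":
            print("xlate:", describe_xlate(rec))
    for f in audit_source_nat(SAMPLE_LOG, "DMZ1", "3.3.3.0/24"):
        status = "OK" if f["in_expected_net"] else "NOT translated into 3.3.3.0/24"
        print(f"conn {f['conn_id']}: {f['source']} seen as {f['seen_as']} -> {status}")
```

Run against the posted lines, the first connection is flagged because 1.1.1.10 is seen as 1.1.1.10 on DMZ2; only the constructed third line, where the source is seen as 3.3.3.10, satisfies the requirement of the thread. The same check can be pointed at a `show log` capture from the real unit once a network static for 1.1.1.0/24 is in place.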