Identity Nat on FWSM

ronald.spicka
Level 1

Hello,

I am using an FWSM with the 3.2.5 release and I found some strange static NAT behavior.

My nat configuration looks like this:

static (inside,outside) 172.23.253.6 172.23.0.100 netmask 255.255.255.255

route inside 172.23.0.0 255.255.0.0 x.y.z.v

Everything works fine for some time, but then the FWSM creates an identity xlate which looks like this:

NAT from inside:172.23.0.100 to outside:172.23.251.6 flags si

NAT from inside:172.23.251.6 to outside:172.23.251.6 flags Ii

Then connections don't work any more, because 172.23.251.6 is no longer translated to 172.23.0.100.

If I remove the route, this identity xlate entry is not created.

So for me it's some kind of bug, because the PIX has no reason to create a second xlate entry if I am using statics.

From pix 6.3 (http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694 , look to nat order)

So the question is:

Is this behavior right? Or has Cisco changed the NAT order of their firewalls? Why should a route be preferred to a static NAT entry?

Thanks a lot & Br

Ronald
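The symptom above is easiest to spot by comparing the configured statics against the live xlate table: any xlate whose mapped (outside) address belongs to a static but whose real address is not the static's real address is a collision, and the identity flag (I) on such an entry is exactly what the post describes. The following checker is an added example, not something from the thread or from Cisco; the config and xlate lines it parses are constructed for the example in the syntax quoted above, with the static's mapped address used consistently.

```python
import re

# Constructed sample config and "NAT from ..." xlate lines, modelled on the
# formats quoted in the post (not captured from a live FWSM).
STATIC_CONFIG = """
static (inside,outside) 172.23.253.6 172.23.0.100 netmask 255.255.255.255
"""
XLATE_OUTPUT = """
NAT from inside:172.23.0.100 to outside:172.23.253.6 flags si
NAT from inside:172.23.253.6 to outside:172.23.253.6 flags Ii
NAT from inside:172.23.0.50 to outside:172.23.253.50 flags s
"""

IP = r"\d+\.\d+\.\d+\.\d+"
STATIC_RE = re.compile(
    rf"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    rf"(?P<mapped>{IP}) (?P<real>{IP})")
XLATE_RE = re.compile(
    rf"^NAT from (?P<real_if>[\w-]+):(?P<real>{IP}) "
    rf"to (?P<mapped_if>[\w-]+):(?P<mapped>{IP}) flags (?P<flags>\S+)")

def parse_statics(text):
    """Map (mapped interface, mapped address) -> real address for each static."""
    statics = {}
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics[(m["mapped_if"], m["mapped"])] = m["real"]
    return statics

def find_conflicts(static_text, xlate_text):
    """Return xlates that occupy a static's mapped address with the wrong real
    address. 'identity' marks the uppercase I (identity) xlate flag."""
    statics = parse_statics(static_text)
    conflicts = []
    for line in xlate_text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        expected_real = statics.get((m["mapped_if"], m["mapped"]))
        if expected_real is not None and expected_real != m["real"]:
            conflicts.append({"real": m["real"], "mapped": m["mapped"],
                              "expected_real": expected_real,
                              "flags": m["flags"], "identity": "I" in m["flags"]})
    return conflicts

if __name__ == "__main__":
    for c in find_conflicts(STATIC_CONFIG, XLATE_OUTPUT):
        print(f"{c['mapped']} is the static for {c['expected_real']} but an "
              f"{'identity ' if c['identity'] else ''}xlate holds it for {c['real']}")
```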

2 Replies

htarra
Level 4

With FWSM version 3.x or higher, the blade, by default, will route traffic so you do NOT have to do anything. You still need an ACL to go from low to high but NOT from high to low. If you still use FWSM version 2.x, you still NEED to perform no NAT to go from high to low. The static statement works by creating pre-existing translations, so that when traffic enters, it matches an existing translation. If you translate the entire class B network, traffic destined for the farm would match translations for both the farm and the admin networks. This would produce unexpected and unpredictable behavior.

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/pxpage.html

http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/configuration/guide/nat.html

"With FWSM version 3.x or higher, the blade, by default, will route traffics so you do NOT have to do anything"

Yes that is true BUT.....

If you have, let's say, VLAN100 (security 100), VLAN2 (security level 0) and VLAN3 (security level 10) and you have the following:

nat (vlan100) 1 0 0

global (vlan2) 1 interface

Once you do that, you have to do the following if you want to go from vlan100 to vlan3 without any translation:

static (vlan100,vlan3) x.x.x.x x.x.x.x net/24

In other words, you're back to version 2.x over again.

my 2c.

CCIE Security
