07-26-2011 08:34 AM - edited 03-11-2019 02:03 PM
Hi All, I am trying to implement the following scenario:
Internet------Point To Point IP-----MSFC-----(VLAN10, 10.1.1.1/24)------FWSM--(VLAN210)-------SWITCH----Host (10.1.1.50/24)
Inside VLAN 210
Outside VLAN 10
The gateway of the Host is 10.1.1.1
The FWSM context will be in transparent mode and I will do NAT for the Host 10.1.1.50 with a public IP address, let's say 212.1.1.1. The packet will get translated in the FWSM and will be sent to the MSFC. The MSFC will send the traffic to the internet.
My problem is in the return traffic: how can I tell the MSFC that if it wants to reach the NATed IP "212.1.1.1" then it should go to the FWSM context? Will a static route on the MSFC pointing to the BVI of the FWSM context help here?
I have seen an example in the 4.1 configuration guide document (Figure 16-2 NAT Example: Transparent Mode) at the link below, but they had a downstream router beneath the FWSM and a route was configured on the MSFC pointing to that router, however, in my case, I do not have a downstream router. I only have a layer 2 setup behind the FWSM.
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/cfgnat_f.html
Thanks for your help in advance
Ismail
07-26-2011 09:05 AM
You need to point to next-hop beyond the FWSM.
I have never done this but try simply pointing it at the host IP itself, i.e.
ip route 212.1.1.1 255.255.255.255 10.1.1.50
The point is to simply get the packet to the FWSM, so in theory this should work.
Jon
07-26-2011 09:18 AM
Hi Jon,
Thanks indeed for your feedback. I have an implementation with almost 200 servers and with a minimum of 9 FWSM contexts. I do not think pointing a route back to each host/server will be practical, right?
I am wondering why my scenario is not documented in their configuration guide; however, I would like to see if there is a solid solution for my implementation.
Thanks again,
Ismail
07-26-2011 09:21 AM
You don't need to have a route per server. All you are doing is trying to get the MSFC to send the packet to the FWSM. So you just choose a device on the other side of the FWSM, i.e. where the servers are. Just pick one and try it.
The reason I think it should work is because the FWSM has no idea whether there is a router behind it or not and it doesn't care, so whether you use a host address or a valid router address should make no difference.
*** Edit: I'm assuming the public IPs you are using can be summarised with a subnet, e.g.
ip route 212.1.1.0 255.255.255.128 10.1.1.50
should work for all servers you are natting for.
Jon
07-26-2011 10:11 AM
Hi Jon,
I will try it and will let you know soon if it worked.
Thanks again for the help.
Ismail
07-26-2011 10:15 AM
Ismail
No problem. Would be very interested to know if it does work.
Jon
07-26-2011 01:54 PM
Thanks Jon, yes it worked!
Actually I have also configured a route back to the BVI and it worked as well. It looks like you need to push the traffic via any means, as you said!
Thanks Again
Ismail
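The forwarding decision the thread settles on, modelled as an added example (this is not code from the thread or from Cisco): a longest-prefix-match lookup over a small IOS-style MSFC config, followed by the FWSM's untranslation of the public address. The Vlan10 address 10.1.1.1/24, the host 10.1.1.50, the public block 212.1.1.0/25 and the two `ip route` statements come from the posts above; the uplink interface `Serial1/0` with 198.51.100.0/30, the BVI address 10.1.1.5 and the FWSM `static (inside,outside)` line are constructed assumptions. It shows why, without the static route, the reply for 212.1.1.1 follows the default route straight back out of the uplink and never enters the firewall, and why the next hop only has to be some address that lives on the Vlan10 side of the transparent context.

```python
"""Model of MSFC return-path forwarding into a transparent FWSM context (constructed example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address

# Constructed MSFC configuration. Vlan10 / 10.1.1.1/24 is from the thread;
# the point-to-point uplink name and 198.51.100.0/30 addressing are assumed.
MSFC_BASE = """\
interface Serial1/0
 description point-to-point to Internet (assumed addressing)
 ip address 198.51.100.2 255.255.255.252
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 198.51.100.1
"""

# Jon's summary route: next hop is any address that lives behind the FWSM.
ROUTE_VIA_HOST = "ip route 212.1.1.0 255.255.255.128 10.1.1.50\n"
# Ismail's variant pointing at the context's BVI; 10.1.1.5 is an assumed value.
ROUTE_VIA_BVI = "ip route 212.1.1.0 255.255.255.128 10.1.1.5\n"

# Constructed FWSM static translation in pre-8.3 syntax: global 212.1.1.1 -> real 10.1.1.50.
FWSM_NAT = "static (inside,outside) 212.1.1.1 10.1.1.50 netmask 255.255.255.255\n"


def parse_msfc(text: str) -> Tuple[Dict[str, ipaddress.IPv4Interface], List[Tuple[IPv4Net, IPv4Addr]]]:
    """Return ({interface name: address/mask}, [(static prefix, next hop)])."""
    interfaces: Dict[str, ipaddress.IPv4Interface] = {}
    statics: List[Tuple[IPv4Net, IPv4Addr]] = []
    current: Optional[str] = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "interface":
            current = parts[1]
        elif parts[:2] == ["ip", "address"] and current:
            interfaces[current] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
        elif parts[:2] == ["ip", "route"]:
            statics.append((IPv4Net(f"{parts[2]}/{parts[3]}", strict=False), IPv4Addr(parts[4])))
    return interfaces, statics


def egress(interfaces: Dict[str, ipaddress.IPv4Interface],
           statics: List[Tuple[IPv4Net, IPv4Addr]],
           dst: IPv4Addr) -> Tuple[Optional[str], Optional[IPv4Addr]]:
    """Longest-prefix match; returns (egress interface, address the MSFC ARPs for).

    A static route's next hop is resolved against the connected subnets. A next
    hop that is on no connected subnet is unusable and yields (None, None)."""
    connected = [(intf.network, name) for name, intf in interfaces.items()]
    best: Optional[Tuple[IPv4Net, Optional[str], IPv4Addr]] = None
    for net, name in connected:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name, dst)            # directly connected: ARP for the destination itself
    for net, nh in statics:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, None, nh)             # static: ARP for the next hop
    if best is None:
        return None, None
    _, name, arp_target = best
    if name is not None:
        return name, arp_target
    for cnet, cname in connected:              # which interface owns the next hop?
        if arp_target in cnet:
            return cname, arp_target
    return None, None


def parse_fwsm_statics(text: str) -> Dict[IPv4Addr, IPv4Addr]:
    """Map global (public) -> real (inside) address from 'static (inside,outside) G R ...' lines."""
    return {IPv4Addr(p[2]): IPv4Addr(p[3]) for p in (l.split() for l in text.splitlines()) if p[:1] == ["static"]}


def return_path(msfc_cfg: str, fwsm_cfg: str, public_dst: str) -> Dict[str, object]:
    """Trace an Internet -> public_dst reply through the MSFC and, if it gets there, the FWSM.

    The FWSM in transparent mode ignores who the next hop was; it only needs the
    frame to arrive on its outside VLAN (Vlan10) and a matching translation."""
    interfaces, statics = parse_msfc(msfc_cfg)
    dst = IPv4Addr(public_dst)
    iface, arp_target = egress(interfaces, statics, dst)
    reaches_fwsm = iface == "Vlan10"
    real = parse_fwsm_statics(fwsm_cfg).get(dst) if reaches_fwsm else None
    return {"egress": iface,
            "arp_for": str(arp_target) if arp_target else None,
            "reaches_fwsm": reaches_fwsm,
            "delivered_to": str(real) if real else None}


if __name__ == "__main__":
    for label, cfg in [("no route", MSFC_BASE),
                       ("route via host", MSFC_BASE + ROUTE_VIA_HOST),
                       ("route via BVI", MSFC_BASE + ROUTE_VIA_BVI)]:
        print(f"{label:15s} {return_path(cfg, FWSM_NAT, '212.1.1.1')}")
```

Two things the model makes visible that the posts only imply. First, the summary route gets every address in 212.1.1.0/25 as far as the FWSM, but only addresses that have a `static` translation in the context are delivered; a public address without one reaches the firewall and goes no further. Second, the MSFC has to resolve the next hop by ARP through the bridged context, so with the route pointing at 10.1.1.50 the reachability of the entire public block depends on that one server answering ARP; the BVI address Ismail also tested belongs to the firewall itself and avoids tying the block to a single host.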
07-26-2011 02:12 PM
Ismail
Thanks for letting me know and also for the rating. Glad it worked.
Jon
