Implementing Transparent FWSM with NAT (Code 4.1)

conceptzone
Level 1

Hi All, I am trying to implement the following scenario:

Internet------Point To Point IP-----MSFC-----(VLAN10, 10.1.1.1/24)------FWSM--(VLAN210)-------SWITCH----Host (10.1.1.50/24)

Inside VLAN 210

Outside VLAN 10

The gateway of the Host is 10.1.1.1

The FWSM context will be in transparent mode and I will do NAT for the Host 10.1.1.50 with a Public IP address, let's say (212.1.1.1). The packet will get translated in the FWSM and will be sent to the MSFC. The MSFC will send the traffic to the internet.

My problem is in the return traffic: how can I tell the MSFC that if it wants to reach the natted IP "212.1.1.1" then it should go to the FWSM context? Will a static route on the MSFC pointing to the BVI of the FWSM context help here?

I have seen an example in the 4.1 configuration guide document (Figure 16-2 NAT Example: Transparent Mode) at the link below, but they had a downstream router beneath the FWSM and a route was configured on the MSFC pointing to that router. However, in my case, I do not have a downstream router. I only have a layer 2 setup behind the FWSM.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/cfgnat_f.html

Thanks for your help in advance

Ismail

7 Replies

Jon Marshall
Hall of Fame

You need to point to next-hop beyond the FWSM.

I have never done this but try simply pointing it at the host IP itself ie.

ip route 212.1.1.1 255.255.255.255 10.1.1.50

the point is to simply get the packet to the FWSM so in theory this should work.

Jon

Hi Jon,

Thanks indeed for your feedback. I have an implementation with almost 200 servers and with a minimum of 9 FWSM contexts. I do not think pointing a route back to each host/server will be practical... right?

I am wondering why my scenario is not documented in their configuration guide; however, I would like to see if there is a solid solution to my implementation.

Thanks again,

Ismail

You don't need to have a route per server. All you are doing is trying to get the MSFC to send the packet to the FWSM. So you just choose a device on the other side of the FWSM ie. where the servers are. Just pick one and try it.

The reason I think it should work is because the FWSM has no idea whether there is a router behind it or not and it doesn't care, so whether you use a host address or a valid router address should make no difference.

*** Edit - I'm assuming the public IPs you are using can be summarised with a subnet eg.

ip route 212.1.1.0 255.255.255.128 10.1.1.50 

should work for all servers you are natting for.

Jon
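To put Jon's suggestion in context, here is an added configuration sketch that is not part of the thread and was not posted by either participant. It shows both sides of the design: the MSFC has VLAN 10 as a connected subnet (10.1.1.1/24 from the original question) but knows nothing about the 212.1.1.0/25 public block, so it needs a static route whose next hop is any address that lives on the far side of the transparent context; the FWSM context bridges VLAN 10 and VLAN 210 and holds the static NAT. The BVI address 10.1.1.2, the mask 255.255.255.128 for the public block, the context name and the access-list (permitting only HTTPS to the translated address) are assumptions chosen for illustration; the `static (inside,outside)` form is the pre-8.3 ASA/FWSM NAT syntax that the 4.1 guide referenced above uses.

```cisco
! ===== MSFC (IOS) - assumed config, not from the thread =====
! VLAN 10 is the outside VLAN of the FWSM context (from the original post).
interface Vlan10
 description Outside of transparent FWSM context
 ip address 10.1.1.1 255.255.255.0
!
! The public block is not a connected subnet on the MSFC, so return traffic
! for the translated addresses needs an explicit route. Any next hop that is
! reachable only through the FWSM works (a host, or the BVI address); the
! transparent context forwards the frame at layer 2 and untranslates it.
! Summary mask 255.255.255.128 is an assumption for a 212.1.1.0/25 block.
ip route 212.1.1.0 255.255.255.128 10.1.1.50
! Alternative next hop, using the context's BVI (10.1.1.2 is assumed):
! ip route 212.1.1.0 255.255.255.128 10.1.1.2

! ===== FWSM 4.1 transparent context - assumed config, not from the thread =====
firewall transparent
hostname ctx-servers
!
interface Vlan10
 nameif outside
 bridge-group 1
 security-level 0
!
interface Vlan210
 nameif inside
 bridge-group 1
 security-level 100
!
! Management address of the bridge group; must sit in the bridged subnet.
interface BVI1
 ip address 10.1.1.2 255.255.255.0
!
! One-to-one static NAT for the host from the original post.
static (inside,outside) 212.1.1.1 10.1.1.50 netmask 255.255.255.255
!
! Inbound policy is written against the translated (public) address on
! pre-8.3 code. Only HTTPS is opened here; everything else is dropped.
access-list OUTSIDE_IN extended permit tcp any host 212.1.1.1 eq 443
access-group OUTSIDE_IN in interface outside
```

Two points worth checking after applying something like this: `show xlate` on the context should list the 10.1.1.50 to 212.1.1.1 translation, and `show ip route 212.1.1.1` on the MSFC should resolve to the static route rather than the default, since otherwise return traffic leaves toward the Internet instead of toward the FWSM.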

Hi Jon,

I will try it and will let you know soon if it worked.

Thanks again for the help.

Ismail

Ismail

No problem. Would be very interested to know if it does work.

Jon

Thanks Jon, yes it worked!!!

Actually I have also configured a route back to the BVI and it worked as well. It looks like you need to push the traffic via any means, as you said!

Thanks Again

Ismail

Ismail

Thanks for letting me know and also for the rating. Glad it worked.

Jon
