04-05-2013 01:19 PM - edited 03-11-2019 06:24 PM
Is it possible to NAT an address within a subnet that does not have a corresponding interface (or loopback) on the device that is performing that NAT?
Example:
I want to NAT an address of a machine within a firewalled vlan on my FWSM like so:
Upstream router----------FWSM Vlan100--------FWSM Vlan200
172.29.89.35------------->172.29.89.36---------->172.29.87.133
I want to present 172.29.87.133 as 172.25.100.100 to traffic coming in from the upstream router.
This network 172.25.100.x does not exist anywhere on the FWSM, but the router routes to it through 172.29.89.36
Can I do this?
04-05-2013 01:41 PM
Hi,
Not sure if I understood you correctly
Do you mean that the following is true
If this is correct then I don't see any problem.
You should be able to configure the NAT just fine. Since the upstream router has a route for that NAT address pointing towards the FWSM, all should be fine.
- Jouni
04-05-2013 01:42 PM
Hello Colin,
Yes, you can do that. Of course that will depend on Proxy-ARP.
Even if you do not have a route you could do it with proxy-ARP; without Proxy ARP you must enter a route on the upstream router.
As long as it's supported you can play with that.
Remember to rate all of the helpful posts
Julio Carvajal
04-05-2013 01:53 PM
OK, thanks for the quick replies!
Here is what is happening:
If I take the NAT out, I can ping the host from an upstream router
If I put it back in and try to ping the host at its natted address, I don't get any reply, although I see an entry in the ACL and if I do a show xlate interface
The NAT statement is set up like this (see info above)
static (VLAN200,VLAN100) 172.25.100.100 172.29.87.133 netmask 255.255.255.255
Not sure why it isn't working
04-05-2013 02:03 PM
Hi,
If you have the route, NAT and ACL rules configured, I can't think of many reasons for this not to work.
Are there a lot of other NAT configurations on the FWSM, and could you share them?
- Jouni
04-05-2013 02:12 PM
The first question would be:
Do you have a route to the unused IP address on the upstream router?
Remember, the route is not required BUT you have to be sure that the router learns the MAC address of this host via the interface connecting to the FWSM (via Proxy-ARP).
You could even do a static map, but the easiest way to go is to create the route as Jouni suggested.
04-05-2013 06:05 PM
OK, figured it out
It does indeed work: I had to clear the ARP entry AND the xlate entry on the interface for the host.
The FWSM had a bad entry--once those were cleared, the host responded to the natted address
thanks guys
04-05-2013 06:07 PM
Hello Colin,
Glad to hear that everything is working for you
Regards,
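The pieces the thread ends up with, collected into one configuration as an added example (this is not a configuration posted by anyone in the thread). The FWSM static is the one Colin posted; the upstream router is assumed to be IOS and its route is the one Colin describes; the access-list name VLAN100_IN and the ICMP-only permit are constructed here, and the verification and clear commands at the end correspond to the ARP and xlate clean-up that made the mapped address respond.

```cisco
! Upstream router (assumed IOS): route the NAT subnet toward the FWSM's VLAN100 address.
! With this route the router ARPs for 172.29.89.36, not for 172.25.100.100, so the
! translation works whether or not the FWSM proxy-ARPs for the mapped address.
ip route 172.25.100.0 255.255.255.0 172.29.89.36

! FWSM: the one-to-one static from the thread, presenting the VLAN200 host on VLAN100.
static (VLAN200,VLAN100) 172.25.100.100 172.29.87.133 netmask 255.255.255.255

! The inbound ACL on VLAN100 references the mapped address, not the real one.
! Permit only what the upstream side actually needs (here: ping, for the test in the thread).
access-list VLAN100_IN extended permit icmp any host 172.25.100.100 echo
access-list VLAN100_IN extended deny ip any any log
access-group VLAN100_IN in interface VLAN100

! Verification. Hit counts on the ACL plus an xlate entry but no reply, as in the thread,
! points at a stale ARP entry or a stale translation rather than at the NAT statement itself.
show xlate
show arp
show access-list VLAN100_IN

! Clean-up that resolved the thread: drop the stale translation for the mapped address
! and the stale ARP entry, then retest from the upstream router.
clear xlate global 172.25.100.100
clear arp
```

The order matters when troubleshooting: confirm the router's route first, then the static, then the ACL counters, and only then clear state. Clearing the xlate for a single global address (rather than `clear xlate` with no arguments) limits the disruption to the one host being debugged.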