NAT configuration issue

Colin Higgins
Explorer

Is it possible to NAT an address within a subnet that does not have a corresponding interface (or loopback) on the device that is performing that NAT?

Example:

I want to NAT an address of a machine within a firewalled vlan on my FWSM like so:

Upstream router----------FWSM Vlan100--------FWSM Vlan200

172.29.89.35------------->172.29.89.36---------->172.29.87.133

I want to present 172.29.87.133 as 172.25.100.100 to traffic coming in from the upstream router.

This network 172.25.100.x does not exist anywhere on the FWSM, but the router routes to it through 172.29.89.36

Can I do this?           

7 Replies

Jouni Forss
Mentor

Hi,

Not sure if I understood you correctly

Do you mean that the following is true

  • There's a network 172.29.89.x/yy between the Upstream Router and the FWSM Vlan100 interface connected to it
  • You have a network 172.29.87.x/yy on the FWSM connected to Vlan200
  • You have a route telling that a network 172.25.100.x/yy is found through the FWSM Vlan100 (172.29.89.36)
  • You want to NAT the host 172.29.87.133 located on Vlan200 to the IP address 172.25.100.100 when it's crossing the FWSM towards the Upstream Router

If this is correct then I don't see any problem.

You should be able to configure the NAT just fine. Since the Upstream router has a route for that NAT address pointing towards the FWSM, all should be fine.

- Jouni

Julio Carvajal
Advisor

Hello Colin,

Yes, you can do that. Of course, that will depend on Proxy-ARP.

Even if you do not have a route you could do it with Proxy-ARP; without Proxy-ARP you must enter a route on the upstream router.

As long as it's supported you can play with that

Remember to rate all of the helpful posts

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

OK, thanks for the quick replies!

Here is what is happening:

If I take the NAT out, I can ping the host from an upstream router

If I put it back in and try to ping the host at its natted address, I don't get any reply, although I see an entry in the ACL and if I do a show xlate interface I see the mapping.

The NAT statement is set up like this (see info above)

static (VLAN200,VLAN100) 172.25.100.100 172.29.87.133 netmask 255.255.255.255

Not sure why it isn't working

Hi,

If you have the route, NAT and ACL rules configured I can't think of many reasons for this to not work.

Are there a lot of other NAT configurations on the FWSM, and could you share them?

- Jouni

The first question would be.

Do you have a route to the unused IP address on the upstream router?

Remember, the route is not required, BUT you have to be sure that the router learns the MAC address of this host via the interface connecting to the FWSM (via Proxy-ARP).

You could even do a static map but the easiest way to go is to create the route as Jouni suggested

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Colin Higgins
Explorer

OK, figured it out

It does indeed work: I had to clear the ARP entry AND the xlate entry on the interface for the host.

The FWSM had a bad entry--once those were cleared, the host responded to the natted address

thanks guys
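The configuration the thread converges on, written out end to end as an added example (this is not Colin's or Julio's posted config; only the static statement and the addresses come from the thread). The access-list name VLAN100_in, the /24 mask on the route, and the use of ICMP as the test traffic are assumptions for illustration. On FWSM (and pre-8.3 ASA) the ACL on the lower-security interface must reference the mapped address, not the real one, and the upstream router needs either a route pointing at the FWSM or an ARP entry learned from the FWSM's proxy-ARP reply.

```cisco
! ---- FWSM ----
! Static NAT: present 172.29.87.133 (VLAN200, inside) as 172.25.100.100 on VLAN100.
! The mapped network 172.25.100.0/24 is not configured on any FWSM interface.
static (VLAN200,VLAN100) 172.25.100.100 172.29.87.133 netmask 255.255.255.255

! Inbound ACL on VLAN100 references the MAPPED address (assumed ACL name).
access-list VLAN100_in extended permit icmp any host 172.25.100.100 echo
access-group VLAN100_in in interface VLAN100

! Proxy-ARP for static xlates is on by default. If it was disabled with the
! line below, the upstream router MUST have a route (see router section).
! no sysopt noproxyarp VLAN100

! ---- Upstream router (IOS) ----
! Route the mapped network to the FWSM VLAN100 address. Not strictly
! required when proxy-ARP is on, but it is the deterministic option.
ip route 172.25.100.0 255.255.255.0 172.29.89.36

! ---- Verification / the stale-entry fix from the resolution ----
! FWSM: confirm the translation exists and check for a stale ARP entry.
show xlate global 172.25.100.100
show arp | include 172.25.100.100

! FWSM: clear BOTH the xlate and the ARP entry for the host, as Colin did.
clear xlate global 172.25.100.100
clear arp VLAN100

! Upstream router: make sure it resolved the mapped address toward the FWSM
! (the MAC should be the FWSM VLAN100 interface MAC), then retest.
show ip route 172.25.100.100
show ip arp 172.25.100.100
clear arp-cache
ping 172.25.100.100
```

If the router's ARP entry for 172.25.100.100 shows a MAC other than the FWSM VLAN100 interface, or the FWSM ARP table holds an entry for the real host on the wrong interface, traffic will match the xlate and the ACL (as in the thread) yet never return; clearing both tables forces a clean re-learn.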

Hello Colin,

Glad to hear that everything is working for you

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC