NAT Overload using CSM and FWSM

anthonykahwati
Level 1

Hello

I am using Cisco Security Manager v3.3.0 and FWSM 3.1(7)

Does anyone know the best way to nat all addresses behind the outside interface IP only, for example:

Source          10.10.10.0/24
Destination     10.20.20.1
Outside Int     10.20.20.250

I would like multiple connections from the source network to all arrive at the destination with a source address of 10.20.20.250

I've taken a look at the CSM config and believe that I should create a pool with just one IP address (that of the outside interface) and then use this pool in either a dynamic or policy dynamic nat rule.

Does this sound like the right way to do it? Does anyone know of any gotchas that I should be aware of, please?

Thanks all in advance.

Anthony

3 Replies

Jennifer Halim
Cisco Employee

Assuming that your source subnet is in a higher security level than your destination subnet, then you can create dynamic NAT as follows:

+ also assuming that the source subnet interface name is inside and the destination interface name is outside:

access-list nat-inside permit ip 10.10.10.0 255.255.255.0 host 10.20.20.1
nat (inside) 1 access-list nat-inside
global (outside) 1 interface

If you would like to NAT 10.10.10.0/24 subnet to any destination, then you can configure the following:

nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface

Then "clear xlate" after the changes.

Hope that helps.

Hi Jennifer

Thanks for the response, it clarifies things in that it can be done. I don't suppose you know which of the options to use in the CSM GUI, do you?

There is the choice of dynamic or policy dynamic. I noticed in the configuration of NAT pools there is the option to

Anthony

If the NAT statement is with access-list, then it would be policy dynamic.

If the NAT statement is just subnet, then it would be dynamic.

For the Global pool, it should be just the interface keyword, you don't have to configure any specific ip address if you would like to PAT it to the interface ip address.
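To make the two variants in this thread concrete (the access-list form that Jennifer describes as "policy dynamic" and the plain subnet form that is "dynamic", both PATed to the outside interface address), here is a small Python model of what the FWSM does with the flows. It is an added illustration for this thread, not Cisco code and not the output of any device: the addresses are the ones Anthony posted, while the xlate table, the sequential port allocation and the `clear_xlate` behaviour are simplifying assumptions made for the example, not the FWSM's actual algorithm.

```python
"""Toy model of FWSM dynamic NAT / PAT to the interface address.

Added example for this thread; not Cisco code and not device output.
It models only what the replies above discuss:
  * which inside flows a `nat (inside) 1 ...` statement matches, depending on
    whether it uses an access-list (policy dynamic) or just a subnet (dynamic);
  * how `global (outside) 1 interface` overloads one global IP by giving every
    translated flow a unique source port.
Port allocation and the xlate table are assumptions made for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRule:
    """One `nat (inside) <id> ...` statement paired with `global (outside) <id> interface`."""
    nat_id: int
    inside_subnet: str            # e.g. 10.10.10.0/24  (nat (inside) 1 10.10.10.0 255.255.255.0)
    policy_dst: str | None = None # set when the nat statement references an access-list

    def matches(self, flow: Flow) -> bool:
        if ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(self.inside_subnet):
            return False
        # Policy dynamic NAT: the access-list also constrains the destination host.
        if self.policy_dst is not None and flow.dst_ip != self.policy_dst:
            return False
        return True


class PatToInterface:
    """The outside interface address is the only global address; ports disambiguate flows."""

    def __init__(self, outside_ip: str, rules: list[NatRule], first_port: int = 1024):
        self.outside_ip = outside_ip
        self.rules = rules
        self.first_port = first_port
        self.next_port = first_port                    # assumption: sequential allocation
        self.xlate: dict[Flow, tuple[str, int]] = {}   # flow -> (global ip, global port)

    def translate(self, flow: Flow) -> tuple[str, int] | None:
        """Source address/port the destination sees, or None if no nat statement matches."""
        if flow in self.xlate:                         # existing translation is reused
            return self.xlate[flow]
        if not any(rule.matches(flow) for rule in self.rules):
            return None                                # not matched: no translation is built
        mapped = (self.outside_ip, self.next_port)     # same IP for everyone, unique port
        self.next_port += 1
        self.xlate[flow] = mapped
        return mapped

    def clear_xlate(self) -> int:
        """Model `clear xlate`: drop all translations so new ones follow the current rules."""
        count = len(self.xlate)
        self.xlate.clear()
        self.next_port = self.first_port
        return count


# The two rule shapes from the replies, both PATed to the outside interface (10.20.20.250).
POLICY_RULE = NatRule(1, "10.10.10.0/24", policy_dst="10.20.20.1")   # nat ... access-list nat-inside
SUBNET_RULE = NatRule(1, "10.10.10.0/24")                            # nat (inside) 1 10.10.10.0 255.255.255.0

# Constructed sample flows: three inside hosts to the destination, one to some other host.
TO_SERVER = [Flow(f"10.10.10.{h}", 40000, "10.20.20.1", 443) for h in (11, 12, 13)]
ELSEWHERE = Flow("10.10.10.11", 40001, "10.20.20.99", 80)


def run(rule: NatRule) -> dict[str, object]:
    """Push the sample flows through a firewall holding one nat/global pair and summarise."""
    fw = PatToInterface("10.20.20.250", [rule])
    seen = [fw.translate(f) for f in TO_SERVER]
    repeat = fw.translate(TO_SERVER[0])                # same flow again -> same xlate entry
    return {
        "global_ips": sorted({ip for ip, _ in seen}),                # all arrive as 10.20.20.250
        "ports_unique": len({port for _, port in seen}) == len(seen),
        "repeat_reused": repeat == seen[0],
        "other_dst_translated": fw.translate(ELSEWHERE) is not None,  # differs per rule shape
        "xlate_entries": len(fw.xlate),
        "cleared": fw.clear_xlate(),
    }


if __name__ == "__main__":
    print("policy dynamic:", run(POLICY_RULE))
    print("dynamic:       ", run(SUBNET_RULE))
```

With the policy rule only traffic to 10.20.20.1 is translated, so the flow to 10.20.20.99 gets no xlate; with the subnet rule every flow from 10.10.10.0/24 is PATed to 10.20.20.250 regardless of destination. In both cases the destination sees a single source address and distinct source ports, which is the "nat all addresses behind the outside interface IP only" behaviour asked for in the question.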
