NAT Problem - FWSM

Hi guys,

I have a problem in FWSM where the following happens:

- I have 2 instances called FW01 and FW02.

- When I create an interface in the same VLAN in the 2 instances, the NAT does not work.

I upgraded the FWSM from version 2.3 to 4.1 to try to fix this problem, but it still does not work.

Could you tell me whether this is a configuration problem or a bug?

Thank you.

3 Replies

Jouni Forss
VIP Alumni

Hi,

Can you share some configurations for us to go through?

Sadly I've gotten a bit rusty on the FWSM side and have mostly used the newer ASAs.

Can you share the version of the configuration before and after the change you are trying to do?

Is the situation the following:

  • You have a single FWSM running in multiple context mode
  • You have 2 Security Contexts on that FWSM
  • You are trying to add a single created Vlan interface to both Security Contexts?

- Jouni

Jouni,

Correct:

  • You have a single FWSM running in multiple context mode - YES
  • You have 2 Security Contexts on that FWSM - YES
  • You are trying to add a single created Vlan interface to both Security Contexts? - YES

The configuration follows:

FW01

interface Vlan12
 nameif NET-LAN
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! NET-LAN (10.10.10.0/24) to the ROB DMZ network (10.30.0.0/24)
access-list NET-LAN extended permit ip 10.10.10.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list NET-LAN-INTERNET extended permit ip 10.10.10.0 255.255.255.0 10.30.0.0 255.255.255.0
!
! Policy NAT: traffic from NET-LAN matching NET-LAN-INTERNET uses NAT id 10
nat (NET-LAN) 10 access-list NET-LAN-INTERNET
!
! Global address for NAT id 10 on the DMZ-PUBLIC-ROB interface
global (DMZ-PUBLIC-ROB) 10 10.30.0.10

____________________________________________________________________________________________

FW02

interface Vlan12
 nameif NET-LAN
 security-level 100
 ip address 10.10.10.2 255.255.255.0
!
! NET-LAN (10.10.10.0/24) to the CAR DMZ network (10.31.0.0/24)
access-list NET-LAN extended permit ip 10.10.10.0 255.255.255.0 10.31.0.0 255.255.255.0
access-list NET-LAN-INTERNET extended permit ip 10.10.10.0 255.255.255.0 10.31.0.0 255.255.255.0
!
! Policy NAT: traffic from NET-LAN matching NET-LAN-INTERNET uses NAT id 10
nat (NET-LAN) 10 access-list NET-LAN-INTERNET
!
! Global address for NAT id 10 on the DMZ-PUBLIC-CAR interface
global (DMZ-PUBLIC-CAR) 10 10.31.0.10

_____________________________________________________________________________________________

In this case the NAT doesn't work.

Thanks!!

I'm not quite sure if I'm getting the whole picture of the network, but the Policy NAT configuration doesn't seem that complex.

It seems you have the following setup:

  • The 2 Security Contexts mentioned are connected by Vlan12 to the same NET-LAN
  • The 2 Security Contexts mentioned have different DMZ networks behind them
  • In both cases you want to Policy NAT the traffic coming from the NET-LAN to the DMZ in question, so that the given NAT address belongs to the same network as the actual destination host?
  • On the NET-LAN side you probably have static routes pointing towards each context for the DMZ networks.

If this is the case, can you specify how you confirm that the NAT is not working?

Are you taking the "show xlate" output for the connections? Can you get some log messages of the connection attempts?

The only NAT rule that should override the Policy NAT (to my understanding) is either a more specific Policy NAT rule or a NAT 0 / NAT Exempt rule. Going between the old NAT and the new NAT does get me confused sometimes, so I'm not 100% sure.

- Jouni
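As an added illustration of the check Jouni asks for (which xlate one would expect to see for a given flow), the script below is example code written for this page; it is not code from the thread or from Cisco. It parses only the `access-list ... extended permit ip`, `nat (ifc) id access-list NAME` and `global (ifc) id ADDR` lines of the two posted context configurations (copied inline as constructed input) and reports, per context, which policy NAT rule a source/destination pair hits and what translated source the `global` address would give. It does not model the FWSM's own packet handling, such as how a shared VLAN interface's traffic is assigned to a context in multiple-context mode, or any `access-group`, `static` or `nat 0` rules; the flow addresses used in `main` are made up.

```python
"""Expected policy-NAT xlates over the two FWSM contexts posted above.

Added example, not from the thread or from Cisco. Models only three
statement types: access-list extended permit ip, nat (ifc) id access-list,
and global (ifc) id ADDR. Everything else in the config is ignored.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed copies of the two context configurations from the post.
FW01 = """
interface Vlan12
 nameif NET-LAN
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
access-list NET-LAN extended permit ip 10.10.10.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list NET-LAN-INTERNET extended permit ip 10.10.10.0 255.255.255.0 10.30.0.0 255.255.255.0
!
nat (NET-LAN) 10 access-list NET-LAN-INTERNET
!
global (DMZ-PUBLIC-ROB) 10 10.30.0.10
"""

FW02 = """
interface Vlan12
 nameif NET-LAN
 security-level 100
 ip address 10.10.10.2 255.255.255.0
!
access-list NET-LAN extended permit ip 10.10.10.0 255.255.255.0 10.31.0.0 255.255.255.0
access-list NET-LAN-INTERNET extended permit ip 10.10.10.0 255.255.255.0 10.31.0.0 255.255.255.0
!
nat (NET-LAN) 10 access-list NET-LAN-INTERNET
!
global (DMZ-PUBLIC-CAR) 10 10.31.0.10
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")


@dataclass
class Context:
    name: str
    acls: dict = field(default_factory=dict)      # acl name -> [(src_net, dst_net), ...]
    nats: list = field(default_factory=list)      # [(inside_ifc, nat_id, acl_name), ...]
    globals_: dict = field(default_factory=dict)  # nat_id -> (outside_ifc, address)


def parse_context(name: str, text: str) -> Context:
    """Extract the ACL, policy-NAT and global statements from a context config."""
    ctx = Context(name)
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acl, s, sm, d, dm = m.groups()
            # ipaddress accepts "address/netmask" notation for IPv4 networks
            ctx.acls.setdefault(acl, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := NAT_RE.match(line):
            ifc, nat_id, acl = m.groups()
            ctx.nats.append((ifc, int(nat_id), acl))
        elif m := GLOBAL_RE.match(line):
            ifc, nat_id, addr = m.groups()
            ctx.globals_[int(nat_id)] = (ifc, ipaddress.ip_address(addr))
    return ctx


def policy_nat_lookup(ctx: Context, src: str, dst: str):
    """Return (nat_id, global_ifc, translated_src) for the first matching
    policy NAT rule in ctx, or None if no rule (or no paired global) matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _ifc, nat_id, acl in ctx.nats:
        for src_net, dst_net in ctx.acls.get(acl, []):
            if src_ip in src_net and dst_ip in dst_net:
                glob = ctx.globals_.get(nat_id)
                if glob is None:
                    return None  # nat id with no global: no xlate can be built
                return (nat_id, glob[0], str(glob[1]))
    return None


CONTEXTS = [parse_context("FW01", FW01), parse_context("FW02", FW02)]


def expected_xlates(src: str, dst: str, contexts=CONTEXTS) -> dict:
    """Per-context result of policy_nat_lookup for one flow."""
    return {c.name: policy_nat_lookup(c, src, dst) for c in contexts}


if __name__ == "__main__":
    # Made-up flows from the shared NET-LAN towards each DMZ and to the internet.
    for flow in [("10.10.10.50", "10.30.0.5"), ("10.10.10.50", "10.31.0.5"),
                 ("10.10.10.50", "203.0.113.7")]:
        print(flow, "->", expected_xlates(*flow))
```

Each context only translates flows whose destination lies in its own DMZ network, so a host on NET-LAN reaching 10.30.0.5 should show an xlate to 10.30.0.10 in FW01 and nothing in FW02, and the reverse for 10.31.0.0/24; a flow to any other destination matches neither ACL. Comparing that expectation against the actual `show xlate` output and the connection log messages narrows down where the translation is failing.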
