12-17-2012 03:01 AM - edited 03-11-2019 05:37 PM
Hi guys,
I have a problem in FWSM where the following happens:
- I have 2 instances called FW01 and FW02.
- When I create an interface in the same VLAN in the 2 instances, the NAT does not work.
I upgraded the FWSM from version 2.3 to 4.1 to try to fix this problem, but it still does not work.
Could you tell me if this is a configuration problem or a bug?
Thank you.
12-17-2012 03:16 AM
Hi,
Can you share some configurations for us to go through?
Sadly I've gotten a bit rusty on the FWSM side and have mostly used the newer ASAs.
Can you share the version of the configuration before and after the change you are trying to do?
Is the situation the following?
- Jouni
12-17-2012 04:00 AM
Jouni,
Correct
Follow below the configuration:
FW01
interface Vlan12
nameif NET-LAN
security-level 100
ip address 10.10.10.1 255.255.255.0
!
access-list NET-LAN extended permit ip 10.10.10.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list NET-LAN-INTERNET extended permit ip 10.10.10.0 255.255.255.0 10.30.0.0 255.255.255.0
!
nat (NET-LAN) 10 access-list NET-LAN-INTERNET
!
global (DMZ-PUBLIC-ROB) 10 10.30.0.10
____________________________________________________________________________________________
FW02
interface Vlan12
nameif NET-LAN
security-level 100
ip address 10.10.10.2 255.255.255.0
!
access-list NET-LAN extended permit ip 10.10.10.0 255.255.255.0 10.31.0.0 255.255.255.0
access-list NET-LAN-INTERNET extended permit ip 10.10.10.0 255.255.255.0 10.31.0.0 255.255.255.0
!
nat (NET-LAN) 10 access-list NET-LAN-INTERNET
!
global (DMZ-PUBLIC-CAR) 10 10.31.0.10
_____________________________________________________________________________________________
In this case the NAT doesn't work.
Thanks!!
12-17-2012 05:59 AM
I'm not quite sure if I'm getting the whole picture of the network, but the Policy NAT configuration doesn't seem that complex.
It seems you have the following setup.
If this is the case can you specify how you confirm that the NAT is not working?
Are you taking the "show xlate" output for the connections? Can you get some log messages of the connection attempts?
The only NAT rule that should override the Policy NAT (to my understanding) is either a more specific Policy NAT rule or a NAT0/NAT Exempt rule. Going between the old NAT and the new NAT does get me confused sometimes, so I'm not 100% sure.
- Jouni
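To make the rule-matching question in the two replies above concrete (which flow should hit the `nat (NET-LAN) 10` / `global ... 10` pair, and how a NAT 0 exempt rule takes precedence), here is an added example that is not part of the thread and not Cisco code. It is a small Python model of old-style (pre-8.3) policy NAT lookup: it parses the exact config lines posted for FW01 and FW02, then answers "is this source/destination translated, and to what" for a candidate flow. The `NET-LAN-EXEMPT` access-list and `nat (NET-LAN) 0` line are constructed additions to show the exempt-first ordering Jouni mentions. It models only the rule match, not the FWSM's classification of a packet to one of the two contexts sharing VLAN 12, so it cannot tell you which context sees the packet; it only tells you what that context would do with it, which you would then compare against `show xlate`.

```python
"""Minimal model of FWSM/ASA pre-8.3 policy NAT matching (added example).

Supported lines: 'access-list NAME extended permit ip SRC MASK DST MASK',
'nat (IFACE) ID access-list NAME' (ID 0 means NAT exempt), and
'global (IFACE) ID IP'. Anything else is ignored.
"""
import ipaddress
import re

# Config text copied from the thread (FW01 and FW02).
FW01_CONFIG = """
access-list NET-LAN-INTERNET extended permit ip 10.10.10.0 255.255.255.0 10.30.0.0 255.255.255.0
nat (NET-LAN) 10 access-list NET-LAN-INTERNET
global (DMZ-PUBLIC-ROB) 10 10.30.0.10
"""
FW02_CONFIG = """
access-list NET-LAN-INTERNET extended permit ip 10.10.10.0 255.255.255.0 10.31.0.0 255.255.255.0
nat (NET-LAN) 10 access-list NET-LAN-INTERNET
global (DMZ-PUBLIC-CAR) 10 10.31.0.10
"""
# Constructed variant: a NAT exempt rule that overlaps the policy NAT ACL.
FW01_WITH_EXEMPT = FW01_CONFIG + """
access-list NET-LAN-EXEMPT extended permit ip 10.10.10.0 255.255.255.0 10.30.0.0 255.255.255.0
nat (NET-LAN) 0 access-list NET-LAN-EXEMPT
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"nat \((\S+)\) (\d+) access-list (\S+)$")
GLOBAL_RE = re.compile(r"global \((\S+)\) (\d+) (\S+)$")


def parse_config(text):
    """Return (acls, nats, globals_) extracted from the config text."""
    acls = {}      # name -> [(src_network, dst_network), ...]
    nats = []      # [{"iface": ..., "id": int, "acl": name}, ...]
    globals_ = {}  # nat id -> (outside iface, global address)
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{s}/{sm}", strict=False),
                ipaddress.ip_network(f"{d}/{dm}", strict=False)))
            continue
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, acl = m.groups()
            nats.append({"iface": iface, "id": int(nat_id), "acl": acl})
            continue
        m = GLOBAL_RE.match(line)
        if m:
            iface, nat_id, gip = m.groups()
            globals_[int(nat_id)] = (iface, ipaddress.ip_address(gip))
    return acls, nats, globals_


def translate(cfg, in_iface, src, dst):
    """Look up the policy NAT result for a flow entering in_iface.

    Returns:
      (outside_iface, global_ip) when a numbered policy NAT rule matches
      ("exempt", src)            when a nat 0 (NAT exempt) rule matches
      ("no-global", None)        when a nat id matches but has no global
      None                       when no rule matches at all
    """
    acls, nats, globals_ = cfg
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # NAT exempt (nat 0) is evaluated before numbered policy NAT rules.
    candidates = sorted((n for n in nats if n["iface"] == in_iface),
                        key=lambda n: n["id"] != 0)
    for rule in candidates:
        for s_net, d_net in acls.get(rule["acl"], []):
            if src in s_net and dst in d_net:
                if rule["id"] == 0:
                    return ("exempt", str(src))
                g = globals_.get(rule["id"])
                if g is None:
                    return ("no-global", None)
                return (g[0], str(g[1]))
    return None


if __name__ == "__main__":
    for label, text in (("FW01", FW01_CONFIG), ("FW02", FW02_CONFIG),
                        ("FW01+exempt", FW01_WITH_EXEMPT)):
        cfg = parse_config(text)
        for dst in ("10.30.0.20", "10.31.0.20"):
            print(label, "10.10.10.5 ->", dst, "=>",
                  translate(cfg, "NET-LAN", "10.10.10.5", dst))
```

Run as-is it prints one line per context and destination; the useful comparison is between the result for the flow you are testing and what `show xlate` shows on the context that actually received the packet.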