Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
383
Views
13
Helpful
4
Replies

NAT issues FWSM

nigelsims
Level 1
Level 1

‎04-03-2006 12:43 PM - edited ‎03-09-2019 02:30 PM

Hi - I'm using the pdm for the FWSM. I'm trying to NAT a server from the production VLAN interface to the outside interface with a RIPE address so that we can send smtp to it from designated internet hosts. This server is in the 10.x.x.0 /23 network and this network is NATed using same address on the outside interface (currently set at the network level). Because of this I cannot set the outside NAT by editing the host NAT tab in the pdm. So I have added a translation rule NATing the server to its RIPE address on the outside. When I apply this I get an (expected) NAT overlap/redundancy warning which I ignore and the NAT appears in the list. I then set up a permit smtp from internet hosts on outside interface to the 10.x.x.x address of the server. This immediately changes the address to the NAT RIPE address (thus nullifying the rule as now both are on the outside...) and it takes out the translation entry! So I'm left with a redundant rule and no NAT. Is there a way around this? I don't think I can take out the network level NAT without breaking all the other servers in this VLAN? I hope this makes sense...

Cheers

Nigel

Labels:
0 Helpful
4 Replies 4

Patrick Laidlaw
Level 4
Level 4

‎04-03-2006 03:15 PM

Nigel,

So let me get this right. You have a server that you need to specifically nat an external address to right. But at this time there is a network nat in place natting it to the same place. So your statements look something like this|

nat (inside,outside) 10.x.x.0 10.x.x.0 mask 255.255.254.0

You need to add a single address to be natted to a different address correct Example 5.x.x.2?

nat (inside,outside) 5.x.x.2 10.x.x.2 mask 255.255.255.255

So what you may end up doing is haveing to change your previous network nat statements and create a bunch of network smaller NAT statements.

If you can post your configs it would be useful.

Patrick

nigelsims
Level 1
Level 1
In response to Patrick Laidlaw

‎04-03-2006 03:23 PM

Thanks for the reply Patrick - yep something like that. It seems that we are trying to have two NATs on the one host - one from the network NAT (which it gets to first and 'likes') and the other from the host NAT (which it doesn't like). So, as you say, the only way around it seems to be to take off the network NAT and put statics on the hosts - somehow I don't think I'll get that through the change system as they are all live servers... We may have to put a box on the outside that will relay to the production servers.

Well, it'll keep me busy I suppose since they want it done by tomorrow :)

Cheers

Nigel

0 Helpful

Patrick Laidlaw
Level 4
Level 4
In response to nigelsims

‎04-03-2006 04:55 PM

Nigel,

You could always set that device in a different vlan with a /32 address space.

Patrick

0 Helpful

farussell
Level 1
Level 1

‎04-07-2006 01:21 PM

Nigel,

From my experience, the only way you can add an 'overlapping nat' is to remove the more global static translation. Time to schedule a window...

Good Luck,

Felice

Customers Also Viewed These Support Documents