FWSM PAT Overloading

Hello,
I have an issue configuring PAT on my FWSM.
I need to map many private IPs to one public IP.
Here is the config:
nat (CLT-INSIDE) 3 172.20.120. 255.255.255.0 outside
global (OUTSIDE) 3 AAA.BBB.CCC.DDD
I tried with and without the outside keyword, and using a netmask of 255.255.255.255 for my public address.
access-list CLT-INSIDE_access_in line 1 extended permit icmp any any
access-list CLT-INSIDE_access_in line 2 extended permit ip 172.20.120.0 255.255.255.0 any
(permit ip any any for test purposes only)
I cannot ping any public IP from my inside machine.
I followed my common sense and this guide :
http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/nat.html#wp1158667
Any troubleshooting tips?
Thanks a lot
Florian

Hi,
The parameter "outside" after the "nat" command should, to my understanding, only be needed when the destination interface (the one holding the "global" command) is of lower "security-level" than the source interface (the one holding the "nat" command).
Are we talking about a new setup which you are trying to get working, or an existing setup for which you are configuring a new Dynamic PAT that doesn't seem to work or get applied?
Naturally the annoying thing with this is the FWSM, mainly because "packet-tracer" can not be used with it.
Have you enabled ICMP Inspection for the FWSM so that the reply/return messages/replies for ICMP can pass the firewall? I think since you are doing PAT that you will need ICMP inspection for this.
You should be able to view the current Inspection configurations with the following command
show run policy-map
If you have the default policy configurations attached globally you could add the following lines
inspect icmp
inspect icmp error
I am not sure if we should look for any problems with the NAT configurations (some other configuration than the above that would cause problems).
- Jouni

Similar Messages

  • How many connections PAT can handles?

How many connections can an IP address with PAT support? Can one IP address with PAT support 65536 hosts, as there are 65536 ports available for an IP (ranging from 0 to 65535)?

    Hi,
    PAT (overloading) divides the available ports per global IP address into three ranges: "0-511, 512-1023, and 1024-65535". PAT assigns a unique source port for each UDP or TCP session. It will attempt to assign the same port value of the original request, but if the original source port has already been used, it will start scanning from the beginning of the particular port range to find the first available port and will assign it to the conversation.
Please refer to the URL below for details:
    http://www.cisco.com/en/US/products/ps6640/products_qanda_item0900aecd801ba55a.shtml
    I hope it helps.
    Regards,
    Arul

  • PAT pool, possible?

    Can I combine Dynamic NAT (pool) with PAT (overload)? How? Just use "Router(config)#ip nat inside source list 1 pool POOLNAME overload"? What are advantages/disadvantages of doing that? More connection available? More efficient use of public IP?

    Yes, you can. You, of course, get a lot more translations by doing this...
    Paresh

  • ASA5525X - 8.6(1)2 and One-To-One Static Mapping Issue

    Just started working with the post 8.3 CLI.
    Traffic from outside to inside is translated correctly, but inside to outside is using the outside Interface IP instead of the mapped IP, 50.50.50.50.
    I know I'm missing something small here.
This is the config that was built using ASDM.
    Outside IP: 50.50.50.50
    Inside IP: 10.10.10.10
    object network TEST
    host 50.50.50.50
    description One-To-One NAT 50.50.50.50/10.10.10.10
    object network TEST-priv
    host 10.10.10.10
    description One-To-One NAT 50.50.50.50/10.10.10.10
    object network TEST-priv
    nat (inside,outside) static TEST
    nat (inside,outside) source dynamic IN2OUT interface description PAT Overload Using Interface Public IP
    object network IN2OUT
    subnet 0.0.0.0 0.0.0.0
    description Inside To Outside NAT
    Note: ASDM created object TEST-priv twice. One on top and one below the NAT configs.

    Hello Robert,
    The problem here is the nat order.
Twice NAT rules are reviewed first, so in order to make this work do the following on the CLI.
    no nat (inside,outside) source dynamic IN2OUT interface description PAT Overload Using Interface Public IP
    nat (inside,outside) after-auto source dynamic IN2OUT interface description PAT Overload Using Interface Public IP
Remember to rate all of the answers; for the community that is more important than a thank you.
    Regards,
    Julio

  • PAT pool IP allocation on FWSM

Hi all, I am using a FWSM firewall and have set up a Dynamic policy to PAT a /8 network into a /30 network...
The problem I see is that the PAT is only using the first address in the pool for multiple connections; I need it to use all 4 available addresses.
Anyone got any ideas?

    Hi,
    Can you share the NAT configuration used?
    - Jouni

  • Many to many PAT

    Hi All,
Hope you are doing good. I am currently trying to configure PAT on our FWSM. There are a large number of hosts (four private /24 subnets) that need to be PATted, and they are ending up using all the ports that can be PATted via one IP address. Thus I am looking to place them behind 16 IP addresses. Below is my config, which isn't working correctly.
    access-list PAT_HOSTS extended permit ip 192.168.1.0 255.255.255.0 any
    access-list PAT_HOSTS extended permit ip 192.168.2.0 255.255.255.0 any
    access-list PAT_HOSTS extended permit ip 192.168.3.0 255.255.255.0 any
    access-list PAT_HOSTS extended permit ip 192.168.4.0 255.255.255.0 any
    nat (INSIDE1) 12 access-list PAT_HOSTS
    nat (INSIDE2) 12 access-list PAT_HOSTS
    global (OUTSIDE) 12 10.1.1.48-10.1.1.63 netmask 255.255.255.240
Could anybody please advise how I can achieve this?
    Regards,
    Nilesh

    Hi,
So what you are saying is that the single PAT IP address's ports are being exhausted and any following connections/hosts won't get a translation?
The reason why your new NAT configuration doesn't work is that you are using a NAT Pool. It just assigns a single NAT IP address to a single host. When it runs out of IP addresses you don't have any NAT IP addresses left. And this naturally happens fast with your setup, even faster than using the single PAT IP address.
The solution would be to configure several "global" statements in the configuration.
Since you didn't provide the original configuration, I will make up a sample configuration of the Before and After situation.
    Before
    global (OUTSIDE) 12 interface
    nat (INSIDE1) 12 192.168.1.0 255.255.255.0
    nat (INSIDE1) 12 192.168.2.0 255.255.255.0
    nat (INSIDE2) 12 192.168.3.0 255.255.255.0
    nat (INSIDE2) 12 192.168.4.0 255.255.255.0
    After
If your goal is to simply add 1 or more PAT addresses to address the problem of running out of ports, then you just add an additional "global" statement/configuration:
    global (OUTSIDE) 12 interface
    global (OUTSIDE) 12 10.1.1.48
    nat (INSIDE1) 12 192.168.1.0 255.255.255.0
    nat (INSIDE1) 12 192.168.2.0 255.255.255.0
    nat (INSIDE2) 12 192.168.3.0 255.255.255.0
    nat (INSIDE2) 12 192.168.4.0 255.255.255.0
    Also typically in situations where you have a sufficient NAT Pool BUT it might run out of address occasionally, you could configure NAT Pool + PAT as an overload address for when the NAT Pool runs out.
    Basic configuration format could be for example
    global (OUTSIDE) 12 10.1.1.2-10.1.1.253
    global (OUTSIDE) 12 10.1.1.254
    nat (INSIDE1) 12 192.168.1.0 255.255.255.0
    nat (INSIDE1) 12 192.168.2.0 255.255.255.0
    nat (INSIDE2) 12 192.168.3.0 255.255.255.0
    nat (INSIDE2) 12 192.168.4.0 255.255.255.0
    Hope this helps
    - Jouni
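    The port-range behaviour described in Arul's answer (three ranges per global address, original port preserved when free, otherwise a scan from the start of the range) and Jouni's advice above to add a second "global" statement when one PAT address runs out of ports can be put together in a small model. This is an added example written for this page, not code from the forum or from Cisco; the global addresses 203.0.113.1/203.0.113.2 and the inside hosts are constructed, and the rule that the next "global" address is tried only when the previous one is exhausted is an assumption taken from the answer above.

```python
"""PAT port allocation model, constructed to illustrate the answers above.

It follows the behaviour described in this thread: each global address owns
three port ranges (0-511, 512-1023, 1024-65535); a session keeps its original
source port if that port is still free in its range, otherwise the first free
port in the same range is used; when a global address has no free port left,
the next 'global' statement for the same NAT id is tried (assumption).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PORT_RANGES = ((0, 511), (512, 1023), (1024, 65535))


def range_for(port: int) -> Tuple[int, int]:
    """Return the (low, high) PAT range that a source port belongs to."""
    for lo, hi in PORT_RANGES:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"not a valid port: {port}")


@dataclass
class GlobalAddress:
    """One 'global (OUTSIDE) <id> <ip>' PAT address with its in-use ports."""
    ip: str
    used: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def allocate(self, proto: str, src_ip: str, src_port: int) -> Optional[int]:
        lo, hi = range_for(src_port)
        # Preferred: the original port; fallback: scan the range from its start.
        for port in (src_port, *range(lo, hi + 1)):
            if (proto, port) not in self.used:
                self.used[(proto, port)] = (src_ip, src_port)
                return port
        return None  # this address has exhausted the range


class PatPool:
    """Several global PAT addresses under one NAT id, tried in order."""

    def __init__(self, ips: List[str]):
        self.addrs = [GlobalAddress(ip) for ip in ips]

    def translate(self, proto: str, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        for ga in self.addrs:
            port = ga.allocate(proto, src_ip, src_port)
            if port is not None:
                return ga.ip, port
        return None  # all addresses exhausted: the connection gets no xlate


def exhaust_low_range(pool: PatPool, proto: str = "tcp", src_port: int = 22) -> Optional[Tuple[str, int]]:
    """Open 512 sessions from distinct constructed hosts, all with source port 22
    (range 0-511), then return what a 513th session from another host gets."""
    for i in range(512):
        pool.translate(proto, f"192.168.{1 + i // 254}.{1 + i % 254}", src_port)
    return pool.translate(proto, "192.168.9.9", src_port)


if __name__ == "__main__":
    single = PatPool(["203.0.113.1"])  # constructed PAT address
    print(single.translate("tcp", "192.168.1.10", 50000))  # ('203.0.113.1', 50000)
    print(single.translate("tcp", "192.168.1.11", 50000))  # ('203.0.113.1', 1024): 50000 taken, scan from 1024
    print(exhaust_low_range(PatPool(["203.0.113.1"])))  # None: range 0-511 is full
    print(exhaust_low_range(PatPool(["203.0.113.1", "203.0.113.2"])))  # ('203.0.113.2', 22)
```

    The exhaustion case is the one worth watching in production: a burst of connections whose source ports all fall in the small 0-511 range fills that range after 512 sessions regardless of how many ports are free in 1024-65535, and only a second global address gives those connections an xlate.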

  • ASA 5512-X 8.6(1)2 NAT Overload

My colleague and I have been banging our heads against the wall trying to figure out why we are unable to get this ASA to NAT Overload correctly. Can anybody out there take a look at our config and see what we are missing? I'm sure it is something stupid, and the config may have gotten a little dirty as we tried to change options and make it work. Any insights would be much appreciated. FYI, we can ssh from the WAN into the device to configure it. It is communicating externally, but it isn't NATting.
    ASA Version 8.6(1)2
    !
    hostname ASA5512-X-Remote
    enable password ********** encrypted
    passwd ********** encrypted
    names
    !
    interface GigabitEthernet0/0
     description ISP
     nameif WAN
     security-level 0
     ip address 10.10.10.250 255.255.255.248
    !
    interface GigabitEthernet0/1
     nameif LAN
     security-level 100
     ip address 172.16.55.2 255.255.255.0
    !
    interface GigabitEthernet0/2
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/2.1
     vlan 58
     nameif VENDOR_58
     security-level 0
     ip address 192.168.58.1 255.255.255.0
    !
    interface GigabitEthernet0/2.2
     vlan 56
     nameif VENDOR_56
     security-level 0
     ip address 192.168.56.1 255.255.255.0
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
     management-only
    !
    ftp mode passive
    object network LAN-HOSTS_172.16.55.0
     subnet 172.16.55.0 255.255.255.0
    access-list LAN standard permit any
    access-list WAN_access_in extended permit ip any any
    access-list LAN_access_in extended permit ip any any
    pager lines 24
    mtu WAN 1500
    mtu LAN 1500
    mtu VENDOR_56 1500
    mtu VENDOR_58 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    !
    object network LAN-HOSTS_172.16.55.0
     nat (LAN,WAN) dynamic interface
    access-group WAN_access_in in interface WAN
    access-group LAN_access_in in interface LAN
    route WAN 0.0.0.0 0.0.0.0 10.10.10.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    no snmp-server enable
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 WAN
    ssh timeout 60
    console timeout 0
    management-access WAN
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username admin password ********** encrypted privilege 15
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly 19
      subscribe-to-alert-group configuration periodic monthly 19
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:6ec463a9761699ba648aa4a17237e3ea
    : end
As stated before, any help or insights would be greatly appreciated.
    edit: txt file of config attached.

    ************EDIT*********************
    oops, I didn't see your reply before I posted mine...let me check that .....
    ************EDIT**********************
I've added some testing ACLs to allow any tcp traffic from any to any, applied to both the WAN and the LAN, and I'm still being met with the implicit ACL block like I have been getting.
Maybe I'm going overboard, but I want to at least get it functioning and then start backing things out one at a time.
I've added the following:
    access-list TESTING extended permit tcp any any
    access-list TESTING extended permit udp any any
    access-list TESTING extended permit icmp any any
    access-group TESTING global
    I have been staring at this running config for literally 8 hours so I will admit to having likely flawed logic in some of this stuff.

  • Dynamic PAT and Static NAT issue ASA 5515

    Hi All,
Recently we migrated our network to an ASA 5515. Since we had configured NAT pool overload on our existing router, the users were able to translate their IPs outside. Right now my issue is that when I use the existing NAT configured on our router in the firewall, it seems that the translation is not successful; actually I used Dynamic NAT. When I use Dynamic PAT (Hide), all users are able to translate to the said public IPs. I know that PAT is Port Address Translation, but when I use static NAT for a specific server, the Static NAT is not able to translate. Can anyone explain if there's any conflict with PAT to Static NAT? I appreciate your response. Thanks!
    - Bhal

    Hi,
I would have to guess that your Dynamic PAT was perhaps configured as a Section 1 rule and the Static NAT configured as a Section 2 rule, which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
The very basic configuration for Static NAT and Default PAT I would do in the following way:
    object network STATIC
    host
    nat (inside,outside) static dns
    object-group network DEFAULT-PAT-SOURCE
    network-object
    nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as a Section 3 rule).
This might sound confusing. It would be easier to say what the problem is if we saw the actual NAT configuration, but I gave the reason that I think is probably one of the most likely ones if there is some conflict between the 2 NAT rules.
    You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
    https://supportforums.cisco.com/docs/DOC-31116
    Hope this helps
    - Jouni
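    The Section 1 / Section 2 / Section 3 ordering that Jouni describes, and the after-auto fix Julio gave for the one-to-one mapping thread above, can be checked with a small model of how the ASA picks a NAT rule for an outbound host. This is an added example written for this page, not code from the forum or from Cisco. The object and rule names (TEST-priv, IN2OUT) and the addresses are taken from the one-to-one mapping thread above; the Section 2 tie-break (static before dynamic, then longest prefix, then name) is a simplification of the ASA's documented ordering and is an assumption here.

```python
"""Model of ASA 8.3+ NAT rule evaluation order, constructed to illustrate the
answers above (the 'after-auto' fix and the Section 1/2/3 explanation).

Section 1: manual (twice) NAT, in configuration order.
Section 2: network object NAT; static before dynamic, more specific real
           network before less specific (simplification of the ASA tie-breaks).
Section 3: manual NAT entered with 'after-auto', in configuration order.
The first rule whose real network contains the source address wins.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int   # 1 = manual NAT, 2 = object NAT, 3 = manual NAT after-auto
    kind: str      # "static" or "dynamic"
    real: str      # real (inside) network in CIDR notation
    mapped: str    # mapped address, or "interface" for the outside interface IP


def evaluation_order(rules: List[NatRule]) -> List[NatRule]:
    """Return the rules in the order the ASA consults them (modelled)."""
    section1 = [r for r in rules if r.section == 1]
    section2 = sorted(
        (r for r in rules if r.section == 2),
        key=lambda r: (r.kind != "static",
                       -ipaddress.ip_network(r.real).prefixlen,
                       r.name),
    )
    section3 = [r for r in rules if r.section == 3]
    return section1 + section2 + section3


def match_rule(rules: List[NatRule], real_ip: str) -> Optional[NatRule]:
    ip = ipaddress.ip_address(real_ip)
    for rule in evaluation_order(rules):
        if ip in ipaddress.ip_network(rule.real):
            return rule
    return None


def outbound_source(rules: List[NatRule], real_ip: str) -> str:
    """Mapped source address seen on the outside for a host going out."""
    rule = match_rule(rules, real_ip)
    return rule.mapped if rule else real_ip  # no rule: packet leaves untranslated


# Rule set modelled on the one-to-one mapping thread above (constructed objects).
STATIC = NatRule("TEST-priv", section=2, kind="static",
                 real="10.10.10.10/32", mapped="50.50.50.50")
# 'nat (inside,outside) source dynamic IN2OUT interface' lands in Section 1
BEFORE_FIX = [NatRule("IN2OUT", 1, "dynamic", "0.0.0.0/0", "interface"), STATIC]
# 'nat (inside,outside) after-auto source dynamic IN2OUT interface' lands in Section 3
AFTER_FIX = [NatRule("IN2OUT", 3, "dynamic", "0.0.0.0/0", "interface"), STATIC]

if __name__ == "__main__":
    print(outbound_source(BEFORE_FIX, "10.10.10.10"))  # interface (static NAT shadowed)
    print(outbound_source(AFTER_FIX, "10.10.10.10"))   # 50.50.50.50
    print(outbound_source(AFTER_FIX, "10.10.10.20"))   # interface (other hosts still PAT)
```

    The point the model makes visible is that a catch-all dynamic rule is harmless in Section 3 but shadows every object NAT when it sits in Section 1, which is why the fix in both threads is the after-auto keyword rather than any change to the static rule itself.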

  • PAT blocking IPsec

    Hi,
    I have problem with Portforwarding and IPsec tunnel:
    When I set PAT:
    ip nat inside source static tcp 192.168.10.207 101 WAN_IP 101 extendable
then this port is unavailable for remote PCs at the other site via IPsec (192.168.7.0).
    I have also set NAT on interface
    ip nat inside source list NAT interface GigabitEthernet0/0 overload
    ip access-list extended NAT
     deny   ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
This means no NAT to the remote site 192.168.7.0 and NAT to all others.
Everything works well, but the port-forwarded ports don't.
    Thanks for answers.

    hi,
You have to use a route-map for this problem.
Create the NAT access-list, apply it with a route-map, and then create the NAT entry with the route-map.
    ex:
    ip nat inside source static tcp 192.168.0.7 6004 y.y.y.y 6004 route-map nonat extendable
    route-map nonat permit 10
     match ip address 101
The 101 will be your NAT access-list, which will have a deny statement for the VPN networks; all other networks will be permitted.
If you configure it like this, your NATted IP will also work in the VPN.
If it is helpful please rate it.
    cyril
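    The difference cyril describes, a static PAT entry that fires regardless of destination versus the same entry conditioned by a route-map whose ACL denies the VPN subnet, is easy to check in a small model of IOS inside-source NAT. This is an added example written for this page, not the poster's or cyril's configuration; the addresses (LAN 192.168.10.0/24, VPN site 192.168.7.0/24, WAN address 203.0.113.10) are constructed from the thread, and the rule that a static entry is consulted before the dynamic overload rule is an assumption about IOS ordering.

```python
"""Model of IOS inside-source NAT for the port-forwarding-vs-IPsec problem above.

Constructed example. It contrasts a static PAT entry without a route-map, which
translates the forwarded port no matter where the packet is going, with the same
entry conditioned by 'route-map nonat' whose ACL denies the VPN destination.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


def _matches(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"


def acl_permits(acl: Sequence[AclEntry], src: str, dst: str) -> bool:
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for entry in acl:
        if _matches(entry.src, src) and _matches(entry.dst, dst):
            return entry.action == "permit"
    return False


@dataclass(frozen=True)
class StaticPat:
    """ip nat inside source static <proto> <inside> <port> <global> <port> [route-map ...]"""
    proto: str
    inside_ip: str
    inside_port: int
    global_ip: str
    global_port: int
    route_map_acl: Optional[Sequence[AclEntry]] = None


@dataclass(frozen=True)
class Overload:
    """ip nat inside source list <acl> interface <if> overload"""
    acl: Sequence[AclEntry]
    interface_ip: str


def translate_inside_to_outside(proto: str, src: str, sport: int, dst: str,
                                statics: Sequence[StaticPat], overload: Overload) -> Tuple[str, int]:
    """Source (ip, port) as it appears after inside-to-outside NAT (modelled)."""
    for s in statics:
        if (s.proto, s.inside_ip, s.inside_port) == (proto, src, sport):
            # No route-map: the static entry is unconditional, so even traffic
            # bound for the IPsec peer network gets rewritten to the WAN address.
            if s.route_map_acl is None or acl_permits(s.route_map_acl, src, dst):
                return s.global_ip, s.global_port
            break  # route-map denied: consult the dynamic rule instead
    if acl_permits(overload.acl, src, dst):
        return overload.interface_ip, sport  # PAT port choice simplified: keep the original
    return src, sport  # no rule matched: leave the packet untranslated


# Constructed addresses: LAN, remote VPN site, and the router's WAN address.
LAN, VPN_SITE, WAN_IP = "192.168.10.0/24", "192.168.7.0/24", "203.0.113.10"
NAT_ACL = (AclEntry("deny", LAN, VPN_SITE), AclEntry("permit", LAN, "any"))
OVERLOAD = Overload(NAT_ACL, WAN_IP)
FORWARD_PLAIN = StaticPat("tcp", "192.168.10.207", 101, WAN_IP, 101)
FORWARD_WITH_RMAP = StaticPat("tcp", "192.168.10.207", 101, WAN_IP, 101, route_map_acl=NAT_ACL)


def forwarded_port_source(dst: str, with_route_map: bool) -> Tuple[str, int]:
    """Source seen by `dst` for a packet the forwarded server sends from port 101
    (for example its reply to a remote PC that connected to the forwarded port)."""
    static = FORWARD_WITH_RMAP if with_route_map else FORWARD_PLAIN
    return translate_inside_to_outside("tcp", "192.168.10.207", 101, dst, [static], OVERLOAD)


if __name__ == "__main__":
    print(forwarded_port_source("192.168.7.20", with_route_map=False))  # ('203.0.113.10', 101): broken over VPN
    print(forwarded_port_source("192.168.7.20", with_route_map=True))   # ('192.168.10.207', 101): stays private
    print(forwarded_port_source("198.51.100.9", with_route_map=True))   # ('203.0.113.10', 101): still forwarded
```

    Without the route-map the server's replies to the VPN site leave with the WAN address as source, so they no longer match the tunnel's interesting traffic and the remote PC never sees a usable answer; with the route-map the same static entry still serves Internet clients while VPN traffic keeps its private source.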

  • FWSM strange acl behavior

    Hi!
    I have FWSM running 4.1(6) with two security contexts.
    The context test config is:
    FWSM/test# sh run
    : Saved
    FWSM Version 4.1(6) <context>
    hostname test
    domain-name fwsm.spbstu.ru
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    dns-guard
    interface Vlan556
    nameif inside
    security-level 100
    ip address 192.168.100.254 255.255.255.0
    interface Vlan557
    nameif dmz
    security-level 50
    ip address 172.16.2.1 255.255.255.0
    passwd 2KFQnbNIdI.2KYOU encrypted
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list permit_any extended permit tcp any any
    access-list permit_any extended permit udp any any
    access-list permit_any extended permit ip any any
    access-list dmz_in extended permit icmp any any
    access-list dmz_in extended permit udp any any
    access-list dmz_in remark dmz_in
    access-list dmz_in extended permit tcp any any
    access-list dmz_out extended permit icmp any any
    access-list dmz_out extended permit udp any any
    access-list dmz_out extended permit tcp any any
    access-list inside_in extended permit tcp any eq 3389 any
    access-list inside_in extended permit tcp any any
    access-list inside_in extended deny ip any any
    access-list inside_out extended permit icmp any any
    access-list inside_out extended permit udp any any
    access-list inside_out extended permit tcp any any
    pager lines 24
    logging enable
    logging console debugging
    logging buffered debugging
    logging asdm debugging
    mtu inside 1500
    mtu dmz 1500
    no asdm history enable
    arp timeout 14400
    nat-control
    access-group permit_any in interface inside
    access-group permit_any out interface inside
    access-group permit_any in interface dmz
    access-group permit_any out interface dmz
    route dmz 0.0.0.0 0.0.0.0 172.16.2.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout pptp-gre 0:02:00
    timeout uauth 0:05:00 absolute
    username cisco password ZBZ8GNEdrJsjFvsR encrypted
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication http console LOCAL
    http server enable
    no snmp-server location
    no snmp-server contact
    telnet timeout 60
    ssh timeout 60
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect dns
      inspect ftp
      inspect netbios
      inspect rsh
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
      inspect http
    service-policy global_policy global
    Cryptochecksum:632fecb27da8e4b662d4197c60f1b22a
    : end
Routing and VLAN config is fine for sure,
but access is denied while the ACL counters are 0.
    Does anybody have any ideas where I should look more carefully?
    system context config is
    FWSM# sh run
    : Saved
    FWSM Version 4.1(6) <system>
    resource acl-partition 12
    hostname FWSM
    enable password 8Ry2YjIyt7RRXU24 encrypted
    interface Vlan555
    interface Vlan556
    interface Vlan557
    interface Vlan1216
    passwd 2KFQnbNIdI.2KYOU encrypted
    class default
      limit-resource IPSec 5
      limit-resource Mac-addresses 65535
      limit-resource ASDM 5
      limit-resource SSH 5
      limit-resource Telnet 5
      limit-resource All 0
    ftp mode passive
    pager lines 24
    no failover
    no asdm history enable
    arp timeout 14400
    console timeout 0
    admin-context admin
    context admin
      description default_context
      member default
      allocate-interface Vlan1216
      allocate-interface Vlan555
      allocate-acl-partition 0
      config-url disk:/admin.cfg
    context test
      description test
      member default
      allocate-interface Vlan556
      allocate-interface Vlan557
      allocate-acl-partition 1
      config-url disk:/CON_test.cfg
    prompt hostname context
    Cryptochecksum:ae682011fefdab9a0e4eeda02ca49c6e
    : end

    access-list permit_any extended permit tcp any any
    access-list permit_any extended permit udp any any
    access-list permit_any extended permit ip any any
    access-list permit_any extended permit icmp any any
    access-group permit_any in interface inside
    access-group permit_any out interface inside
    access-group permit_any in interface dmz
    access-group permit_any out interface dmz
I don't understand why the FWSM denies ICMP.
(I am pinging from the Cat6509 SUP 172.16.2.254 (which is on the dmz interface) to the host on the inside interface, 192.168.100.250):
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    %FWSM-7-111009: User 'enable_15' executed cmd: show logging
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    Any ideas?

  • Best practices for NAT/PAT?

    Greetings:
    My setup is
Cisco 1811 serving as a router/firewall to several Windows 2003 servers at an ISP. I've configured NAT on the router to expose the http, https, and smtp ports on each of the servers to a unique public IP address within my x.x.x.230/29 address space.
    The WAN port on the 1811 is configured with x.x.x.230/29. On the ServerA I NAT ports 25, 80, and 443 on that same x.x.x.230 address, while managing the 1811 itself using SSH on that same address as well.
On server B (local IP 192.168.0.3), I NAT the x.x.x.231 address for ports 25, 80, and 443. On server C (local IP 192.168.0.4), I NAT the x.x.x.232 address for the same ports.
    Can anyone offer a critique of this configuration and offer some ideas of the best practices topology-wise for providing routing, vpn and firewall functionality for these servers?
    My question arises because now I have a site to site VPN with Server B at the local end and I am unable to connect to the server B smtp port due to the following nat statements. I can confirm that this is the case since by removing the statement I am able to connect.
    Here is the NAT section of the show run:
    ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet0 443
    ip nat inside source static tcp 192.168.0.2 80 interface FastEthernet0 80
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
    ip nat inside source static tcp 192.168.0.3 25 x.x.x.231 25 extendable
    ip nat inside source static tcp 192.168.0.3 80 x.x.x.231 80 extendable
    ip nat inside source static tcp 192.168.0.3 443 x.x.x.231 443 extendable
    ip nat inside source static tcp 192.168.0.4 25 x.x.x.232 25 extendable
    ip nat inside source static tcp 192.168.0.4 80 x.x.x.232 80 extendable
    ip nat inside source static tcp 192.168.0.4 443 x.x.x.232 443 extendable
Would appreciate any and all comments on the way it is currently configured, as well as:
    -How I might be able to change the config to follow a best-practice arrangement for the router/firewall and these servers.
    TIA

    Hi,
    Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for the local and global addresses.
    This feature lets you identify the same global address across many different static statements, so long as the port is different for each statement (you CANNOT use the same global address for multiple static NAT statements).
    For example, if you want to provide a single address for global users to access FTP, HTTP, and SMTP, but these are all actually different servers on the local network, you can specify static PAT statements for each server that uses the same global IP address, but different ports
    And for PAT you cannot use the same pair of local and global address in multiple static statements between the same two interfaces.
    Regards
    Bjornarsb

  • Configuring PAT/NAT in cisco routers

Hello, first sorry for my bad English.
I just wanted to know how to configure PAT (port address translation).
Like this?
amir(config)#ip nat inside source static tcp 192.168.1.1 1000 172.16.1.1 1000
Or not?
    2nd question i have is:
    when i need to write: "ip nat inside source"... and when i need to write "ip nat outside" ..
    and the last question for now is:
How can I (if that's possible) configure dynamic PAT? I mean that any computer on my LAN will go out to the Internet with the same address but with different ports, in random mode (i.e. without configuring static entries one by one).
I hope I was clear enough, thanks a lot!

    Hi Tiger,
    1) Yes your first statement is a static PAT statement which will say source ip with source port 1000 is translated to 172.16.1.1 with same port number but yes it is a static PAT entry.
    2) Coming to your 2nd question
    "ip nat inside source" is a global config command which says any traffic which hits the inside interface nat the source ip address.
"ip nat inside" is an interface mode command which should be done going to any interface. This command specifies which will be an inside interface which will NAT the incoming traffic.
    3) Coming to your last question
    For dynamic PAT you just need to configure overload command at the end of your nat statement.
    This link will give you a very broad and nice picture of how NAT can be configured in different situation
    http://www.cisco.com/warp/public/556/12.html#6
    HTH
    Ankur

  • Static NAT (in and out) and PAT on a Router

    Static NAT and PAT
    I need to have a customer network connected to my extranet.
    I’m not in control of the customer network addressing. But need to configure a VPN connection.
    I will supply the router that will also be the customer Firewall to the Internet (PAT).
    (1) I need to be able to do PAT on traffic from internal hosts to the Internet.
    (2) I need to hide (NAT) the customer network behind a network supplied by me (match-host), when they are accessing my extranet (through VPN).
    (3) I need to be able to access hosts on the customer network, through the hiding (NAT) addresses from my extranet (through VPN).
The following configuration will solve (1) & (2), but I can not (3) reach the internal servers from my extranet, except if the internal host has made a connection to the extranet, which will create a translation entry in the NAT table.
    Extranet is: 172.16.16.0/24
    Internal net is: 192.168.1.0/24
    interface Vlan1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    interface FastEthernet4
    ip address 1.1.1.1
    ip nat outside
    access-list 175 deny 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255
    access-list 175 permit 192.168.1.0 0.0.0.255 any
    access-list 176 permit 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255
    ip nat pool FRO 10.192.10.1 10.192.10.254 netmask 255.255.255.0 type match-host
    ip nat inside source list 175 interface FastEthernet4 overload
    ip nat inside source route-map HIDE pool FRO reversible
    route-map HIDE permit 10
    match ip address 176

Create a NAT configuration in the router which also translates even your outside global address (your extranet) into the inside global (any private) address through the keyword "rotary". Only this rotary pool will provide the pool of inside global IP addresses for your outside global IP addresses.
    The following white paper will provide you with the required information,
    http://www.cisco.com/en/US/products/ps6640/products_white_paper09186a0080091cb9.shtml

  • Reg:FWSM router mode issue

    Hi,
I have a Cisco FWSM installed in a Cisco 7613 router; the topology is as mentioned below:
7613+{FWSM}------3560---------3560----[10.220.0.0/29,10.220.1.0/29,10.220.2.0/29]
Here we created a p2p link between the 7613 gig port and the 3560 gig port (say 10.220.1.252/29), and then there is a trunk between both 3560 switches. We wish to run the FWSM in router mode and configured vlan groups 10 (101,102) and 20 (200,201), assigned both these groups to the firewall module; on the router, vlan 200 has been given IP address 192.168.2.1/24, while on the FWSM int vl 200 has been given 192.168.2.2. Although the interfaces are up and pinging their individual IP addresses, they are not pinging each other (both IP addresses appear in sh arp though). Kindly help in resolving this issue.
Also I configured vlan 201 as inside; it's also up and visible in the arp of the router but not pinging others. Kindly help in the resolution of this issue.
We need to put this firewall in front of the router which has a serial line to another 7600 router. How would I take traffic to the FWSM? Please suggest what else I need to do, as I'm new to FWSM.
    router config:
    Router#sh firewall module
    Module Vlan-groups
      04   1,2
    Router#sh firewall vlan-group
    Display vlan-groups created by both ACE module and FWSM
    Group    Created by      vlans
        1           ACE      100-101,200-202
        2                    <empty>
    Router#sh arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  10.225.62.145           -   001d.a156.9300  ARPA   GigabitEthernet10/1
    Internet  10.225.62.146         107   001d.a1a5.fbc1  ARPA   GigabitEthernet10/1
    Internet  192.168.2.1             -   001d.a156.9300  ARPA   Vlan200
    Internet  192.168.2.2             7   0007.0e5c.3d00  ARPA   Vlan200
    Internet  192.168.3.1             4   0007.0e5c.3d00  ARPA   Vlan201
    Internet  192.168.3.2             -   001d.a156.9300  ARPA   Vlan201
    Fwsm config:
    hostname FWSM
    interface Vlan200
    nameif outside
    security-level 0
    ip address 192.168.2.2 255.255.255.0
    interface Vlan201
    nameif inside
    security-level 100
    ip address 192.168.3.1 255.255.255.0
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no failover
    no asdm history enable
    arp timeout 14400
    route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect smtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:4e3eadb1a489f3b696d0c6da8b1b20b9
    : end
    FWSM#
    FWSM# sh arp
            outside 192.168.2.1 001d.a156.9300
            inside 192.168.3.2 001d.a156.9300
            eobc 127.0.0.81 0000.1800.0000
    FWSM# sh int
    Interface Vlan200 "outside", is up, line protocol is up
      Hardware is EtherSVI
            MAC address 0007.0e5c.3d00, MTU 1500
            IP address 192.168.2.2, subnet mask 255.255.255.0
      Traffic Statistics for "outside":
            6 packets input, 658 bytes
            12 packets output, 1316 bytes
            474 packets dropped
    Interface Vlan201 "inside", is up, line protocol is up
      Hardware is EtherSVI
            MAC address 0007.0e5c.3d00, MTU 1500
            IP address 192.168.3.1, subnet mask 255.255.255.0
      Traffic Statistics for "inside":
            6 packets input, 658 bytes
            7 packets output, 726 bytes
            107 packets dropped

    Hi,
    Thanks for being so helpful. There is a little issue that has arisen: I cannot ping the inside address configured on the FWSM (192.168.3.1), whereas I can ping 192.168.3.2 on the router interface. I cannot telnet to the FWSM using its outside interface IP 192.168.2.2 either. Here is my FWSM config; kindly suggest if there is any mistake.
    Thanks.
    Also, I tried to ping the inside FWSM interface from my client 10.220.2.2 and enabled debug, to get these:
    FWSM# debug icmp trace 255
    debug icmp trace enabled at level 255
    FWSM# ICMP echo request (len 50 id 2 seq 34642) 10.220.2.2 > 192.168.2.2
    ICMP echo reply (len 50 id 2 seq 34642) 192.168.2.2 > 10.220.2.2
    ICMP echo request (len 50 id 2 seq 34898) 10.220.2.2 > 192.168.3.1
    ICMP echo reply (len 50 id 2 seq 34898) 192.168.3.1 > 10.220.2.2
    ICMP echo request (len 32 id 2 seq 35154) 10.220.2.2 > 192.168.3.1
    ICMP echo reply (len 32 id 2 seq 35154) 192.168.3.1 > 10.220.2.2
    ICMP echo request (len 32 id 2 seq 43602) 10.220.2.2 > 192.168.3.1
    ICMP echo reply (len 32 id 2 seq 43602) 192.168.3.1 > 10.220.2.2
    ICMP echo request (len 32 id 2 seq 49746) 10.220.2.2 > 192.168.3.1
    ICMP echo reply (len 32 id 2 seq 49746) 192.168.3.1 > 10.220.2.2
    ICMP echo request (len 32 id 2 seq 55634) 10.220.2.2 > 192.168.3.1
    ICMP echo reply (len 32 id 2 seq 55634) 192.168.3.1 > 10.220.2.2
    ICMP echo request (len 50 id 2 seq 25683) 10.220.2.2 > 192.168.2.2
    ICMP echo reply (len 50 id 2 seq 25683) 192.168.2.2 > 10.220.2.2
    ICMP echo request (len 50 id 2 seq 25939) 10.220.2.2 > 192.168.3.1
    ICMP echo reply (len 50 id 2 seq 25939) 192.168.3.1 > 10.220.2.2
    Kindly suggest what could be done.
    Thanks.
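    An added triage helper for this kind of thread, not code from any poster: it pairs the echo requests and replies in `debug icmp trace` output by id/seq so that a request with no reply stands out, and it checks whether the running config's policy-map carries `inspect icmp`. The trace and config excerpts inside are constructed samples in the format posted above.

```python
import re

# Constructed sample in the format of the FWSM "debug icmp trace" lines in the
# post; the last request is deliberately left without a reply.
TRACE = """\
FWSM# ICMP echo request (len 50 id 2 seq 34642) 10.220.2.2 > 192.168.2.2
ICMP echo reply (len 50 id 2 seq 34642) 192.168.2.2 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 34898) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 50 id 2 seq 34898) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 35154) 10.220.2.2 > 192.168.3.1
"""

# Constructed excerpt of a running config (the global policy-map), as posted.
CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect sip
service-policy global_policy global
"""

TRACE_LINE = re.compile(
    r"ICMP echo (request|reply) \(len \d+ id (\d+) seq (\d+)\) (\S+) > (\S+)"
)

def unanswered_requests(trace):
    """Pair each echo request with its reply by (src, dst, id, seq) and return
    the requests that never got one, i.e. pings the firewall did not answer."""
    pending = set()
    for line in trace.splitlines():
        m = TRACE_LINE.search(line)  # search(): tolerates the "FWSM# " prompt
        if not m:
            continue
        kind, ident, seq, src, dst = m.groups()
        if kind == "request":
            pending.add((src, dst, int(ident), int(seq)))
        else:
            # a reply's src/dst are the matching request's dst/src
            pending.discard((dst, src, int(ident), int(seq)))
    return sorted(pending)

def inspected_protocols(config):
    """Collect the protocols named by 'inspect <proto>' lines in a config dump."""
    return {m.group(1) for m in re.finditer(r"^\s*inspect (\S+)", config, re.M)}

def icmp_inspection_enabled(config):
    """True when the policy-map carries 'inspect icmp' for the global policy."""
    return "icmp" in inspected_protocols(config)

if __name__ == "__main__":
    print("unanswered:", unanswered_requests(TRACE))
    print("icmp inspection:", icmp_inspection_enabled(CONFIG))
```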

  • ACE Module & FWSM

    Dear Gents,
    Attached is the current setup & configuration for both ACE & FWSM.
    We can ping the VIP from the user side, but we are not able to open the web application using the VIP.
    Appreciate your kind support to solve the issue when trying to open the application using the VIP.
    Best Regards,

    Pierre, this is Babu.
    Can you please forward the current ACE ONE ARM MODE configuration which is working fine? Check my configuration and please reply if any modification is required.
    boot system image:c4710ace-mz.A4_2_0.bin
    interface gigabitEthernet 1/1
    switchport access vlan 255
    no shutdown
    interface gigabitEthernet 1/2
    switchport access vlan 110
    no shutdown
    interface gigabitEthernet 1/3
    shutdown
    interface gigabitEthernet 1/4
    shutdown
    access-list ALL line 8 extended permit ip any any
    access-list ALL line 16 extended permit icmp any any
    probe http HTTP
    port 80
    interval 20
    passdetect interval 40
    receive 3
    expect status 0 499
    connection term forced
    open 1
    probe icmp PING
    description Probe PING
    interval 2
    faildetect 2
    passdetect interval 2
    passdetect count 2
    receive 1
    probe snmp SNMP-PROBE
    description SNMP-PROBE
    interval 15
    passdetect interval 10
    version 2c
    community MODA-MSD-RW
    oid .1.3.6.1.2.1.4.3.0
       type absolute max 1000000000
    weight 6000
    rserver host SERVER1
    description msd-hq-sp01
    ip address 10.0.160.14
    conn-limit max 2000000 min 1500000
    rate-limit connection 100000
    rate-limit bandwidth 10000000
    inservice
    rserver host SERVER2
    description msd-hq-sp02
    ip address 10.0.160.15
    conn-limit max 2000000 min 1500000
    fail-on-all
    weight 20
    inservice
    rserver host SERVER3
    conn-limit max 2000000 min 1500000
    fail-on-all
    weight 30
    inservice
    rserver host SERVER4
    conn-limit max 2000000 min 1500000
    fail-on-all
    weight 40
    inservice
    serverfarm host MoDA-MSD-SFARM
    description MoDA-MSD-SERVERS
    probe PING
    rserver SERVER1 80
       conn-limit max 2000000 min 1500000
       rate-limit connection 100000
       rate-limit bandwidth 5000000
       inservice
    rserver SERVER2 80
       conn-limit max 2000000 min 1500000
       rate-limit connection 100000
       rate-limit bandwidth 5000000
       inservice
    sticky ip-netmask 255.255.255.255 address source STKY_WEB1
    timeout 60
    replicate sticky
    serverfarm MoDA-MSD-SFARM
    class-map match-all frontend
    2 match virtual-address 10.0.160.17 tcp eq www
    class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
       permit
    policy-map type loadbalance first-match frontend
    class class-default
       serverfarm MoDA-MSD-SFARM
    policy-map multi-match CLIENT-VIPS
    class frontend
       loadbalance vip inservice
       loadbalance policy frontend
       loadbalance vip icmp-reply
       nat dynamic 1 vlan 110
    class class-default
    interface vlan 110
    ip address 10.110.10.101 255.255.255.0
    access-group input ALL
    nat-pool 1 10.110.10.200 10.110.10.200 netmask 255.255.255.0 pat
    service-policy input CLIENT-VIPS
    service-policy input remote_mgmt_allow_policy
    no shutdown
    interface vlan 255
    ip address 10.0.255.245 255.255.255.0
    no shutdown
    ft interface vlan 115
    ip address 10.1.1.1 255.255.255.0
    peer ip address 10.1.1.2 255.255.255.0
    no shutdown
    ft peer 1
    heartbeat interval 300
    heartbeat count 20
    ft-interface vlan 115
    query-interface vlan 110
    ft group 1
    peer 1
    priority 120
    associate-context Admin
    inservice
    ip route 0.0.0.0 0.0.0.0 10.110.10.254
    snmp-server community MODA-MSD-RO group Network-Monitor
    snmp-server host 10.0.160.144 traps version 2c MODA-MSD-RW
    snmp-server enable traps snmp coldstart
    snmp-server enable traps virtual-context
    snmp-server enable traps license
    snmp-server enable traps slb vserver
    snmp-server enable traps slb real
    snmp-server enable traps syslog
    snmp-server enable traps snmp authentication
    snmp-server enable traps snmp linkup
    snmp-server enable traps snmp linkdown
    username admin password 5 $1$D1e1pS1d$KBuTV0Oe195u3b3dW9RQF/ role Admin domain default-domain
    username www password 5 $1$JfHnQdU/$0FLEMgeJIuAzIKGc3Xv.p1 role Admin domain default-domain
    ssh key rsa 1024 force
    Thank you,
    Babu.S
