Firewall Services Module NAT Capability Question for 2.3(3) release

Discussion in 'Cisco' started by jrguent@gmail.com, Feb 24, 2006.

  1. Guest

    Goal:


    Support the following NAT configuration requirements (1 and 2) on the
    same Ecommerce Firewall. The Ecommerce Firewall will eventually have to
    support the following types of traffic patterns (outside -> inside;
    inside -> outside; outside -> dmz; dmz -> dmz; dmz -> inside; dmz ->
    outside). For now, we are most concerned with the outside -> inside
    initiated traffic pattern.

    1. For the outside -> inside traffic pattern: use firewall context outside
       interface source NAT so that traffic returns to the correct virtual
       firewall context.
    2. For some connections we cannot NAT incoming source IP addresses for
       outside -> inside traffic (1); in these cases we need to see the
       "real" Internet source address and therefore these connections will
       be policy routed.

    Detail Test Example: (First 3 octets for public addressing have been
    replaced by aa.bb.cc)

    We tried the following test to determine if 1 and 2 can be supported
    in the same firewall context configuration.

    We tried unsuccessfully to support goals 1 and 2 above in the same
    context configuration using the NAT configuration below.

    access-list outside_pnat_inbound extended permit ip any host
    aa.bb.cc.12

    global (inside) 1 interface

    nat (outside) 1 access-list outside_pnat_inbound outside

    static (inside,outside) aa.bb.cc.20 testftp netmask 255.255.255.255 dns


    static (inside,outside) aa.bb.cc.12 test1 netmask 255.255.255.255

    Rule #1: access-list outside_access_in extended permit tcp any gt 1024
    host aa.bb.cc.12 eq telnet log (we wish to source NAT for this rule)

    Rule #2: access-list outside_access_in extended permit tcp any gt 1023
    host aa.bb.cc.20 eq ftp log (we wish to policy route for this rule)

    Results:

    We can successfully telnet to the aa.bb.cc.12 host; however, we cannot
    connect to the aa.bb.cc.20 FTP server.

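The post lists the config lines and the two inbound flows but does not show which posted lines each flow actually hits. The following added example (not code from the original post and not FWSM code) parses those exact lines and, for a constructed outside -> inside telnet flow and FTP flow, reports the first matching `outside_access_in` entry, the `static` whose mapped address is the flow's destination, and whether any `nat (outside) ... outside` access-list would source-translate the flow into its global pool. The aa.bb.cc placeholder is compared as a literal string, the source address 198.51.100.7 and the ephemeral ports are made up, and only the address and port forms the post uses (any, host, eq, gt) are supported. It models rule matching only, not what the FWSM does with the result.

```python
"""Classify outside->inside flows against the NAT/ACL lines from the post.

Constructed example: it reports which posted lines a flow matches. It does not
model FWSM translation behaviour or explain the observed FTP failure.
"""
from dataclasses import dataclass
from typing import Optional

# Config lines copied from the post; aa.bb.cc is kept as a literal placeholder.
CONFIG = """\
access-list outside_pnat_inbound extended permit ip any host aa.bb.cc.12
global (inside) 1 interface
nat (outside) 1 access-list outside_pnat_inbound outside
static (inside,outside) aa.bb.cc.20 testftp netmask 255.255.255.255 dns
static (inside,outside) aa.bb.cc.12 test1 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any gt 1024 host aa.bb.cc.12 eq telnet log
access-list outside_access_in extended permit tcp any gt 1023 host aa.bb.cc.20 eq ftp log
"""

PORT_NAMES = {"telnet": 23, "ftp": 21}  # only the service names the post uses


@dataclass
class Ace:
    proto: str
    src: str                  # "any" or a host address string
    sport: Optional[tuple]    # (op, port) or None
    dst: str
    dport: Optional[tuple]


@dataclass
class Static:
    real_if: str
    mapped_if: str
    mapped: str   # address seen on the mapped (outside) interface
    real: str     # address/name on the real (inside) interface


@dataclass
class OutsideNat:
    interface: str
    pool_id: int
    acl: str


def _addr(tok, i):
    """Parse 'any' or 'host X' at position i; return (address, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError(f"unsupported address form at {tok[i]!r}")


def _port(tok, i):
    """Parse an optional 'eq|gt|lt <port>' operator at position i."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        p = tok[i + 1]
        return (tok[i], PORT_NAMES.get(p) or int(p)), i + 2
    return None, i


def parse_config(text):
    acls, statics, outside_nats = {}, [], []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
            proto = tok[4]
            src, i = _addr(tok, 5)
            sport, i = _port(tok, i)
            dst, i = _addr(tok, i)
            dport, i = _port(tok, i)           # trailing 'log' is ignored
            acls.setdefault(tok[1], []).append(Ace(proto, src, sport, dst, dport))
        elif tok[0] == "static":
            real_if, mapped_if = tok[1].strip("()").split(",")
            statics.append(Static(real_if, mapped_if, mapped=tok[2], real=tok[3]))
        elif tok[0] == "nat" and "access-list" in tok and tok[-1] == "outside":
            acl = tok[tok.index("access-list") + 1]
            outside_nats.append(OutsideNat(tok[1].strip("()"), int(tok[2]), acl))
        # 'global' lines only bind pool 1 to the inside interface address here
    return acls, statics, outside_nats


def _addr_ok(rule, addr):
    return rule == "any" or rule == addr


def _port_ok(rule, port):
    if rule is None:
        return True
    op, n = rule
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]


def ace_matches(ace, flow):
    proto_ok = ace.proto == "ip" or ace.proto == flow["proto"]
    return (proto_ok and _addr_ok(ace.src, flow["src"]) and _port_ok(ace.sport, flow["sport"])
            and _addr_ok(ace.dst, flow["dst"]) and _port_ok(ace.dport, flow["dport"]))


def first_match(aces, flow):
    for idx, ace in enumerate(aces):
        if ace_matches(ace, flow):
            return idx
    return None


def classify(cfg, flow, inbound_acl="outside_access_in"):
    acls, statics, outside_nats = cfg
    # destination translation: static whose mapped address is the flow's destination
    static = next((s for s in statics if s.mapped == flow["dst"]), None)
    # source translation: first outside-NAT ACL that permits this flow
    pool = next((n.pool_id for n in outside_nats
                 if first_match(acls.get(n.acl, []), flow) is not None), None)
    return {
        "inbound_ace": first_match(acls.get(inbound_acl, []), flow),
        "real_dst": static.real if static else None,
        "source_nat_pool": pool,
    }


# Constructed flows: made-up Internet source, ephemeral ports above 1024.
TELNET_FLOW = {"proto": "tcp", "src": "198.51.100.7", "sport": 40000, "dst": "aa.bb.cc.12", "dport": 23}
FTP_FLOW = {"proto": "tcp", "src": "198.51.100.7", "sport": 40001, "dst": "aa.bb.cc.20", "dport": 21}

if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for name, flow in (("telnet", TELNET_FLOW), ("ftp", FTP_FLOW)):
        print(name, classify(cfg, flow))
```

Run as written, the telnet flow hits `outside_access_in` entry 0, the static for `test1`, and the `outside_pnat_inbound` ACL (pool 1, the inside interface address), while the FTP flow hits entry 1 and the static for `testftp` but no outside-NAT ACL, so nothing in the posted config would source-translate it. That is consistent with the poster's intent (rule #2 is meant to be policy routed, not NATed); the script does not say why the FTP connection fails.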