Situation: =========== A set of client PCs on the inside interface of a Firewall Services Module (FWSM) 2.3(1) is connecting outbound to a partner company. In general, all outbound connections to this destination network (10.20.212.0 /24) are PATted to one address (10.20.216.246). This is well-established and has been working well for a long time.
A new application provided by the partner company is offered on a set of four servers with tcp/6500, and it has the inevitable requirement that the servers connect back to the clients on tcp/6500 within seconds (i.e. well within an xlate's lifetime) after the client successfully started the outbound connection.
We would like to avoid configuring static NATs for the client systems by all possible means, because of administrative overhead and tedious work generated by PCs changing locations and IP addresses, so we want to stick with some form of dynamic NAT. The new application is not well-known and can't be inspected by the available "fixup" features of the FWSM.
Solution Attempt: dynamic policy NAT ====================================
We tried with dynamic policy NAT; outbound connections to NEW-APP- SERVERS on tcp/6500 should be NATted dynamically to a pool of 10 source addresses, as we don't expect more than 10 simultaneous connections. Then, incoming connections to tcp/6500 on the NAT pool's IP addresses are allowed by OUTSIDE-ACL.
The dynamic policy NAT part of the this setup works well. Outbound connections to NEW-APP-SERVERS:6500 are successfully source-NATted to the pool.
The reverse connection does not work; we see OUTSIDE-ACL counting hits of incoming connections from the NEW-APP-SERVERS to the source NAT the client had been assiged before, but the SYNs don't make it to the clients and nothing is logged on the FWSM, neither with "warning" nor "informational" logging levels. It seems that a nat&global translation slot is a "one way street" from "nat" to "global"
Excerpt from documentation ========================== The document "Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, Release 2.3" states on Page 9-4 in a "Note" box, in the dynamic NAT chapter:
"For the duration of the translation, a global host can initiate a connection to the local host if an ACL allows it. Because the address is unpredictable, a connection to the host is unlikely. However in this case, you can rely on the security of the ACL"
That's where we had the idea from: The first outbound connection creates the xlate, and we only need to open the ACL to allow incoming session initiations. However: no luck.
This is how we configured the FWSM according to our idea:
... object-group NEW-APP-SERVERS network-object host 10.20.212.47 network-object host 10.20.212.49 network-object host 10.20.212.50 network-object host 10.20.212.51 ... object-group NEW-APP-CLIENTS-NAT network-object host 10.20.216.180 network-object host 10.20.216.181 network-object host 10.20.216.182 network-object host 10.20.216.183 network-object host 10.20.216.184 network-object host 10.20.216.185 network-object host 10.20.216.186 network-object host 10.20.216.187 network-object host 10.20.216.188 network-object host 10.20.216.189 ... ... access-list POLICYNAT remark ------------- Policy NAT access List access-list POLICYNAT extended permit tcp any object-group NEW-APP- SERVERS eq 6500 ... nat (inside) 31 access-list POLICYNAT global (outside) 31 10.20.216.180-10.20.216.189 netmask
255.255.255.0 ... ... access-list OUTSIDE-ACL remark ------------- allow reverse incoming connections for NEW-APP access-list OUTSIDE-ACL permit tcp object-group NEW-APP-SERVERS object- group NEW-APP-CLIENTS-NAT eq 6500 ... access-group OUTSIDE-ACL in interface outside ...QUESTION: ========= Is there another configuration scheme that would allow to fix our problem? I tried sketching this up with policy static NAT or an outsite NAT, but so far I haven't been able to think of a setup that looks like it could work.
Thanks for your comments on this
Marc