I am using an FWSM running release 3.2.5 and I found some strange static NAT behavior.
My NAT configuration looks like this:
static (inside,outside) 172.23.253.6 172.23.0.100 netmask 255.255.255.255
route inside 172.23.0.0 255.255.0.0 x.y.z.v
Everything works fine for some time, but then the FWSM creates an identity xlate which looks like this:
NAT from inside:172.23.0.100 to outside:172.23.251.6 flags si
NAT from inside:172.23.251.6 to outside:172.23.251.6 flags Ii
Then connections don't work any more, because 172.23.251.6 is no longer translated to 172.23.0.100.
If I remove the route, this identity xlate entry is not created.
So for me it's some kind of bug, because the PIX has no reason to create a second xlate entry if I am using statics
(from PIX 6.3: http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694 , look at the NAT order).
So the question is:
Is this behavior right? Or has Cisco changed the NAT order of their firewalls? Why should a route be preferred to a static NAT entry?
Thanks a lot & Br
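The symptom in the post is easier to catch automatically than by eyeballing `show xlate`: an identity xlate (the capital `I` in the flags field, as in the post's `flags Ii` line) whose global address is the same one a `static` already maps to a different inside host. The following script is an added example, not code from the original post or from Cisco: it parses `static` lines from a saved config and `NAT from ... flags ...` lines from `show xlate` output, then reports identity xlates that shadow a static. The config and xlate text are constructed to mirror the post's shape but use one consistent global address (172.23.253.6) and a placeholder next hop (10.0.0.1); the interpretation of `I` as "identity" is an assumption taken from the post's own description of that entry.

```python
"""Flag identity xlates that shadow a static translation on a PIX/FWSM.

Added example, not from the original post or from Cisco. The CONFIG and
XLATES strings below are constructed sample input modeled on the post.
"""
import re
from dataclasses import dataclass

# static (local_if,global_if) global_ip local_ip [netmask mask]
STATIC_RE = re.compile(
    r"^static \((?P<local_if>\w+),(?P<global_if>\w+)\) "
    r"(?P<global_ip>\d+\.\d+\.\d+\.\d+) (?P<local_ip>\d+\.\d+\.\d+\.\d+)"
    r"(?: netmask (?P<mask>\d+\.\d+\.\d+\.\d+))?"
)
# NAT from src_if:src_ip to dst_if:dst_ip flags <flags>
XLATE_RE = re.compile(
    r"^NAT from (?P<src_if>\w+):(?P<src_ip>\S+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>\S+) flags (?P<flags>\S+)"
)

IDENTITY_FLAG = "I"  # assumption: capital I marks an identity xlate, as in the post


@dataclass(frozen=True)
class Static:
    local_if: str
    global_if: str
    global_ip: str
    local_ip: str


@dataclass(frozen=True)
class Xlate:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    flags: str


def parse_statics(config_text):
    """Extract static NAT entries from running-config text."""
    statics = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics.append(Static(m["local_if"], m["global_if"],
                                  m["global_ip"], m["local_ip"]))
    return statics


def parse_xlates(xlate_text):
    """Extract translation entries from 'show xlate' output."""
    xlates = []
    for line in xlate_text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            xlates.append(Xlate(m["src_if"], m["src_ip"], m["dst_if"],
                                m["dst_ip"], m["flags"]))
    return xlates


def find_shadowing_identity_xlates(statics, xlates):
    """Return (xlate, static) pairs where an identity xlate owns a global
    address that a static on the same interface pair maps to a different
    inside host. Inbound traffic to that global address then matches the
    identity entry and is no longer untranslated to the static's local IP."""
    by_global = {(s.local_if, s.global_if, s.global_ip): s for s in statics}
    hits = []
    for x in xlates:
        if IDENTITY_FLAG not in x.flags:
            continue
        s = by_global.get((x.src_if, x.dst_if, x.dst_ip))
        if s is not None and s.local_ip != x.src_ip:
            hits.append((x, s))
    return hits


# Constructed sample input (not a real device capture).
CONFIG = """\
static (inside,outside) 172.23.253.6 172.23.0.100 netmask 255.255.255.255
route inside 172.23.0.0 255.255.0.0 10.0.0.1
"""
XLATES = """\
NAT from inside:172.23.0.100 to outside:172.23.253.6 flags si
NAT from inside:172.23.253.6 to outside:172.23.253.6 flags Ii
NAT from inside:172.23.0.50 to outside:172.23.0.50 flags Ii
"""


def main():
    hits = find_shadowing_identity_xlates(parse_statics(CONFIG), parse_xlates(XLATES))
    for x, s in hits:
        print(f"identity xlate {x.src_if}:{x.src_ip} shadows static "
              f"{s.global_ip} -> {s.local_ip} ({s.local_if},{s.global_if})")
    if not hits:
        print("no shadowing identity xlates found")


if __name__ == "__main__":
    main()
```

The third xlate line is an ordinary identity translation for an unrelated host and is deliberately not reported; only the entry whose global address collides with a static's global address is. In practice you would feed the script `show running-config` and `show xlate` captured from the device and run it whenever translations start failing, which tells you immediately whether the identity entry from the post has reappeared.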