10-12-2008 10:58 PM - edited 03-11-2019 06:56 AM
Hello,
I am again having another problem with my NATted IP.
We have connected a server to one of the firewall interfaces. I can ping the server 10.26.34.20 from the firewall context; at the same time, I can ping the 10.10.10.10 server from the firewall. I have configured NAT for 10.10.10.10 to be represented as 10.26.34.10. I however cannot ping 10.26.34.10 from 10.10.10.10.
I am attaching logs from our firewall; please let me know where I might have gone wrong.
%FWSM-6-302021: Teardown ICMP connection for faddr 10.26.34.20/4388 gaddr 10.34.26.14/4388 laddr 10.34.26.14/8
%FWSM-6-305009: Built static translation from VLAN300 :10.10.10.10 to VLAN1300 :10.26.34.10
%FWSM-6-302013: Built outbound TCP connection 145842752990351296 for VLAN300 :10.10.10.10/47014 (10.26.34.10/47014) to VLAN1300 :10.26.34.20/22 (10.26.34.20/22)
%FWSM-6-302014: Teardown TCP connection 145842752990351296 for VLAN300 :10.10.10.10/47014 to VLAN1300 :10.26.34.20/2
%FWSM-6-302013: Built outbound TCP connection 145842752990351297 for VLAN300 :10.10.10.10/47014 (10.26.34.10/47014) to VLAN1300 :10.26.34.20/22 (10.26.34.20/22)
%FWSM-6-302014: Teardown TCP connection 145842752990351297 for VLAN300 :10.10.10.10/47014 to VLAN1300 :10.26.34.20/2
%FWSM-6-302020: Built outbound ICMP connection for faddr 10.26.34.20/45343 gaddr 10.26.34.10/45343 laddr 10.10.10.10/8
%FWSM-6-302021: Teardown ICMP connection for faddr 10.26.34.20/45343 gaddr 10.26.34.10/45343 laddr 10.10.10.10/8
%FWSM-6-302013: Built outbound TCP connection 145842752990351299 for VLAN300 :10.10.10.10/47015 (10.26.34.10/47015) to VLAN1300 :10.26.34.20/6034 (10.26.34.20/6034)
%FWSM-6-302014: Teardown TCP connection 145842752990351299 for VLAN300 :10.10.10.10/47015 to VLAN1300 :10.26.34.20/6
%FWSM-6-106015: Deny TCP (no connection) from 10.26.34.20/6034 to 10.26.34.10/47015 flags SYN ACK on interface VLAN1300
%FWSM-6-106015: Deny TCP (no connection) from 10.26.34.20/6034 to 10.26.34.10/47015 flags RST on interface VLAN1300
%FWSM-6-302013: Built outbound TCP connection 145842752990351300 for VLAN300 :10.10.10.10/47015 (10.26.34.10/47015) to VLAN1300 :10.26.34.20/6034 (10.26.34.20/6034)
%FWSM-6-302014: Teardown TCP connection 145842752990351300 for VLAN300 :10.10.10.10/47015 to VLAN1300 :10.26.34.20/6
%FWSM-6-302013: Built outbound TCP connection 145842752990351301 for VLAN300 :10.10.10.10/47015 (10.26.34.10/47015) to VLAN1300 :10.26.34.20/6034 (10.26.34.20/6034)
%FWSM-6-302014: Teardown TCP connection 145842752990351301 for VLAN300 :10.10.10.10/47015 to VLAN1300 :10.26.34.20/6
10-12-2008 11:28 PM
Do you have permit statements on the FWSM interfaces?
Because the FWSM has deny all on all interfaces, unlike the
ASA. Make sure you have the right ACLs that permit the traffic,
and as long as you can ping end to end your routing looks OK,
but if you can post the FWSM and MSFC config it will be easier.
Good luck
10-13-2008 12:20 AM
10-13-2008 01:03 AM
OK, on the edge you mean the MSFC.
Do you have an SVI interface?
For example, let's say the interface connected to the core router is in vlan 1311.
Give it an IP address, make it an L3 interface, and put the interface connected to the core router in this vlan, for example:
interface vlan 1311
ip address 13.13.13.13 255.255.255.0
no shut
Now you need an SVI for vlan 300, and this will be used to route traffic to the 10.10.10.10 server.
For example, in the MSFC:
interface vlan 300
ip address 10.133.2.41 255.255.255.252
no shut
Now let's say the core router's directly connected interface, as we said, is in vlan 1311;
let's say it is 13.13.13.1.
Now make a static route to 10.10.10.10:
ip route 10.10.10.10 255.255.255.255 13.13.13.1
Now on the FWSM:
route vlan300 10.10.10.10 255.255.255.255 10.133.2.41
10.133.2.41 represents the vlan300 SVI we just created.
Try the above carefully, then let me know.
Sometimes for NATing you need to do
clear conn
clear xlate
Good luck
10-13-2008 02:22 AM
Hi,
I have already carried it out and I am able to see hits in the firewall logs; however, I am still unable to ping the server. I have a good route, since I am already able to translate 10.10.10.10 to 10.26.34.10.
I can ping the two servers if I am on the firewall context.
I am getting these in the firewall logs:
%FWSM-6-305009: Built static translation from VLAN300:10.10.10.10 to VLAN1300:10.26.34.10
%FWSM-6-302020: Built outbound ICMP connection for faddr 10.26.34.20/33539 gaddr 10.26.34.10/33539 laddr 10.10.10.10/8
%FWSM-6-302020: Built outbound ICMP connection for faddr 10.26.34.20/17533 gaddr 10.26.34.10/17533 laddr 10.10.10.10/8
%FWSM-6-302021: Teardown ICMP connection for faddr 10.26.34.20/33539 gaddr 10.26.34.10/33539 laddr 10.10.10.10/8
%FWSM-6-302021: Teardown ICMP connection for faddr 10.26.34.20/17533 gaddr 10.26.34.10/17533 laddr 10.10.10.10/8
%FWSM-6-302013: Built outbound TCP connection 145843191077015439 for VLAN300:10.10.10.10/47026 (10.26.34.10/47026) to VLAN1300:10.26.34.20/6034 (10.26.34.20/6034)
%FWSM-6-302014: Teardown TCP connection 145843191077015439 for VLAN300:10.10.10.10/47026 to VLAN1300:10.26.34.20/6034 duration 0:00:20 bytes 324 Conn-timeout
%FWSM-6-302013: Built outbound TCP connection 145843191077015440 for VLAN300:10.10.10.10/47026 (10.26.34.10/47026) to VLAN1300:10.26.34.20/6034 (10.26.34.20/6034)
%FWSM-6-302014: Teardown TCP connection 145843191077015440 for VLAN300:10.10.10.10/47026 to VLAN1300:10.26.34.20/6034 duration 0:00:20 bytes 230 Conn-timeout
%FWSM-6-302013: Built outbound TCP connection 145843191077015441 for VLAN300:10.10.10.10/47026 (10.26.34.10/47026) to VLAN1300:10.26.34.20/6034 (10.26.34.20/6034)
%FWSM-6-302014: Teardown TCP connection 145843191077015441 for VLAN300:10.10.10.10/47026 to VLAN1300:10.26.34.20/6034 duration 0:00:20 bytes 230 Conn-timeout
%FWSM-6-302013: Built outbound TCP connection 145843191077015442 for VLAN300:10.10.10.10/47026 (10.26.34.10/47026) to VLAN1300:10.26.34.20/6034 (10.26.34.20/6034)
%FWSM-6-302014: Teardown TCP connection 145843191077015442 for VLAN300:10.10.10.10/47026 to VLAN1300:10.26.34.20/6034 duration 0:00:20 bytes 230 Conn-timeout
%FWSM-6-302013: Built outbound TCP connection 145843191077015443 for VLAN300:10.10.10.10/47027 (10.26.34.10/47027) to VLAN1300:10.26.34.20/6034 (10.26.34.20/6034)
%FWSM-6-106015: Deny TCP (no connection) from 10.26.34.20/6034 to 10.26.34.10/47026 flags SYN ACK on interface VLAN1300
%FWSM-6-106015: Deny TCP (no connection) from 10.26.34.20/6034 to 10.26.34.10/47026 flags RST on interface VLAN1300
%FWSM-6-302014: Teardown TCP connection 145843191077015443 for VLAN300:10.10.10.10/47027 to VLAN1300:10.26.34.20/6034 duration 0:00:20 bytes 324 Conn-timeout
%FWSM-6-302013: Built outbound TCP connection 145843191077015444 for VLAN300:10.10.10.10/47027 (10.26.34.10/47027) to VLAN1300:10.26.34.20/6034 (10.26.34.20/6034)
%FWSM-6-302014: Teardown TCP connection 145843191077015444 for VLAN300:10.10.10.10/47027 to VLAN1300:10.26.34.20/6034 duration 0:00:20 bytes 230 Conn-timeout
%FWSM-6-302013: Built outbound TCP connection 145843191077015445 for VLAN300:10.10.10.10/47027 (10.26.34.10/47027) to VLAN1300:10.26.34.20/6034 (10.26.34.20/6034)
SHE-FW01# ping 10.26.34.20
Sending 5, 100-byte ICMP Echos to 10.26.34.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SHE-FW01# ping 10.10.10.10
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
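The two log sets in this thread already separate a NAT problem from a return-path problem, but only once the Built, Teardown and Deny messages are lined up by connection. The Python script below is an added example for this thread, not code from the posters or from Cisco: it parses lines copied from the logs posted above, links each "Deny TCP (no connection)" to the outbound connection whose reply it is, and reports whether the static translation was built and whether the server's replies reached the FWSM only after it had torn the connection down. The message patterns are written from the lines visible here and are an assumption about the format, not a parser of the documented FWSM syslog grammar.

```python
"""Correlate FWSM syslog messages to separate a NAT or ACL failure from a
return-path failure. Added example for this thread, not from the original
post; the regexes follow the message formats visible in the posted logs
and are an assumption, not a parser of the documented FWSM format."""
import re
from collections import defaultdict

# Sample lines copied from the firewall logs posted above.
SAMPLE_LOG = """\
%FWSM-6-305009: Built static translation from VLAN300:10.10.10.10 to VLAN1300:10.26.34.10
%FWSM-6-302020: Built outbound ICMP connection for faddr 10.26.34.20/33539 gaddr 10.26.34.10/33539 laddr 10.10.10.10/8
%FWSM-6-302021: Teardown ICMP connection for faddr 10.26.34.20/33539 gaddr 10.26.34.10/33539 laddr 10.10.10.10/8
%FWSM-6-302013: Built outbound TCP connection 145843191077015439 for VLAN300:10.10.10.10/47026 (10.26.34.10/47026) to VLAN1300:10.26.34.20/6034 (10.26.34.20/6034)
%FWSM-6-302014: Teardown TCP connection 145843191077015439 for VLAN300:10.10.10.10/47026 to VLAN1300:10.26.34.20/6034 duration 0:00:20 bytes 324 Conn-timeout
%FWSM-6-302013: Built outbound TCP connection 145843191077015443 for VLAN300:10.10.10.10/47027 (10.26.34.10/47027) to VLAN1300:10.26.34.20/6034 (10.26.34.20/6034)
%FWSM-6-106015: Deny TCP (no connection) from 10.26.34.20/6034 to 10.26.34.10/47026 flags SYN ACK on interface VLAN1300
%FWSM-6-106015: Deny TCP (no connection) from 10.26.34.20/6034 to 10.26.34.10/47026 flags RST on interface VLAN1300
%FWSM-6-302014: Teardown TCP connection 145843191077015443 for VLAN300:10.10.10.10/47027 to VLAN1300:10.26.34.20/6034 duration 0:00:20 bytes 324 Conn-timeout
"""

EP = r"([\d.]+)/(\d+)"  # "ip/port" (or "ip/icmp-id") endpoint
RE_XLATE = re.compile(r"%FWSM-6-305009: Built static translation from \w+\s*:([\d.]+) to \w+\s*:([\d.]+)")
RE_BUILT = re.compile(r"%FWSM-6-302013: Built outbound TCP connection (\d+) for \w+\s*:" + EP
                      + r" \(" + EP + r"\) to \w+\s*:" + EP)
# The first post's teardown lines are cut off, so duration/bytes/reason are optional.
RE_TEARDOWN = re.compile(r"%FWSM-6-302014: Teardown TCP connection (\d+) for .*?"
                         r"(?: duration (\S+) bytes (\d+) (\S+))?$")
RE_DENY = re.compile(r"%FWSM-6-106015: Deny TCP \(no connection\) from " + EP + " to " + EP
                     + r" flags (.+?) on interface (\w+)")
RE_ICMP = re.compile(r"%FWSM-6-3020(?:20|21): (Built|Teardown) (?:outbound )?ICMP connection")


def analyze(log_text):
    """Return a report dict built from the Built/Teardown/Deny messages."""
    conns, by_key = {}, defaultdict(list)  # conn id -> record; reply tuple -> conn ids
    report = {"translations": [], "icmp": {"Built": 0, "Teardown": 0},
              "timeouts": [], "denied_replies": [], "orphan_replies": []}
    for line in log_text.splitlines():
        line = line.strip()
        if m := RE_XLATE.match(line):
            report["translations"].append(m.groups())  # (real ip, mapped ip)
        elif m := RE_BUILT.match(line):
            cid, real_src, sport, mapped_src, mport, dst, dport = m.groups()
            conns[cid] = {"real_src": real_src, "mapped_src": mapped_src, "sport": int(sport),
                          "dst": dst, "dport": int(dport), "closed": False, "reason": None}
            # A reply for this connection arrives addressed to the mapped (NAT) source.
            by_key[(mapped_src, int(mport), dst, int(dport))].append(cid)
        elif m := RE_TEARDOWN.match(line):
            cid, _duration, nbytes, reason = m.groups()
            if cid in conns:
                conns[cid].update(closed=True, reason=reason,
                                  bytes=int(nbytes) if nbytes else None)
                if reason == "Conn-timeout":
                    report["timeouts"].append(cid)
        elif m := RE_DENY.match(line):
            src, sport, dst, dport, flags, iface = m.groups()
            entry = {"flags": flags, "iface": iface, "from": f"{src}/{sport}", "to": f"{dst}/{dport}"}
            ids = by_key.get((dst, int(dport), src, int(sport)))  # swap ends: it is a reply
            if ids:
                entry["conn"] = ids[-1]
                entry["conn_closed"] = conns[ids[-1]]["closed"]
                report["denied_replies"].append(entry)
            else:
                report["orphan_replies"].append(entry)
        elif m := RE_ICMP.match(line):
            report["icmp"][m.group(1)] += 1
    return report


def diagnose(report):
    """Plain-language reading of the correlated report."""
    out = []
    if report["translations"]:
        out.append("NAT itself works: static translation built for "
                   + ", ".join(f"{real} -> {mapped}" for real, mapped in report["translations"]))
    late = [e for e in report["denied_replies"] if e["conn_closed"]]
    if late:
        out.append(f"{len(late)} server reply/replies ({', '.join(e['flags'] for e in late)}) "
                   "hit 'Deny TCP (no connection)' after the FWSM had already torn the matching "
                   "connection down: this points at the return path, not at an ACL or NAT miss")
    if report["orphan_replies"]:
        out.append(f"{len(report['orphan_replies'])} reply/replies matched no outbound connection "
                   "at all: check for a path that bypasses this FWSM context")
    if report["timeouts"]:
        out.append(f"{len(report['timeouts'])} TCP connection(s) expired by Conn-timeout")
    return out


if __name__ == "__main__":
    for verdict in diagnose(analyze(SAMPLE_LOG)):
        print("-", verdict)
```

Run it over your own `show logging` output instead of `SAMPLE_LOG` and the interesting signal is the last field of each denied reply: a 106015 whose reverse tuple maps to a connection that is already closed means the server's SYN ACK reached the FWSM too late or on a different path, which is what the posted logs show, while a 106015 with no matching connection at all means the forward SYN never passed through this context.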