FWSM: NAT issue

Jul 2nd, 2010
Hi all,


I am trying to set up a new context and want to allow internet access to users through the new context...



Topology:

========

Internet router <==== FWSM (Admin, context1, context2) <===== LAN

The internet router's inside and outside IPs are public IPs...

FWSM (the outside interfaces of the admin context and context1 are allocated resource VLAN 15, with the same public subnet assigned), and then the router's inside interface is connected to an access port (VLAN 15).

The inside interface for FWSM context1 is VLAN 68, and one PC is attached to VLAN 68.


I am able to ping the internet router's inside IP from the PC (VLAN 68) but am not able to NAT the inside traffic..


I first assigned PAT for the inside subnet of context1 and then also tried static NAT, but when checking sh xlate I am not able to see any translation... it shows the same address..


fwsm/context1# nat-control

fwsm/context1# sh xlate
1 in use, 2 most used
Global 192.168.3.234 Local 192.168.3.234

fwsm/context1# sh conn
6 in use, 15 most used
Network Processor 1 connections
UDP KPTLOUT 8.8.8.8:53 KPTL 192.168.3.234:1032 idle 0:01:46 Bytes 940 FLAGS - D
TCP KPTLOUT 4.2.2.2:21 KPTL 192.168.3.234:1549 idle 0:00:05 Bytes 132 FLAGS - s


I captured the traffic at the inside interface, which shows the ICMP traffic sending the request and getting the reply on the real IP.. NAT not working

  21: 16:24:30.538159242 802.1Q vlan#68 P0 180.150.x.x > 192.168.3.234: icmp: echo reply
  22: 16:24:31.538160242 802.1Q vlan#68 P0 192.168.3.234 > 180.150.x.x: icmp: echo request
  23: 16:24:31.538160242 802.1Q vlan#68 P0 180.150.x.x > 192.168.3.234: icmp: echo reply
  24: 16:24:31.538160442 802.1Q vlan#68 P0 192.168.3.234 > 180.150.x.x: icmp: echo request

 159: 17:45:23.543013072 802.1Q vlan#68 P0 192.168.3.234.1544 > 4.2.2.2.21: S 2347316862:2347316862(0) win 65535 <mss 1460,nop,nop,sackOK>


I have given nat-control also but no luck.. it seems NAT is not working, especially for the new context...

Need help..



Regards

Amar
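As an added example (not part of this thread and not a Cisco tool), the following Python checker reads the `sh xlate` and `sh conn` output quoted above and reports every inside host whose connections leave with their real address, which is exactly the symptom in the post: an xlate whose Global equals Local, or a connection with no xlate at all, means no translation was applied, and on a shared outside VLAN the classifier then has no unique global address to map return traffic back to the context. The sample output is constructed from the lines in the post; the `PAT Global a.b.c.d(port)` line form handled by the regex is assumed from the usual ASA/FWSM xlate format.

```python
import re

# Constructed sample output, modelled on the "sh xlate" / "sh conn" lines in the post.
SHOW_XLATE = """\
1 in use, 2 most used
Global 192.168.3.234 Local 192.168.3.234
"""

SHOW_CONN = """\
6 in use, 15 most used
Network Processor 1 connections
UDP KPTLOUT 8.8.8.8:53 KPTL 192.168.3.234:1032 idle 0:01:46 Bytes 940 FLAGS - D
TCP KPTLOUT 4.2.2.2:21 KPTL 192.168.3.234:1549 idle 0:00:05 Bytes 132 FLAGS - s
"""

# Static form: "Global <ip> Local <ip>"; PAT form (assumed): "PAT Global <ip>(<port>) Local <ip>(<port>)".
XLATE_RE = re.compile(r"^(?:PAT )?Global (\S+?)(?:\((\d+)\))? Local (\S+?)(?:\((\d+)\))?$")
# "<proto> <out-if> <remote>:<port> <in-if> <local>:<port> ..."
CONN_RE = re.compile(r"^(TCP|UDP) (\S+) (\S+):(\d+) (\S+) (\S+):(\d+) ")


def parse_xlate(text):
    """Return {local_ip: global_ip} for every translation slot in `show xlate`."""
    table = {}
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            table[m.group(3)] = m.group(1)
    return table


def parse_conn(text):
    """Return (proto, out_if, remote_ip, in_if, local_ip) tuples from `show conn`."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append((m.group(1), m.group(2), m.group(3), m.group(5), m.group(6)))
    return conns


def untranslated_hosts(xlate_text, conn_text):
    """Map each local host that leaves untranslated to the connections it has open."""
    xlate = parse_xlate(xlate_text)
    bad = {}
    for proto, _out_if, remote, _in_if, local in parse_conn(conn_text):
        glob = xlate.get(local)
        if glob is None or glob == local:  # no xlate, or identity xlate: real address on the wire
            bad.setdefault(local, []).append(f"{proto} to {remote}")
    return bad


if __name__ == "__main__":
    for host, conns in untranslated_hosts(SHOW_XLATE, SHOW_CONN).items():
        print(f"{host} leaves untranslated: {', '.join(conns)}")
```

Run against the post's output it reports 192.168.3.234 for both the DNS and FTP connections; once a real PAT or static entry appears in `show xlate`, the host drops out of the report.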

Marcin Latosiewicz (Cisco Employee) Sat, 07/03/2010 - 03:05

Amar,


show ver
show run nat-co
show run nat
show run global
show run static
show run interface
show run same

Would be interesting to see before we move any further.


Marcin

amardram123 Sat, 07/03/2010 - 12:41
Dear Marcin,


I have opened a TAC case for this and the SR is 614803557. I have attached the show-tech and show run of both contexts...

Please let me know if you need further details...


Please also find the TAC initial response...

=======================

Sharing an outside interface on the FWSM is supported, but the packet classifier relies on active NAT sessions to classify the destination addresses to a context; the classifier is limited by how you can configure NAT. If you do not want to perform NAT, you must use unique interfaces.

All VLAN interfaces of the FWSM share the same MAC address, so any kind of routing is simply not possible over a shared interface: the packet classifier receives many packets from the external world addressed to the same FWSM MAC address and it can't understand which context they belong to and which context they should be routed over. The packet classifier does not take the route table into consideration because internal IP networks of contexts can overlap.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide//contxt_f.html#wp1124172

Please provide me with the following output from both contexts:

- show xlate detail
- show conn
- show local

=================================

Hope the above details help...

Regards

Amar

Marcin Latosiewicz (Cisco Employee) Sat, 07/03/2010 - 14:38

Amar,


If you're not sharing the inside interface, sharing the outside does not explain why a packet is not NATed IF it matches the rules ;-)

I'll try to check up on the case; however, I have full confidence my counterparts in the US will get to the bottom of it fast.


Marcin
