07-02-2010 10:08 AM - edited 03-11-2019 11:06 AM
Hi all,
I am trying to set up a new context and want to allow internet access to users through the new context...
Topology:
========
Internet router <==== FWSM (Admin, context1, context2) <===== LAN
The internet router's inside and outside IPs are public IPs...
FWSM (the outside interfaces of the admin context and context1 are both allocated VLAN 15, with the same public subnet assigned)
and the router's inside interface is connected to an access port (VLAN 15).
The inside interface for FWSM context1 is VLAN 68, and one PC is attached to VLAN 68.
I am able to ping the internet router's inside IP from the PC (VLAN 68) but am not able to NAT the inside traffic..
I first assigned PAT for the inside subnet of context1 and then also tried static NAT, but when checking sh xlate I am not able to see any translation... it shows the same address..
fwsm/context1#nat-control
fwsm/context1# sh xlate
1 in use, 2 most used
Global 192.168.3.234 Local 192.168.3.234
fwsm/context1# sh conn
6 in use, 15 most used
Network Processor 1 connections
UDP KPTLOUT 8.8.8.8:53 KPTL 192.168.3.234:1032 idle 0:01:46 Bytes 940 FLAGS - D
TCP KPTLOUT 4.2.2.2:21 KPTL 192.168.3.234:1549 idle 0:00:05 Bytes 132 FLAGS - s
I captured the traffic at the inside interface, which shows the ICMP traffic sending the request and getting the reply on the real IP.. NAT is not working
21: 16:24:30.538159242 802.1Q vlan#68 P0 180.150.x.x > 192.168.3.234: icmp: echo reply
22: 16:24:31.538160242 802.1Q vlan#68 P0 192.168.3.234 > 180.150.x.x: icmp: echo request
23: 16:24:31.538160242 802.1Q vlan#68 P0 180.150.x.x > 192.168.3.234: icmp: echo reply
24: 16:24:31.538160442 802.1Q vlan#68 P0 192.168.3.234 > 180.150.x.x: icmp: echo request
159: 17:45:23.543013072 802.1Q vlan#68 P0 192.168.3.234.1544 > 4.2.2.2.21: S 2347316862:2347316862(0) win 65535 <mss 1460,nop,nop,sackOK>
I have configured nat-control as well, but no luck.. it seems NAT is not working specifically for the new context...
need help..
Regards
Amar
07-03-2010 03:05 AM
Amar,
show ver
show run nat-co
show run nat
show run global
show run static
show run interface
show run same
It would be interesting to see these before we move any further.
Marcin
07-03-2010 12:41 PM
Dear Marcin,
I have opened a TAC case for this and the SR is 614803557. I have attached the show tech and show run of both contexts...
Please let me know if you need further details...
Please also find the TAC initial response...
=======================
Sharing an outside interface on the FWSM is supported, but the packet
classifier relies on active NAT sessions to classify the destination
addresses to a context, so the classifier is limited by how you can
configure NAT. If you do not want to perform NAT, you must use unique
interfaces.
All VLAN interfaces of the FWSM share the same MAC address, so any kind of
routing is simply not possible over a shared interface: the
packet classifier receives many packets from the external world addressed to
the same FWSM MAC address and it cannot tell which context they
belong to or which context they should be routed over. The packet
classifier does not take the route table into consideration because the internal
IP networks of the contexts can overlap.
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide//contxt_f.html#wp1124172
Please provide me with the following output from both contexts :
- show xlate detail
- show conn
- show local
=================================
Hope the above details help...
Regards
Amar
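The TAC explanation above (a shared interface is classified by destination address against each context's NAT globals and statics, never by the route table) and the identity xlate in the first post ("Global 192.168.3.234 Local 192.168.3.234") can be illustrated with a small model. The following is an added example written for this page; it is not Cisco/FWSM code and not from either poster. The topology it builds is constructed from the thread (admin and context1 sharing VLAN 15 as outside, VLAN 68 as context1's inside); the admin inside VLAN 10 and the public address 203.0.113.10 are hypothetical stand-ins, the latter for the masked 180.150.x.x addresses in the post.

```python
"""Toy model of how the FWSM multi-context classifier handles a shared interface.

Added illustration only (not Cisco code): it models the rule quoted from TAC,
plus a parser that flags `show xlate` entries where no translation happened.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# One `show xlate` entry looks like: Global <ip>[(port)] Local <ip>[(port)]
XLATE_RE = re.compile(r"Global\s+(\S+)\s+Local\s+(\S+)")


def xlate_is_identity(line: str) -> bool:
    """True when the Global and Local addresses of an xlate line are equal,
    i.e. the packet left untranslated (the symptom in the first post).
    PAT entries carry a '(port)' suffix, which is stripped before comparing."""
    m = XLATE_RE.search(line)
    if not m:
        raise ValueError(f"not an xlate line: {line!r}")
    global_ip, local_ip = (s.split("(")[0] for s in m.groups())
    return global_ip == local_ip


@dataclass
class Context:
    name: str
    interfaces: Dict[int, str]                       # vlan -> nameif
    statics: Dict[str, str] = field(default_factory=dict)   # global ip -> local ip
    global_pools: List[Tuple[str, str]] = field(default_factory=list)  # (nameif, cidr)

    def owns_destination(self, dst: str) -> bool:
        """Does this context's NAT configuration claim `dst` as a global address?"""
        if dst in self.statics:
            return True
        ip = ip_address(dst)
        return any(ip in ip_network(cidr) for _, cidr in self.global_pools)


def classify(contexts: List[Context], vlan: int, dst: str) -> Optional[str]:
    """Name of the context that receives a packet arriving on `vlan` for `dst`,
    or None when the classifier cannot decide (the packet is dropped)."""
    candidates = [c for c in contexts if vlan in c.interfaces]
    if not candidates:
        return None
    if len(candidates) == 1:
        # Unique interface: the interface alone identifies the context.
        return candidates[0].name
    # Shared interface: only NAT globals/statics are consulted, never the
    # routing table, because inside networks of different contexts may overlap.
    owners = [c.name for c in candidates if c.owns_destination(dst)]
    return owners[0] if len(owners) == 1 else None


def build_sample(with_static: bool) -> List[Context]:
    """Constructed topology from the thread. VLAN 10 for the admin inside and
    203.0.113.10 as a public address are hypothetical."""
    admin = Context("admin", {15: "outside", 10: "inside"})
    ctx1 = Context("context1", {15: "outside", 68: "inside"})
    if with_static:
        # Equivalent of: static (inside,outside) 203.0.113.10 192.168.3.234
        ctx1.statics["203.0.113.10"] = "192.168.3.234"
    return [admin, ctx1]


if __name__ == "__main__":
    posted = "Global 192.168.3.234 Local 192.168.3.234"   # from the first post
    print(posted, "->", "identity, no NAT applied" if xlate_is_identity(posted) else "translated")
    print("no NAT, shared VLAN 15 ->", classify(build_sample(False), 15, "192.168.3.234"))
    print("static NAT, shared VLAN 15 ->", classify(build_sample(True), 15, "203.0.113.10"))
    print("unique VLAN 68 ->", classify(build_sample(True), 68, "192.168.3.234"))
```

Running the module shows the two halves of the TAC argument: with no NAT configured in context1, an inbound packet on the shared VLAN 15 has no owner and is dropped, while the same packet on the unique inside VLAN 68 is classified by interface alone; adding a static for context1 gives the shared-interface packet a single owner.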
07-03-2010 02:38 PM
Amar,
If you're not sharing the inside interface, sharing the outside does not explain why the packet is not NATed IF it matches the rules ;-)
I'll try to check up on the case; however, I have full confidence my counterparts in the US will get to the bottom of it fast.
Marcin