amazing problem with fwsm

a7_seven7
Level 1

I have an amazing problem. I tried to NAT one of my private IP addresses to one of my public IP addresses in the FWSM. It worked fine; for example, NAT 192.168.1.1 to 217.218.100.2. My 6500 switch is connected via one 3560 switch to the internet, and all of my LAN devices connect via the FWSM to the internet. One of these servers is my ISA server. The amazing problem starts when:

If I connect one of the NICs on the ISA server directly to the 3560 (this switch can connect directly to the internet), change the IP address on the NIC to 217.218.100.2, and change the gateway address from the FWSM to the router interface that is connected directly to the internet, then the ISA server works correctly and has internet. Then, if I return to the previous config (change the IP address on the ISA NIC from 217.218.100.2 to 192.168.1.1 and change the gateway to the FWSM IP address), it is not possible to access the internet!!!

I tested this with another public IP like 217.218.100.3 and the result was the same as before. I tried to clear the ARP table on both the FWSM and the 3560, but the problem was not solved. Please, can someone tell me why this problem happens and why I cannot use my previously successful IP again? I had this problem in a scenario like this on a NETSCREEN500.

3 Replies

praprama
Cisco Employee

Hi,

I am not sure if the problem is actually with the firewall. With the ISA server connected behind the FWSM, can you get the following outputs when trying to access the internet:

1) captures from inside and outside interface.

2) show conn | in 192.168.1.1

Also, please send the "show run" from the firewall if possible.

Regards,

Prapanch

Hi

I will go to the customer site tomorrow, then I will prepare the output. But be aware the problem is not with the ISA server, because, for example, in the safe state, if the NIC IP on the public card on the ISA server is 217.218.100.1 and this IP is connected to the FWSM, everything is OK. Now, if I disconnect the public NIC on the ISA server and then use this IP address (217.218.100.1) on my notebook and connect my notebook to the 3560 (this switch is located after the firewall and connected directly to the internet), I don't have internet. But if I use another public IP in my subnet (this IP must not be used in the FWSM), then if I set this new public IP on my notebook, it will work fine. Also, if I disconnect my notebook and then use this IP on the ISA server and connect the ISA server directly to the 3560, again this works fine. But if I connect my ISA server with this new IP to the FWSM, and again disconnect the ISA and use this IP on my notebook, it does not work on my notebook. And if I connect the ISA server to the FWSM again with the same IP, it does not work.

I am not sure why you need to keep changing IP addresses on devices.

In any case, you will possibly be best off having a PC that can do packet capture, and having a SPAN of the VLAN for the subnet 217.218.100.x to a port where the capture PC is connected, to see what MAC addresses are being shown for the IP traffic. You can also check the ARP entries on every device on the same VLAN to see what MAC address maps to the IP address.

Regards
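The ARP cross-check suggested in the reply above, as an added example that is not from the thread or from Cisco: it parses ARP listings collected from each device on the public VLAN and reports any device whose entry for the NAT address disagrees with the MAC that should own it (for a static NAT on the FWSM, the FWSM outside-interface MAC). The output layout, MAC values and device names are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumption: lines look like Cisco IOS 'show ip arp' output
# ("Internet  <ip>  <age>  <mac>  ARPA  <intf>"); adjust for other platforms.
IOS_ARP = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)

def parse_arp(text):
    """Return {ip: mac} from one device's ARP listing."""
    table = {}
    for line in text.splitlines():
        m = IOS_ARP.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def find_conflicts(tables):
    """tables: {device: {ip: mac}}. Return {ip: {device: mac}} for IPs that
    different devices resolve to different MACs."""
    by_ip = defaultdict(dict)
    for dev, tab in tables.items():
        for ip, mac in tab.items():
            by_ip[ip][dev] = mac
    return {ip: d for ip, d in by_ip.items() if len(set(d.values())) > 1}

def stale_entries(conflicts, expected):
    """expected: {ip: mac} that should own the IP (for a static NAT on the
    FWSM, its outside-interface MAC). Return [(device, ip, wrong_mac)]."""
    return [(dev, ip, mac) for ip, devs in conflicts.items() if ip in expected
            for dev, mac in devs.items() if mac != expected[ip]]

# Constructed sample: the upstream router still holds the ISA NIC's MAC for the
# NAT address after the server was moved back behind the FWSM; the 3560 has
# already re-learned the FWSM's MAC for it.
ROUTER_ARP = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  217.218.100.1           -   0000.1111.2222  ARPA   Vlan100
Internet  217.218.100.2          12   aabb.ccdd.eeff  ARPA   Vlan100
"""
SWITCH_ARP = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  217.218.100.2           3   0011.2233.4455  ARPA   Vlan100
"""
FWSM_OUTSIDE_MAC = "0011.2233.4455"  # constructed; read it from the FWSM outside interface

def check_sample():
    tables = {"router": parse_arp(ROUTER_ARP), "3560": parse_arp(SWITCH_ARP)}
    return stale_entries(find_conflicts(tables), {"217.218.100.2": FWSM_OUTSIDE_MAC})
```

A non-empty result names the device whose cached entry still points at the old MAC, which is the entry to clear (or wait out) before retesting through the FWSM.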
