I have an amazing problem. I tried to NAT one of my private IP addresses to one of my public IP addresses in the FWSM. It worked fine. For example, NAT 192.168.1.1 to 22.214.171.124. My 6500 switch is connected via one 3560 switch to the internet, and all of my LAN devices connect via the FWSM to the internet. One of these servers is my ISA server. The amazing problem starts when:
If I connect one of the NICs on the ISA server directly to the 3560 (this switch can connect directly to the internet), change the IP address on the NIC to 126.96.36.199, and change the gateway address from the FWSM to the router interface that is connected directly to the internet, then the ISA server works correctly and has internet. Then if I return to the previous config (change the IP address on the ISA NIC from 188.8.131.52 to 192.168.1.1 and change the gateway to the FWSM IP address), it is not possible to access the internet!!!
I tested this with another public IP like 184.108.40.206 and the result was the same as before. I tried to clear the ARP table on both the FWSM and the 3560, but the problem was not solved. Please, someone tell me why this problem happens and why I cannot use my previous successful IP again? I had this problem in a scenario like this on a NETSCREEN500.
I will go to the customer site tomorrow, then I will prepare output. But be aware the problem is not with the ISA server, because for example in the safe state, if the NIC IP on the public card on the ISA server is 220.127.116.11 and this IP is connected to the FWSM, everything is OK. Now, if I disconnect the public NIC on the ISA server and then use this IP address (18.104.22.168) on my notebook and connect my notebook to the 3560 (this switch is located after the firewall and connected directly to the internet), I don't have internet. But if I use another public IP in my subnet (this IP must not be used in the FWSM), then if I set this new public IP on my notebook, this works fine. Also, if I disconnect my notebook and then use this IP on the ISA server and connect the ISA server directly to the 3560, again this works fine. But if I connect my ISA server with this new IP to the FWSM, and again disconnect the ISA and use this IP on my notebook, it does not work on my notebook. And if I connect the ISA server again to the FWSM with the same IP, it does not work.
I am not sure why you need to keep changing IP addresses on devices.
In any case, you will possibly be best having a PC that can do packet capture, and have a SPAN of the VLAN for the subnet 217.218.100.x to a port where the capture PC is connected, to see what MAC addresses are being shown for the IP traffic. You can also check the ARP entries on every device that is on the same VLAN to see what MAC address maps to the IP address.
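As an added example for the ARP check suggested in the reply above (not code from the original thread), the script below takes `show arp` / `arp -a` output collected from several devices on the public VLAN and flags any IP address that different devices resolve to different MAC addresses. Device names, the 203.0.113.0/24 addresses and the MACs are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample ARP output from three vantage points on the public VLAN.
# Addresses (203.0.113.0/24 documentation range), MACs and device names are
# hypothetical and are not taken from the original post.
ARP_SAMPLES = {
    "router": """
Internet  203.0.113.1     -   0011.2233.4401  ARPA   Vlan10
Internet  203.0.113.10    5   0011.2233.aaaa  ARPA   Vlan10
Internet  203.0.113.11    2   0011.2233.bbbb  ARPA   Vlan10
""",
    "switch3560": """
Internet  203.0.113.1     3   0011.2233.4401  ARPA   Vlan10
Internet  203.0.113.10    0   0011.2233.cccc  ARPA   Vlan10
""",
    "notebook": """
  203.0.113.1           00-11-22-33-44-01     dynamic
  203.0.113.11          00-11-22-33-bb-bb     dynamic
""",
}

IP_RE = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Accept Cisco dotted MACs (0011.2233.aaaa) and colon/hyphen MACs (00-11-22-33-aa-aa).
MAC_RE = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})"
# Optional middle field covers the "age" column that IOS prints and Windows omits.
LINE_RE = re.compile(IP_RE + r"(?:\s+\S+)?\s+" + MAC_RE, re.IGNORECASE)


def normalize_mac(mac: str) -> str:
    """Convert any supported MAC notation to lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text: str) -> dict:
    """Return {ip: normalized_mac} for every ARP line found in the text."""
    table = {}
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if match:
            table[match.group(1)] = normalize_mac(match.group(2))
    return table


def find_conflicts(samples: dict) -> dict:
    """Return {ip: {device: mac}} for IPs that devices resolve to different MACs.
    A public IP that the firewall answers ARP for (NAT) and that is later moved to
    a host on the same VLAN shows up here: one device still holds the firewall's
    MAC while another has learned the host's MAC."""
    seen = defaultdict(dict)
    for device, text in samples.items():
        for ip, mac in parse_arp(text).items():
            seen[ip][device] = mac
    return {ip: by_dev for ip, by_dev in seen.items() if len(set(by_dev.values())) > 1}
```

Paste the real `show arp` output of each device into `ARP_SAMPLES` and the function prints exactly which address has an inconsistent MAC mapping and on which devices.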