We have a bit of an oddity. We have an FWSM in a 6500 VSS stack, and some traffic appears to be forwarded back to the switch.
We have a transit LAN between the VRF on the 6500 and the FWSM. All routing appears correct - the route via the FWSM points to the IP of the FWSM. The ARP entry is correct, but for some entries that should be beyond the firewall, if we do a tracert from the 6500, all responses are the outgoing interface address of the 6500.
I was told the SW was 7.2.1, but that does not appear valid for FWSM!
I am not sure if I follow you. You are saying that when you traceroute you do not see the FWSM as a hop? Well, the firewall never shows itself as a hop. On the ASA there is a way to decrement TTL but not on the FWSM.
If the ARP entry is correct, please check the "sh mac-address-table vlan " and see if the FWSM MAC is seen on the VLANs that it firewalls.