NAT behavior on FWSM 4.0

phatrachit
Level 1

Hi all,

I have a question about NAT behavior on FWSM 4.0. The problem is that the email server (Company A) cannot connect to the email gateway (Company B) on the outside network, and it happens randomly. I got this error from the server guy: "Detail: xlate has blocked the connection between A’s mail gateway and B’s mail gateway". It works fine again after clearing the xlate on the firewall.

=================================================================================================
FW-INTERNET# sh xlate global 158.137.21.26 debug
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static
32908 in use, 33983 most used
NAT from inside:158.137.21.26 to inside:158.137.21.26 flags Ii idle 0:00:06 timeout 3:00:00 connections 24
NAT from outside:158.137.21.26 to outside:158.137.21.26 flags Ii idle 2:31:38 timeout 3:00:00 connections 0

FW-INTERNET# sh conn foreign 158.137.21.26
65010 in use, 87131 most used
Network Processor 1 connections
TCP outside 158.137.21.26:56925 inside 102.45.14.108:25 idle 0:00:03 Bytes 1680666 FLAGS - UBOIX
Network Processor 2 connections
TCP outside 158.137.21.26:25 inside 102.45.14.108:21026 idle 0:00:27 Bytes 680 FLAGS - UIX
TCP outside 158.137.21.26:25 inside 102.45.14.108:40343 idle 0:00:00 Bytes 7970592 FLAGS - UOIX
TCP outside 158.137.21.26:25 inside 102.45.14.108:40664 idle 0:00:00 Bytes 416316 FLAGS - UOIX
TCP outside 158.137.21.26:25 inside 102.45.14.108:26325 idle 0:00:00 Bytes 1413646 FLAGS

158.137.21.26 => email gateway - Company B
102.45.14.108 => email gateway - Company A
=================================================================================================

1. How does FWSM create an xlate table like that? I mean, it looks like NAT0 for 158.137.21.26, but there isn't any NAT rule for 158.137.21.26 on the firewall.

2. What does "connections 24" mean at the end of the first line? Normally I only see connections 0, like the second line of the xlate output.

3. After clear xlate global 158.137.21.26, the first line of the xlate table is gone and then the email servers can connect to each other. Is this a bug on FWSM, or is this normal NAT behavior of FWSM?

1 Reply

Hi Bro

For some reason, your XLATE table is filled up. Hence, Email Server A (INSIDE) can’t communicate with Email Server B (OUTSIDE). I doubt this is a bug issue. I believe you have high network traffic/volume between INSIDE and OUTSIDE. Hence, this is affecting the communication between Email Server A (INSIDE) and Email Server B (OUTSIDE). Please do ensure your xlate timeout value isn’t modified and is kept at the default, i.e. 3 Minutes (“timeout xlate 3:00:00”).

Listed below are some commands that you could type to investigate this issue further:

a) show np block (hardware buffer counters) - if they are non-zero and increasing, it's bad. You're most likely running into a hardware limitation of the FWSM.

b) show np all stats | i RTL and show np all stats | i RL will show you if packets are being dropped because of software rate-limiting mechanisms built into the network processors.

Perhaps what you need is to enable the “xlate-bypass” command. By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. You can disable NAT sessions for untranslated network traffic, which is called xlate bypass, in order to avoid the maximum NAT session limit. The xlate-bypass command can be configured as shown:

hostname(config)#xlate-bypass

If the xlate-bypass doesn’t resolve your issue, please do ensure you have a static NAT or dedicated nat/global in place.

static (inside,outside) 102.45.14.108 192.168.1.108

Public IP Email Server A : 102.45.14.108

Private IP Email Server A : 192.168.1.108

The last resort is to enable sysopt np completion-unit; this magic option invokes special processing created to address scenarios in which the FWSM was known to introduce out-of-order packets for TCP streams.

P.S.: If you think this comment is useful, please do rate it nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam
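
As an added example (not from the original thread or from Cisco), here is a small Python parser for the "show xlate ... debug" output format quoted in the question. It extracts the "in use / most used" counter and picks out the identity ("I" flag) xlates that the FWSM creates for untranslated traffic, which are exactly the entries the reply's xlate-bypass suggestion stops the box from creating. The sample output is constructed from the thread's own lines plus one assumed static entry; the field names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the "show xlate global <ip> debug" output quoted
# in the thread; the third entry is a constructed static xlate using the IPs from
# the reply's "static (inside,outside)" example.
SAMPLE_XLATE_OUTPUT = """\
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static
32908 in use, 33983 most used
NAT from inside:158.137.21.26 to inside:158.137.21.26 flags Ii idle 0:00:06 timeout 3:00:00 connections 24
NAT from outside:158.137.21.26 to outside:158.137.21.26 flags Ii idle 2:31:38 timeout 3:00:00 connections 0
NAT from inside:192.168.1.108 to outside:102.45.14.108 flags s idle 0:00:01 timeout 0:00:00 connections 3
"""

USAGE_RE = re.compile(r"^(\d+) in use, (\d+) most used$")
XLATE_RE = re.compile(
    r"^NAT from (\w+):(\S+) to (\w+):(\S+) flags (\S+) "
    r"idle (\S+) timeout (\S+) connections (\d+)$"
)

@dataclass
class Xlate:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    flags: str
    idle: str
    timeout: str
    connections: int  # live connections using this xlate ("connections 24")

def parse_show_xlate(text):
    """Return (in_use, most_used, [Xlate, ...]) from show xlate debug output."""
    in_use = most_used = None
    xlates = []
    for line in text.splitlines():
        if m := USAGE_RE.match(line.strip()):
            in_use, most_used = int(m.group(1)), int(m.group(2))
        elif m := XLATE_RE.match(line.strip()):
            g = m.groups()
            xlates.append(Xlate(*g[:7], int(g[7])))
    return in_use, most_used, xlates

def identity_xlates(text):
    """Identity ('I') xlates: untranslated flows that still occupy a slot.
    These are the entries xlate-bypass stops the FWSM from creating."""
    _, _, xlates = parse_show_xlate(text)
    return [x for x in xlates if "I" in x.flags]
```

Running identity_xlates over a full "show xlate debug" dump tells you how many of the "in use" slots are held by untranslated traffic before you decide whether xlate-bypass is worth enabling.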