The object-group called Cluster contains 212.145.x.x (located on the si interface with security-level 10) and the object-group called Range-Voice contains 212.30.x.x (located on the outside interface with security level 0).
The NAT + global commands are as follows:
nat (si) 1 access-list NAT-VOICE
global (outside) 1 212.145.x.x
When I launch a telnet, ping, rsh or whatever from a server in the Cluster object-group to another one in Range-Voice, I've detected that no NAT is taking place. In fact, on the destination server I can see the requests from the server with its real IP, not the NAT IP.
The show conn command shows me the connection between the real source IP and destination. The sh xlate doesn't show anything...
Just one thing. The IP on the global command is on the same network as the si interface. That is (I'll change the IPs for this example), the si interface has 192.168.1.1/24 and the IP on the global command is 192.168.1.200. Could that be the problem?
Jon, the FWSM was upgraded from 3.1(4) to 3.1(17) because the rsh protocol through NAT does not work and the new version fixes an rsh bug.
The customer told me the NAT always worked before the upgrade and with the new version it does not. Is it possible that nat+global can work?
Just to clarify, note the access-list I typed in the first post:
access-list NAT-VOICE extended permit ip object-group Cluster object-group Range-Voice
The customer assures me the NAT was working properly although the IP in the global command is inside the range of the source interface; the only protocol that didn't work was rsh. Once the upgrade was done, nothing works through NAT: telnet, ICMP, SSH or whatever...
Edit: the rsh inspect was removed, but without success.