We have an FWSM running 3.1.3 in routed mode, single context. It has been running fine (as far as we can tell) since July 06.
It runs in a 6509 with Sup32/CatOS 8.5.3
The MSFC is not being used and has not been configured.
The FWSM routes traffic between 3 vlans:
ip address X.Y.45.245 255.255.255.0
description Systems Vlan
ip address X.Y.16.120 255.255.255.128
description Users Vlan
ip address X.Y.16.240 255.255.255.128
The issue: traffic going from vlan481 to vlan480 shows up on interface vlan400. I can see it with a sniffer, and it also generates denies in syslog.
Jan 23 00:54:18 hostname %FWSM-4-106023: Deny udp src external:X.Y.16.144/2422 dst systems:X.Y.16.108/389 by access-group "external_access_in" [0x0, 0x0]
Note that the denied traffic came from the user vlan (481), went out the external interface, was sent back to the FWSM by our gateway, and is denied as it tries to re-enter the FWSM to be routed to the server vlan (480).
I don't understand why such traffic would be routed out to the external interface in the first place. This doesn't make sense to me.
What's even more troubling is that the issue never surfaced before 2 days ago. I went through the log files for the last month and couldn't find any such Deny.
The FW configuration didn't change in the last 2 weeks.
Just to add some information that might be relevant: we are not using translation in this setup. However, I had to set up some statics because the hosts on the external interface use a /16 subnet mask.
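The deny message quoted above carries enough to check the symptom mechanically: the 106023 line names the ingress interface, the source address and the interface the FWSM would route the destination to. The script below is an added example, not part of the original post or any Cisco tool. It parses %FWSM-4-106023 lines, looks up which directly connected subnet the source belongs to, and flags any deny where that subnet sits behind a different interface than the one the packet arrived on (the "left via external, came back via the gateway" case). It also performs a longest-prefix-match route lookup the way the FWSM would. Everything in the interface table is an assumption: the post masks the prefix as X.Y, so 10.1 stands in for it, the nameif-to-VLAN mapping is inferred from the interface descriptions and the log line, and the default route toward the gateway is assumed.

```python
import ipaddress
import re
from typing import Optional

# Constructed interface table (assumption): the post masks the address prefix as
# X.Y, so 10.1 stands in for it here.  The nameif -> subnet mapping is inferred
# from the post's interface descriptions and from the deny message itself.
INTERFACES = {
    "external": ipaddress.ip_network("10.1.45.0/24"),    # vlan400, X.Y.45.245/24
    "systems":  ipaddress.ip_network("10.1.16.0/25"),    # vlan480, X.Y.16.120/25
    "users":    ipaddress.ip_network("10.1.16.128/25"),  # vlan481, X.Y.16.240/25
}

# Assumed default route toward the upstream gateway on the external interface.
STATIC_ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), "external")]

# %FWSM-4-106023 format: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
# by access-group "<acl>" [hit counters]
DENY_RE = re.compile(
    r'%FWSM-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def connected_interface(addr: str) -> Optional[str]:
    """Return the nameif whose directly connected subnet contains addr, if any."""
    ip = ipaddress.ip_address(addr)
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    return None


def egress_interface(dst: str) -> Optional[str]:
    """Longest-prefix match over connected subnets and static routes, which is
    how the FWSM picks the egress interface for a destination."""
    ip = ipaddress.ip_address(dst)
    candidates = [(net, name) for name, net in INTERFACES.items()] + STATIC_ROUTES
    best = None
    for net, name in candidates:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def parse_deny(line: str) -> Optional[dict]:
    """Parse one 106023 syslog line into its fields; None if it is not one."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def classify_deny(line: str) -> Optional[dict]:
    """Flag denies whose source address lives on a directly connected subnet
    but arrived on a different interface.  That is either address spoofing or,
    as in the post, traffic that left the firewall and was hairpinned back by
    the upstream gateway.  Also records where the FWSM itself routes the dst."""
    d = parse_deny(line)
    if d is None:
        return None
    d["expected_src_if"] = connected_interface(d["src"])
    d["expected_dst_if"] = egress_interface(d["dst"])
    d["reentry"] = (d["expected_src_if"] is not None
                    and d["expected_src_if"] != d["src_if"])
    return d


# Constructed sample, modelled on the line quoted in the post (X.Y -> 10.1).
SAMPLE = ('Jan 23 00:54:18 hostname %FWSM-4-106023: Deny udp '
          'src external:10.1.16.144/2422 dst systems:10.1.16.108/389 '
          'by access-group "external_access_in" [0x0, 0x0]')

if __name__ == "__main__":
    r = classify_deny(SAMPLE)
    print(f"{r['src']} arrived on {r['src_if']} but is connected via "
          f"{r['expected_src_if']}; re-entry={r['reentry']}; "
          f"FWSM routes {r['dst']} via {r['expected_dst_if']}")
```

Run against a syslog export, the `reentry` flag isolates exactly the lines described in the post, and `expected_dst_if` being "systems" for the LDAP server confirms that the FWSM's own route lookup for X.Y.16.108 picks the systems interface, so the unexplained hop is the first leg out of the external interface, not the return path. On a real box the interface table would be populated from the firewall's route table rather than typed in.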