[c-nsp] FWSM v2.3.3 NAT issue

Christian Zeng christian at zengl.net
Wed Dec 28 06:34:20 EST 2005


Hi,

* Brett Looney <brett at looney.id.au> wrote:
>	global (INSIDE) 1 1.2.3.4
>	nat (OUTSIDE) 0 access-list NONAT-OUTSIDE outside
>	nat (OUTSIDE) 1 access-list NAT-OUTSIDE outside
>
>Connections from the outside interface used to appear to come from 
>1.2.3.4 for hosts on the inside. Now they don't - they appear to come 
>from the originator's real IP address.

I never used outside dynamic NAT, so my suggestions are more generic.

Does a 'show xlate' mark the connections in question as 'Outside'?

Are there any static statements that 'nat x access-list' would collide with
(static (outside,inside)), or static statements for your inside hosts
(static (inside,outside)) configured? The last one would be necessary
for outside NAT, IIRC, even if it is only a static identity NAT translating
inside hosts to the same addresses.

If you can afford losing all established connections, try a 'clear
xlate'. Then try to initiate communication from an outside host and
look at the xlate table. This eliminates the influence of existing
xlate entries from connections initiated on the inside.

Best Regards,


Christian
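For readers following the thread: the fragment below is an added illustration of the layout Christian describes (outside dynamic NAT plus a static identity entry for the inside hosts), not configuration from either poster. It reuses the interface names, pool ID and global address from Brett's post and assumes an inside subnet of 10.1.1.0/24 purely for illustration; it is written in the PIX 6.x-style syntax FWSM 2.3 uses and has not been verified against that release.

```cisco
! Interface names, pool ID 1 and global 1.2.3.4 are from Brett's post.
! The inside subnet 10.1.1.0/24 is an assumption for this example.
access-list NAT-OUTSIDE permit ip any 10.1.1.0 255.255.255.0
global (INSIDE) 1 1.2.3.4
nat (OUTSIDE) 0 access-list NONAT-OUTSIDE outside
nat (OUTSIDE) 1 access-list NAT-OUTSIDE outside
! Static identity NAT for the inside hosts: real and mapped address are
! the same, so nothing is rewritten, but it gives the outside NAT rule
! a translation to pair with on the inside interface.
static (INSIDE,OUTSIDE) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
```

To test it the way Christian suggests, run 'clear xlate' (this drops every established translation), open a connection from an outside host to an inside host, and then check 'show xlate'; the new entry for that flow is the one to inspect, since no inside-initiated xlate can have created it.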

